Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
T1117: regsvr32
T1170: MSHTA
T1196: Control Panel Item
Executing Code as a Control Panel Item through an Exported Cplapplet Function
Code Execution through Control Panel Add-ins
T1191: CMSTP
T1118: InstallUtil
Using MSBuild to Execute Shellcode in C#
T1202: Forfiles Indirect Command Execution
Application Whitelisting Bypass with WMIC and XSL
Powershell Without Powershell.exe
Powershell Constrained Language Mode ByPass
Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
T1216: pubprn.vbs Signed Script Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

T1202: Forfiles Indirect Command Execution

Defense Evasion

This technique launches an executable without a cmd.exe.

Execution

forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe

Observations

Defenders can monitor for process creation/commandline logs to detect this activity:

References

Previous
Using MSBuild to Execute Shellcode in C#
Next
Application Whitelisting Bypass with WMIC and XSL
Last updated 2 years ago
Contents
Execution
Observations
References