forfiles.exe

forfiles.exe selects files by name, date, or size and runs a command for each one. Administrators use it in maintenance scripts. Attackers use it as an indirect way to launch programs, executing a command through a signed binary rather than calling it directly.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • forfiles /p c:\windows\system32 /m notepad.exe /c "{CMD}" · Execute · Use forfiles to start a new process to evade defensive countermeasures
  • forfiles /p c:\windows\system32 /m notepad.exe /c "{PATH_ABSOLUTE}:evil.exe" · ADS · Use forfiles to start a new process from a binary hidden in an alternate data stream

Indicators

Hashes

Not observed.

Analysis

About this process

forfiles.exe iterates over a set of files matching criteria and runs a command (/c) for each match, substituting tokens like the file name. The command it runs can be any program, which is the behavior attackers repurpose: forfiles becomes the launcher, so the real command appears as a child of forfiles rather than of the script or shell. The genuine binary lives at C:\Windows\System32\forfiles.exe.

Legitimately, forfiles is used in cleanup and batch jobs, for example deleting files older than a certain date. The command it runs is what gives an instance meaning.

Security notes

forfiles.exe is used for indirect command execution (T1202). By wrapping a payload in forfiles /p C:\ /m <file> /c "cmd /c <command>", an attacker has forfiles spawn the real command, so detections and parent-child rules that watch for a shell directly under an Office app or script host see forfiles in between instead. The command itself still runs, just one level removed.

Because forfiles is a legitimate maintenance tool, the /c command is what matters. forfiles launching a shell, a LOLBIN, or a download from a temp folder, especially under an unusual parent, is the case to examine.

Anomaly signals
  • Image path other than C:\Windows\System32\forfiles.exe (high)
  • /c running cmd.exe, powershell.exe, or another LOLBIN (high)
  • Parent is an Office application, a script host, or an unfamiliar process (high)
  • A /c command that downloads or executes content from a user-writable path (high)
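As an added example, not code from this page or from any detection product, the following Python check applies the four anomaly signals above to constructed Sysmon-style process-creation events. The LOLBIN list, the expected-parent list and the user-writable path fragments are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Genuine location named on the page; any other image path is a signal.
GENUINE_IMAGE = r"c:\windows\system32\forfiles.exe"
# Shells and other LOLBINs that rarely belong in a maintenance /c (assumed list, by stem).
LOLBIN_CHILDREN = {"cmd", "powershell", "pwsh", "mshta", "rundll32",
                   "regsvr32", "certutil", "wscript", "cscript"}
# Parents a scheduled cleanup job would normally run under (assumed list, by stem).
EXPECTED_PARENTS = {"cmd", "svchost", "taskeng", "explorer"}
# Path fragments marking user-writable locations (assumed list).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

_C_ARG = re.compile(r'/c\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def forfiles_command(cmdline: str) -> str:
    """Return the per-match command (the /c argument) from a forfiles command line."""
    m = _C_ARG.search(cmdline)
    return "" if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def anomaly_signals(event: dict) -> list:
    """Evaluate the page's four anomaly signals against one Sysmon-style
    process-creation event (keys: Image, CommandLine, ParentImage)."""
    signals = []
    if event["Image"].lower() != GENUINE_IMAGE:
        signals.append("image_path")
    cmd = forfiles_command(event["CommandLine"])
    child = PureWindowsPath(cmd.split()[0]).stem.lower() if cmd else ""
    if child in LOLBIN_CHILDREN:
        signals.append("lolbin_child")
    if PureWindowsPath(event["ParentImage"]).stem.lower() not in EXPECTED_PARENTS:
        signals.append("unusual_parent")
    if any(frag in cmd.lower() for frag in USER_WRITABLE):
        signals.append("user_writable_path")
    return signals


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'forfiles /p C:\Logs /m *.log /d -30 /c "cmd /c del @path"'},
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c C:\Users\Public\stage.bat"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(PureWindowsPath(ev["ParentImage"]).name, "->", anomaly_signals(ev))
```

The first sample fires only the shell signal, because "cmd /c del" is how legitimate cleanup jobs delete their matches; on its own that signal is weak evidence and is best weighed together with the parent and the path the command touches.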

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
