
Forfiles Proxy Execution

Attackers abuse the signed forfiles.exe to spawn child processes and proxy command execution under a trusted Windows binary.

forfiles.exe is a signed, Microsoft-shipped command-line utility that selects files matching a pattern and runs a command for each one — the Windows analogue of a find -exec loop. Its /c switch takes an arbitrary command line, and forfiles executes it as a child process. That single feature turns it into a convenient proxy: an attacker can launch any payload while the visible parent is the trusted forfiles.exe.

Because it is signed, present by default, and legitimately used in batch scripts, forfiles helps attackers break the obvious parent/child relationship (for example, hiding the fact that an Office macro ultimately launched PowerShell) and satisfy allow-lists that trust system binaries. An analyst encounters it as a launcher: the interesting behaviour is in the command passed to /c, not in forfiles itself.

How it works

The attacker points forfiles at any guaranteed-to-match path and uses /c to run the real command for the matched file:

```text
forfiles.exe /p C:\Windows\System32 /m notepad.exe /c "cmd /c powershell -enc <base64>"
```

forfiles finds notepad.exe, then executes the /c command — here spawning cmd.exe, which spawns powershell.exe. The file pattern is just a vehicle; the payload is the /c argument. Inside /c, the special tokens @path, @file, and @fname can be used to assemble paths and obfuscate the command. Analysts should recognise forfiles with a /c value that invokes cmd, powershell, wscript, mshta, regsvr32, or rundll32 as the abuse signature — legitimate uses typically run benign file operations like copy, del, or echo.

Detection & analysis

Static analysis:

  • The artefact is usually a script (.bat/.cmd/macro) or a command line, not a binary. Read the /c value: interpreter invocations (cmd, powershell, wscript, cscript, mshta), encoded blobs, http/https URLs, or paths in %TEMP%/%APPDATA% indicate abuse.
  • Triage with regex/YARA: forfiles combined with /c and a script-host or shell reference is the high-signal pattern. Deobfuscate @path/@fname token substitution used to hide the real target.

Dynamic analysis:

  • In a sandbox, watch the process tree rooted at forfiles.exe. The key indicator is the child process: forfiles.exe spawning cmd.exe, powershell.exe, mshta.exe, regsvr32.exe, or rundll32.exe is highly suspicious, especially when those children then beacon or drop files.
  • Observe whether the chain reaches the network or writes executables. Benign forfiles loops touch the file system locally and exit; an instance that fans out into interpreters and outbound connections is anomalous.

Detection rule hint:

Alert on Sysmon Event ID 1 where Image ends with \forfiles.exe AND the command line contains /c together with cmd, powershell, wscript, cscript, mshta, regsvr32, or rundll32. Reinforce with a parent/child rule: forfiles.exe whose parent is an Office app or script host, or that spawns any of the above interpreters, is high-confidence. Correlate with Event ID 3 (network) from the spawned child PID to catch the downstream payload.
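The following is an added example, not code from the original page, that puts both the static triage from the "Static analysis" bullets and the Sysmon rule hint above into working form. It extracts the /c value from a forfiles command line, resolves the @path/@file/@fname/@ext tokens against an assumed matched file, flags the interpreter, encoded-blob, URL and user-writable-path indicators, and then applies the parent/child and Event ID 3 correlation over a list of simplified Sysmon-style records. One caveat is built in that the rule hint as written does not state: copy, del and echo are cmd.exe built-ins, so a legitimate loop necessarily looks like `cmd /c del @path`; a lone `cmd /c <builtin>` is therefore not counted as an interpreter hit. The regexes, the `SUSPECT_PARENTS` list, the event field subset and every sample record are assumptions constructed for the example; the dummy base64 blob decodes to a run of "A" characters.

```python
"""Added example (not the page's own code): forfiles /c triage plus the Sysmon rule hint.
Event records use a constructed subset of Sysmon field names; all sample data is made up."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Interpreters named on the page as the abuse signature inside /c
INTERPRETERS = ("cmd", "powershell", "wscript", "cscript", "mshta", "regsvr32", "rundll32")
# cmd.exe built-ins that a benign per-file loop runs (copy/del/echo cannot run without cmd)
BENIGN_BUILTINS = ("copy", "del", "echo", "move", "ren", "rename", "type")
# Assumed list of parents that make a forfiles launch high-confidence
SUSPECT_PARENTS = ("\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\outlook.exe",
                   "\\wscript.exe", "\\cscript.exe", "\\mshta.exe")

INTERP_RE = re.compile(r"\b(" + "|".join(INTERPRETERS) + r")(?:\.exe)?\b", re.IGNORECASE)
# A lone "cmd /c <builtin> ..." (optionally with a quoted path to cmd) is the benign loop shape
BENIGN_LOOP_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/c\s+(?:'
                            + "|".join(BENIGN_BUILTINS) + r")\b", re.IGNORECASE)
ENCODED_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_PATH_RE = re.compile(r"%(?:TEMP|TMP|APPDATA|LOCALAPPDATA)%|\\AppData\\", re.IGNORECASE)
TOKEN_RE = re.compile(r"@(?:path|file|fname|ext)\b", re.IGNORECASE)


def extract_c_argument(cmdline: str) -> Optional[str]:
    """Return the value of the /c switch (quoted or bare), or None if there is none."""
    m = re.search(r'/c\s+"((?:[^"\\]|\\.)*)"', cmdline, re.IGNORECASE)
    if not m:
        m = re.search(r"/c\s+(\S+)", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def expand_tokens(c_value: str, matched_file: str) -> str:
    """Substitute @path/@file/@fname/@ext with the values forfiles would use for one matched file.
    forfiles wraps the expansions in double quotes; bare values are used here to keep matching simple."""
    fname = matched_file.rsplit("\\", 1)[-1]
    stem, dot, ext = fname.rpartition(".")
    if not dot:
        stem, ext = fname, ""
    subs = {"@path": matched_file, "@file": fname, "@fname": stem, "@ext": ext}
    return TOKEN_RE.sub(lambda m: subs[m.group(0).lower()], c_value)


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)
    expanded: Optional[str] = None


def triage_forfiles(cmdline: str, matched_file: str = r"C:\Windows\System32\notepad.exe") -> Verdict:
    """Static triage of one forfiles command line; matched_file is an assumed value used
    only to resolve tokens (forfiles would substitute whatever /p and /m select)."""
    if not re.search(r"\bforfiles(?:\.exe)?\b", cmdline, re.IGNORECASE):
        return Verdict(False, ["not a forfiles command line"])
    c_value = extract_c_argument(cmdline)
    if c_value is None:
        return Verdict(False, ["no /c switch"])
    expanded = expand_tokens(c_value, matched_file)
    reasons: List[str] = []
    hits = sorted({m.group(1).lower() for m in INTERP_RE.finditer(expanded)})
    if hits and not (hits == ["cmd"] and BENIGN_LOOP_RE.match(expanded)):
        reasons.append("interpreter in /c: " + ", ".join(hits))
    if ENCODED_RE.search(expanded):
        reasons.append("encoded command blob")
    if URL_RE.search(expanded):
        reasons.append("URL in /c")
    if USER_PATH_RE.search(expanded):
        reasons.append("user-writable path in /c")
    return Verdict(bool(reasons), reasons, expanded)


def evaluate_sysmon(events: List[dict]) -> Dict[int, dict]:
    """Apply the rule hint to simplified Sysmon records (EventID 1 = process creation,
    EventID 3 = network connection). Returns alerts keyed by the forfiles.exe PID."""
    alerts: Dict[int, dict] = {}
    lineage: Dict[int, int] = {}  # PID of an interpreter under forfiles -> root forfiles PID

    def alert_for(pid: int) -> dict:
        return alerts.setdefault(pid, {"confidence": "medium", "reasons": []})

    for ev in events:
        if ev["EventID"] == 1:
            image = ev["Image"].lower()
            parent = ev.get("ParentImage", "").lower()
            if image.endswith("\\forfiles.exe"):
                verdict = triage_forfiles(ev["CommandLine"])
                if verdict.suspicious:
                    alert_for(ev["ProcessId"])["reasons"].extend(verdict.reasons)
                if parent.endswith(SUSPECT_PARENTS):
                    a = alert_for(ev["ProcessId"])
                    a["reasons"].append("parent is " + parent.rsplit("\\", 1)[-1])
                    a["confidence"] = "high"
            else:  # follow interpreters launched under forfiles, grandchildren included
                root = None
                if parent.endswith("\\forfiles.exe"):
                    root = ev["ParentProcessId"]
                elif ev.get("ParentProcessId") in lineage:
                    root = lineage[ev["ParentProcessId"]]
                basename = image.rsplit("\\", 1)[-1]
                if (root is not None and INTERP_RE.search(basename)
                        and not BENIGN_LOOP_RE.match(ev["CommandLine"])):
                    lineage[ev["ProcessId"]] = root
                    a = alert_for(root)
                    a["reasons"].append("spawned " + basename)
                    a["confidence"] = "high"
        elif ev["EventID"] == 3 and ev["ProcessId"] in lineage:
            a = alert_for(lineage[ev["ProcessId"]])
            a["reasons"].append("child connected to " + ev["DestinationIp"])
            a["confidence"] = "high"
    return alerts


# Constructed sample: a chain rooted in Word, then a benign log-cleanup loop from a batch file.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 3900, "Image": r"C:\Windows\System32\forfiles.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'forfiles.exe /p C:\Windows\System32 /m notepad.exe /c "cmd /c powershell -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"'},
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\forfiles.exe", "CommandLine": "cmd /c powershell -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"EventID": 1, "ProcessId": 4140, "ParentProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"EventID": 3, "ProcessId": 4140, "DestinationIp": "203.0.113.10"},
    {"EventID": 1, "ProcessId": 5200, "ParentProcessId": 5100, "Image": r"C:\Windows\System32\forfiles.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r'forfiles /p C:\Logs /m *.log /d -30 /c "cmd /c del @path"'},
    {"EventID": 1, "ProcessId": 5210, "ParentProcessId": 5200, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\forfiles.exe", "CommandLine": r'cmd /c del "C:\Logs\app-2024-01-02.log"'},
]

if __name__ == "__main__":
    for pid, alert in evaluate_sysmon(SAMPLE_EVENTS).items():
        print(pid, alert["confidence"], "; ".join(alert["reasons"]))
```

Run as a script it prints a single alert, for PID 4100, carrying the static reasons (interpreters and encoded blob), the Office parent, the two spawned interpreters and the network connection from the grandchild; the cleanup loop under PID 5200 produces nothing, which is the behaviour the caveat is meant to buy.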
