S0193: Forfiles
Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [1]
Analyst context for executives and security teams
Forfiles matters because it is a legitimate Windows utility that can select files or directories and run commands against them from the command line, Run window, or scripts. That makes it useful for normal administration and batch jobs, but also material for defenders because ATT&CK links it to file discovery, local data collection, and indirect command execution. The business issue is not the presence of Forfiles alone; it is whether the organization can distinguish approved automation from suspicious use that searches files, stages data, or runs commands through a trusted utility.
Executive priority
Treat Forfiles as a control-validation item for Windows administrative tooling and living-off-the-land activity. Leaders should ask whether SOC and IR teams have enough endpoint and script execution evidence to explain who ran Forfiles, from where, with what arguments, and whether it touched sensitive file locations. This supports incident scoping, audit evidence for monitoring coverage, and prioritization of controls around command execution, administrative scripts, and sensitive data locations.
Technical view
ATT&CK provides no dedicated detection text for Forfiles, so validation should be relationship-driven. Confirm visibility for executions of forfiles.exe, parent process context, command-line arguments, script or batch-file sources, user identity, working directory, and file paths selected. Triage should focus on use patterns aligned to the related techniques: File and Directory Discovery, Data from Local System, and Indirect Command Execution. Because Forfiles has legitimate batch-job use, detection should emphasize unusual parents, unusual users, sensitive paths, uncommon command arguments, and execution chains that avoid expected command interpreters or administrative workflows.
Likely telemetry
- Endpoint process creation events for forfiles.exe and parent/child processes
- Command-line arguments and working directory
- Script and batch-file execution records where available
- User, host, and logon context tied to execution
- File and directory access metadata for selected paths, especially sensitive locations
Detection direction
- Baseline approved administrative and batch-job use before alerting on all Forfiles execution.
- Prioritize detections where Forfiles enumerates broad directory trees, targets sensitive file locations, or launches unexpected child processes.
- Correlate Forfiles activity with related discovery and collection behaviors rather than treating the utility name alone as malicious.
- Review parent processes such as interactive shells, Run-window initiated execution, scripts, or unusual automation contexts.
- Account for false positives from legitimate maintenance jobs, inventory scripts, and scheduled administrative tasks.
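One way to turn the detection directions above (and the triage focus in the Technical view) into working logic, as an added example that is not from ATT&CK or this page; the event field names, the approved-job baseline, the sensitive-path list and the sample events are all assumptions constructed for the example:

```python
# Added example (not from ATT&CK or this page): triage constructed process-creation
# events for forfiles.exe. Field names, baseline and sensitive paths are assumptions.
import re

# Constructed baseline of approved automation: (parent image, user) pairs.
APPROVED_JOBS = {(r"c:\windows\system32\cmd.exe", r"nt authority\system")}
SENSITIVE_PATHS = ("c:\\users\\", "\\finance\\", "\\hr\\")  # constructed
INTERACTIVE_PARENTS = {"explorer.exe", "powershell.exe", "wscript.exe"}
DEFAULT_CMD = "cmd /c echo @file"  # what forfiles runs when /c is omitted

def flag_reasons(command_line, parent_image):
    """Return why one forfiles.exe command line deserves analyst attention."""
    cmd = command_line.lower()
    reasons = []
    # /p sets the search root, /s recurses: drive root plus /s is a broad walk (T1083).
    if re.search(r'/p\s+"?[a-z]:\\?"?(?=\s|$)', cmd) and "/s" in cmd.split():
        reasons.append("broad enumeration from drive root")
    if any(p in cmd for p in SENSITIVE_PATHS):
        reasons.append("references sensitive path")
    # /c is the per-match command; anything beyond the default echo is T1202 territory.
    m = re.search(r'/c\s+"([^"]+)"', cmd)
    if m and m.group(1).strip() != DEFAULT_CMD:
        reasons.append("custom /c command: " + m.group(1).strip())
    parent = parent_image.lower().rsplit("\\", 1)[-1]
    if parent in INTERACTIVE_PARENTS:
        reasons.append("interactive parent " + parent)
    return reasons

def triage_forfiles(events):
    """Map event id -> reasons for forfiles.exe runs not covered by the baseline."""
    findings = {}
    for ev in events:
        if not ev["image"].lower().endswith("\\forfiles.exe"):
            continue
        if (ev["parent_image"].lower(), ev["user"].lower()) in APPROVED_JOBS:
            continue  # documented maintenance job: baseline before alerting
        reasons = flag_reasons(ev["command_line"], ev["parent_image"])
        if reasons:
            findings[ev["id"]] = reasons
    return findings

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"id": 1, "image": r"C:\Windows\System32\forfiles.exe", "user": r"NT AUTHORITY\SYSTEM",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'forfiles /p C:\Logs /s /m *.log /d -30 /c "cmd /c del @path"'},
    {"id": 2, "image": r"C:\Windows\System32\forfiles.exe", "user": r"CORP\alice",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'forfiles /p C:\ /s /m *.docx /c "cmd /c copy @path C:\Users\alice\stage"'},
]
```

Event 1 is suppressed only because it matches the baseline; run `flag_reasons` on it directly to see that the same command line would otherwise be flagged for its custom `/c` command.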
Mitigation priorities
- Document and approve legitimate Forfiles-based administrative jobs so defenders can identify outliers.
- Ensure endpoint logging captures process creation, command line, parent process, user, and script context.
- Restrict or monitor command execution paths where trusted utilities can be used to indirectly launch commands, consistent with business need.
- Apply least privilege to users and service accounts that can access sensitive local data and run administrative scripts.
- Include Forfiles scenarios in incident response playbooks for discovery, collection, and indirect command execution triage.
Analyst notes and limits
The supplied ATT&CK object identifies Forfiles as a Windows utility and links it to APT28 use plus techniques T1005, T1083, and T1202. The most defensible analytic value is behavioral: determine whether Forfiles is being used in expected automation or as a proxy for searching files and executing commands. Local baselines are essential because the tool has normal administrative uses.
ATT&CK provides no official detection guidance, no object-level tactics, no object-level platforms field, and no aliases or labels. The relationship descriptions are partial, and technique/platform details should not be overgeneralized beyond the supplied context. Environment-specific telemetry and approved-use inventories are required to assess risk or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1202 | Indirect Command Execution | |
| Enterprise | T1005 | Data from Local System | Forfiles can be used to act on (ex: copy, move, etc.) files/directories in a system during (ex: copy files into a staging area before). (Citation: Überwachung APT28 Forfiles June 2015) |
| Enterprise | T1083 | File and Directory Discovery | Forfiles can be used to locate certain types of files/directories in a system (ex: locate all files with a specific extension, name, and/or age). (Citation: Überwachung APT28 Forfiles June 2015) |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 93b2040db4a8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft Forfiles Aug 2016: Microsoft. (2016, August 31). Forfiles. Retrieved January 22, 2018.
[2] mitre-attack S0193
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.