Level 21
The Windows ecosystem ships multiple binaries that adversaries can use to execute arbitrary commands indirectly, evading detection in environments that monitor well-known binaries such as cmd.exe. In some cases the techniques described below can also be used to bypass application whitelisting products whose rules are configured by path or file name, or to confuse the Windows event trail, because the payload appears as a child of a trusted, signed system binary. The purpose of this article is to gather the binaries that can indirectly execute a command, as discovered by various researchers on Twitter (credits to Julian Horoszkiewicz, Eric, Oddvar Moe, Evi1cg, Daniel Bohannon, and Adam).
This time, the forfiles command is the one being abused. forfiles was designed to run a command once for every file that matches a directory (/p) and a file mask (/m); the command is supplied with /c, and since it is executed by forfiles.exe itself rather than through cmd.exe, any executable given there runs with forfiles.exe as its parent process.
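The following is an added example and not code from the original article. It launches a stand-in payload through forfiles.exe and then inspects the resulting process tree with WMI so you can confirm that cmd.exe never appears in the chain, which is exactly what a Sysmon Event ID 1 (or 4688 with command-line auditing) record would show. Assumptions: a Windows host with PowerShell 5.1 or later; notepad.exe is used only as a file that is guaranteed to match the mask; ping.exe stands in for the payload because it is always present and stays alive long enough to inspect. The function names and the sample event records at the end are constructed for this illustration.

```powershell
# Added example (not from the original article). Demonstrates indirect command
# execution through forfiles.exe and verifies the parent/child relationship.

function Invoke-ForfilesLaunch {
    param(
        # forfiles needs at least one file matching /p and /m; the matched file
        # itself is never used. notepad.exe exists on every Windows install.
        [string]$Directory = 'C:\Windows\System32',
        [string]$Mask      = 'notepad.exe',
        # /c is executed once per match. A bare executable (not "cmd /c ...")
        # is passed straight to CreateProcess by forfiles.exe, so cmd.exe is
        # never involved. ping.exe is the stand-in payload here.
        [string]$Command   = 'ping.exe -n 30 127.0.0.1'
    )
    # Literal double quotes inside the /c value must be written as 0x22;
    # forfiles expands 0xHH sequences before running the command.
    $argLine = "/p $Directory /m $Mask /c `"$Command`""
    Start-Process -FilePath "$env:SystemRoot\System32\forfiles.exe" `
                  -ArgumentList $argLine -WindowStyle Hidden -PassThru
}

function Get-ForfilesChildChain {
    param([int]$ForfilesPid)
    Start-Sleep -Seconds 2   # give forfiles time to spawn its child
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ForfilesPid"
    $child  = Get-CimInstance Win32_Process |
              Where-Object { $_.ParentProcessId -eq $ForfilesPid }
    [pscustomobject]@{
        Parent        = $parent.Name          # forfiles.exe
        ParentCmdLine = $parent.CommandLine
        Child         = $child.Name           # PING.EXE, not cmd.exe
        ChildCmdLine  = $child.CommandLine
        CmdExeInChain = @($parent, $child) | Where-Object { $_.Name -ieq 'cmd.exe' } |
                        ForEach-Object { $true }   # empty (i.e. $null) when no cmd.exe is present
    }
}

# Run the technique and show the chain, then clean up the stand-in payload.
$ff = Invoke-ForfilesLaunch
Get-ForfilesChildChain -ForfilesPid $ff.Id | Format-List
Get-Process -Name ping -ErrorAction SilentlyContinue | Stop-Process -Force

# Detection side. The same parent/child relationship is what an EDR or Sysmon
# sees. These records are constructed samples in the shape of Sysmon Event ID 1
# fields, not real telemetry. The first one is forfiles' default behaviour
# ("cmd /c echo @file") and is benign; the second is the abuse above.
$sampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\forfiles.exe'; Image = 'C:\Windows\System32\cmd.exe';  CommandLine = 'cmd /c echo notepad.exe' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\forfiles.exe'; Image = 'C:\Windows\System32\PING.EXE'; CommandLine = 'ping.exe -n 30 127.0.0.1' }
)

function Find-ForfilesAbuse {
    param([object[]]$Events)
    # Any non-cmd.exe child of forfiles.exe is worth an alert: legitimate use of
    # forfiles almost always goes through "cmd /c ...".
    $Events | Where-Object {
        $_.ParentImage -like '*\forfiles.exe' -and $_.Image -notlike '*\cmd.exe'
    }
}

Find-ForfilesAbuse -Events $sampleEvents   # returns only the PING.EXE record
```

The detection rule at the end is deliberately narrow. An attacker can still write `/c "cmd /c payload.exe"`, in which case the child of forfiles.exe is cmd.exe and the rule above is silent; to cover that, also alert on forfiles.exe command lines whose `/c` value is anything other than the default echo, and on grandchildren of forfiles.exe whose image is not a known administrative tool.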