Crucial System Files That Can Be Leveraged by Threat Actors (Unexplored LOLBIN)


System files are integral to the smooth operation of the Windows operating system. However, when these files fall into the wrong hands, they can be leveraged for malicious purposes. In this blog, we will discuss their capabilities and the potential threats they pose.

ForFiles.exe

Location: ‘C:\Windows\System32\forfiles.exe’

Supported Versions: Windows Vista onwards

Capabilities:

1. File Selection:

  • Location: Specify a specific directory path using the ‘/P’ switch.
  • Filename Pattern: Use wildcards (‘*’) to match specific file patterns with the ‘/M’ switch.
  • Date: Filter files based on their creation or modification date using the ‘/D’ switch.

2. Information Display:

  • Filename
  • File size
  • Date modified
  • Directory path

3. Command Execution:

  • Deleting old files
  • Moving files to a different location
  • Renaming files
  • Copying files with specific criteria

Potential Threats from ForFiles.exe:

While ‘forfiles.exe’ is a legitimate tool, it can be misused. Here are some potential threats:

1. Data Manipulation:

  • Threat: Identifying and manipulating specific files on a system.
  • Risk: Deleting critical system files to disrupt functionality, modifying configuration files to gain unauthorized access, or encrypting user data for ransom demands.

2. Data Exfiltration:

  • Threat: Extracting sensitive information from a system.
  • Risk: Displaying contents of sensitive files like password lists or configuration files, identifying and extracting specific data based on file names or patterns, and using other tools in combination with ‘forfiles.exe’ to exfiltrate data.

3. Indirect Command Execution:

  • Threat: Bypassing security measures to execute commands.
  • Risk: Running malicious commands that might otherwise be flagged as suspicious.

Example

This command searches for `.txt` files in the `C:\Users\` directory that were modified more than 30 days ago and displays their names.
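The capabilities and threats listed above all hinge on one thing a defender can observe: the command line forfiles.exe was started with, and in particular whether the ‘/C’ switch is present and what it runs. The following Python script is an added example written for this post, not code from the original article or from Microsoft. It parses forfiles switches out of constructed process-creation records (shaped like the fields a Sysmon Event ID 1 or Security 4688 event carries) and assigns each one a severity. The first sample record is an assumed reconstruction of the listing command described just above (‘.txt’ files under ‘C:\Users\’ older than 30 days, echoed to the console); the other records, the severity buckets, and the ‘tool.exe’ path are constructed for illustration.

```python
"""Triage forfiles.exe process-creation events by what their /C switch runs.

Added example for this post (not the article's own code). Severity buckets,
sample records and the reconstructed listing command are assumptions.
"""
import ntpath
import re

# Constructed sample records shaped like Sysmon Event ID 1 / Security 4688
# fields. Record 0 is the listing command the post describes (assumed form).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /P C:\Users /S /M *.txt /D -30 /C "cmd /c echo @file"'},
    {"image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /P C:\Logs /M *.log /D -90 /C "cmd /c del @path"'},
    {"image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /P C:\Users\alice\Documents /M *.txt /C "cmd /c type @path"'},
    {"image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /P C:\Users\Public /M *.txt /C "C:\Users\Public\tool.exe @path"'},
    {"image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r"forfiles /P C:\Users /S /M *.docx /D -7"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
]

# cmd.exe builtins that forfiles is routinely wrapped around for file housekeeping
HOUSEKEEPING = {"echo", "del", "erase", "move", "ren", "rename", "copy", "rd", "rmdir"}
# script hosts that should not normally appear as a /C payload
INTERPRETERS = {"powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32"}
# directory fragments an ordinary user can write to
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_forfiles(cmdline):
    """Map forfiles switches to values (/P /M /D /C take a value, /S is a flag)."""
    tokens = tokenize(cmdline)
    opts = {}
    i = 1  # tokens[0] is the program name
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch in ("/p", "/m", "/d", "/c") and i + 1 < len(tokens):
            opts[switch] = tokens[i + 1]
            i += 2
        else:
            if switch == "/s":
                opts["/s"] = True
            i += 1
    return opts


def exe_name(token):
    """Lower-cased executable name with directory and .exe suffix removed."""
    name = ntpath.basename(token).lower()
    return name[:-4] if name.endswith(".exe") else name


def assess(cmdline):
    """Return (severity, reason) for one forfiles command line."""
    opts = parse_forfiles(cmdline)
    payload = opts.get("/c")
    if payload is None:
        return "info", "no /C switch: forfiles only lists matching files"
    ptoks = tokenize(payload)
    if not ptoks:
        return "info", "empty /C payload"
    head = exe_name(ptoks[0])
    # The documented way to run a cmd builtin per file is /C "cmd /c <builtin> ..."
    if head == "cmd" and len(ptoks) >= 3 and ptoks[1].lower() == "/c":
        builtin = ptoks[2].lower()
        if builtin in HOUSEKEEPING:
            return "low", f"cmd builtin '{builtin}': routine file housekeeping"
        if builtin == "type":
            return "medium", "cmd 'type' dumps matched file contents to the console"
        return "high", f"cmd /c launches '{builtin}' for every matched file"
    if head in INTERPRETERS:
        return "high", f"/C launches script host '{head}'"
    if any(frag in ptoks[0].lower() for frag in USER_WRITABLE):
        return "high", "/C runs an executable from a user-writable directory"
    return "medium", f"/C runs '{head}' directly"


def triage(events):
    """Keep only forfiles.exe events and attach a severity and reason to each."""
    findings = []
    for ev in events:
        if exe_name(ev["image"]) == "forfiles":
            severity, reason = assess(ev["cmdline"])
            findings.append((severity, reason, ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for severity, reason, cmdline in triage(SAMPLE_EVENTS):
        print(f"[{severity:6}] {reason}\n         {cmdline}")
```

The point of parsing the switches rather than substring-matching the whole line is that the ‘/C’ payload is what distinguishes the three threat categories above: a payload that is a cmd.exe housekeeping builtin matches the data-manipulation use, ‘type’ matches the display-and-exfiltrate use, and a payload that starts a script host or an executable from a user-writable path is the indirect-execution case. In a real pipeline the same function would be fed command lines from the telemetry source instead of the constructed list.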
