
Summary
This analytic detection rule identifies extensive use of forfiles.exe on Windows endpoints, a pattern commonly associated with post-exploitation activity by malicious actors. The rule uses process-execution logs from Endpoint Detection and Response (EDR) systems and looks for forfiles.exe being executed excessively, defined in this rule as 20 or more executions within a one-minute interval. This matters because forfiles.exe can run a command against many files in a batch, a tactic used by ransomware such as Prestige to facilitate data exfiltration and other malicious activity. The detection logic aggregates the relevant fields, including process GUIDs and parent processes, and filters the results to surface potentially malicious behavior. The detection is further supported by the references provided with the rule, which elaborate on the use of forfiles.exe and the risks associated with it.
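As an added illustration, not the rule's own query or the project's code, the threshold logic described above applied to constructed EDR-style process events in Python; the event field names, host names, parent processes and GUIDs are assumptions made for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 20  # executions per one-minute window, as stated in the rule summary

def make_events():
    """Constructed sample EDR process-execution events (not real telemetry)."""
    base = datetime(2024, 11, 13, 10, 0, 0)
    events = []
    # 25 forfiles.exe spawns from one cmd.exe on host-a within 25 seconds: should alert
    for i in range(25):
        events.append({"time": base + timedelta(seconds=i), "host": "host-a",
                       "process_name": "forfiles.exe", "process_guid": f"guid-a-{i}",
                       "parent_process_name": "cmd.exe", "parent_process_guid": "parent-a"})
    # 5 spawns on host-b spread one per minute: stays below the threshold
    for i in range(5):
        events.append({"time": base + timedelta(minutes=i), "host": "host-b",
                       "process_name": "forfiles.exe", "process_guid": f"guid-b-{i}",
                       "parent_process_name": "explorer.exe", "parent_process_guid": "parent-b"})
    # an unrelated process on host-a that the filter must ignore
    events.append({"time": base, "host": "host-a", "process_name": "notepad.exe",
                   "process_guid": "guid-n", "parent_process_name": "explorer.exe",
                   "parent_process_guid": "parent-a"})
    return events

def detect_excessive_forfiles(events, threshold=THRESHOLD):
    """Bucket forfiles.exe executions into fixed one-minute windows per host and
    parent process; return one finding per bucket that meets the threshold,
    carrying the aggregated process GUIDs for triage."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["process_name"].lower() != "forfiles.exe":
            continue
        # floor the timestamp to the start of its one-minute bin
        window_start = ev["time"].replace(second=0, microsecond=0)
        key = (ev["host"], ev["parent_process_name"], ev["parent_process_guid"], window_start)
        buckets[key].append(ev["process_guid"])
    findings = []
    for (host, parent, parent_guid, start), guids in sorted(buckets.items()):
        if len(guids) >= threshold:
            findings.append({"host": host, "parent_process_name": parent,
                             "parent_process_guid": parent_guid, "window_start": start,
                             "count": len(guids), "process_guids": guids})
    return findings

if __name__ == "__main__":
    for finding in detect_excessive_forfiles(make_events()):
        print(finding["host"], finding["parent_process_name"], finding["count"])
```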
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1202
Created: 2024-11-13