Rule Info
Name: Suspicious Usage of For Loop with Recursive Directory Search in CMD
Author: Joseliyo Sanchez, @Joseliyo_Jstnk
Description: Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically (for example powershell), a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious LNK files.
Reference:
Date: 2025-11-12 00:00:00
Modified: None
Id: 2782fbd8-b662-4eb5-9962-5bfbfb671e7b
Tags: attack.execution, attack.t1059.003, attack.defense-evasion, attack.t1027.010
Type: Community Rule
Link to Public Repo:
Rule History
Author: jstnk9
Title: Merge PR #5519 from @jstnk9 - Suspicious Use of for Loop with Directory Search in CMD
Date: 2025-11-21
Commit:
