Rule Info

Name: Suspicious CMD Findstr Command with For Loop and Token Parsing
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects suspicious command patterns using findstr with for loops and token/delimiter parsing that may indicate data extraction and processing techniques. Adversaries may use findstr combined with for loops to search, extract, and parse specific content from files or command output, often as part of reconnaissance or data exfiltration activities.
Date: 2025-12-17 00:00:00
Modified: None
Id: 283e2d9e-6ce4-4fc2-b739-6e7bfbe4e459
Tags: attack.execution attack.t1059.003 attack.defense-evasion attack.t1027.010
Type: Nextron Sigma feed only (private)
