Suspicious Usage of For Loop with Recursive Directory Search in CMD
Detects suspicious use of a cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically (for example PowerShell) by iterating over 'dir' output instead of referencing the binary by its path, a technique sometimes used by attackers to evade detection. The behavior has been observed in various malicious LNK files. Note that the selections only require the literals 'for /f', 'tokens=', 'in (' and 'dir' to co-occur: the rule does not check for the '/s' switch, so it fires on non-recursive listings as well, and it also fires on any 'for /f' loop whose command line merely contains 'dir' as a substring (for example inside a path). The ParentCommandLine selection additionally catches the child process that such a loop launches.
Sigma rule
title: Suspicious Usage of For Loop with Recursive Directory Search in CMD
id: 2782fbd8-b662-4eb5-9962-5bfbfb671e7b
status: experimental
description: |
    Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.
    This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.
    This behavior has been observed in various malicious lnk files.
references:
    - https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2025-11-12
tags:
    - attack.execution
    - attack.t1059.003
    - attack.defense-evasion
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_tokens:
        CommandLine|contains|all:
            - 'for /f'
            - 'tokens='
            - 'in ('
            - 'dir'
    selection_tokens_parent:
        ParentCommandLine|contains|all:
            - 'for /f'
            - 'tokens='
            - 'in ('
            - 'dir'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
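The rule's detection logic run over a handful of constructed process_creation events, as an added example that is not part of the rule or of the SigmaHQ project. The evaluator implements Sigma's case-insensitive `contains|all` modifier and the `1 of selection_*` condition exactly as the rule states them. All sample command lines, including the `dir /s /b ... powershell.exe` loop that mimics the LNK pattern described above, are constructed for illustration and are not taken from real telemetry.

```python
from typing import Dict, Iterable, List, Tuple

# The two selections as written in the rule: each is a field plus the substrings that
# must all be present (Sigma 'contains|all'). Both selections use the same needle list.
NEEDLES: Tuple[str, ...] = ("for /f", "tokens=", "in (", "dir")
SELECTIONS: Dict[str, str] = {
    "selection_tokens": "CommandLine",
    "selection_tokens_parent": "ParentCommandLine",
}


def contains_all(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all': every needle is a substring of the field value.

    Sigma string matching is case-insensitive by default, so both sides are lower-cased.
    """
    haystack = value.lower()
    return all(n.lower() in haystack for n in needles)


def matching_selections(event: Dict[str, str]) -> List[str]:
    """Names of the selections this event satisfies.

    The rule's condition is '1 of selection_*', so a non-empty result means the rule fires.
    """
    return [
        name
        for name, field in SELECTIONS.items()
        if contains_all(event.get(field, ""), NEEDLES)
    ]


def rule_fires(event: Dict[str, str]) -> bool:
    return bool(matching_selections(event))


# Constructed sample events (not real telemetry). Event 0 mimics the pattern the rule
# describes: a cmd.exe 'for /f' loop that locates powershell.exe with 'dir /s /b' and runs it.
# Event 1 is the PowerShell child that loop spawns; its ParentCommandLine carries the loop.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # cmd.exe running the loop -> selection_tokens
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c for /f \"tokens=*\" %i in ('dir /s /b C:\\Windows\\System32\\powershell.exe') do %i -w hidden -c whoami",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
    },
    {   # child spawned by the loop -> selection_tokens_parent
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -c whoami",
        "ParentCommandLine": "cmd.exe /c for /f \"tokens=*\" %i in ('dir /s /b C:\\Windows\\System32\\powershell.exe') do %i -w hidden -c whoami",
    },
    {   # plain recursive listing without a loop -> no match
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c dir /s /b C:\\Users",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
    },
    {   # for /f over a file, nothing containing 'dir' -> no match
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c for /f \"tokens=1,2 delims=,\" %a in (C:\\build\\hosts.csv) do echo %a",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
    },
    {   # benign loop whose path happens to contain 'dir' -> fires (false positive)
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c for /f \"tokens=1\" %a in (C:\\build\\srcdir\\list.txt) do echo %a",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
    },
]


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matching selections, for the events that fire the rule."""
    return {i: hits for i, e in enumerate(events) if (hits := matching_selections(e))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['Image']} -> {', '.join(hits)}")
```

Events 0, 1 and 4 fire; 2 and 3 do not. Event 4 shows the false-positive surface the rule's wording does not mention: 'dir' is matched as a bare substring, so a path component such as `srcdir` satisfies it, and the '/s' switch is never required. In the other direction, the needles are literal, so `for  /f` with doubled whitespace or a loop written with `%%i` and tab-separated tokens in a batch file may slip past a string-contains match even though cmd.exe accepts it.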
Related rules
- Suspicious Space Characters in RunMRU Registry Path - ClickFix
- Suspicious Space Characters in TypedPaths Registry Path - FileFix
- Exploiting SetupComplete.cmd CVE-2019-1378
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- Obfuscated PowerShell MSI Install via WindowsInstaller COM