← Back to Explore
sigmamediumHunting
Suspicious Usage of For Loop with Recursive Directory Search in CMD
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious lnk files.
Detection Query
selection_tokens:
CommandLine|contains|all:
- for /f
- tokens=
- in (
- dir
selection_tokens_parent:
ParentCommandLine|contains|all:
- for /f
- tokens=
- in (
- dir
condition: 1 of selection_*
Author
Joseliyo Sanchez, @Joseliyo_Jstnk
Created
2025-11-12
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1059.003attack.defense-evasionattack.t1027.010
Raw Content
title: Suspicious Usage of For Loop with Recursive Directory Search in CMD
id: 2782fbd8-b662-4eb5-9962-5bfbfb671e7b
status: experimental
description: |
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.
This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.
This behavior has been observed in various malicious lnk files.
references:
- https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2025-11-12
tags:
- attack.execution
- attack.t1059.003
- attack.defense-evasion
- attack.t1027.010
logsource:
category: process_creation
product: windows
detection:
selection_tokens:
CommandLine|contains|all:
- 'for /f'
- 'tokens='
- 'in ('
- 'dir'
selection_tokens_parent:
ParentCommandLine|contains|all:
- 'for /f'
- 'tokens='
- 'in ('
- 'dir'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium