Suspicious CMD Echo of JavaScript Script Tag to File or Pipe

Rule Info

Name
Suspicious CMD Echo of JavaScript Script Tag to File or Pipe
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects usage of 'cmd /c echo <script...' with output redirected to a file or piped, which may indicate suspicious JavaScript injection, script drop activity, or one-liner script execution attempts. Attackers may use this technique to create or execute JavaScript code on the target system, potentially for malicious purposes such as downloading and executing additional payloads, or for persistence. Investigation of such events should consider the context of the command execution, including the content being echoed and the destination of the output.
Date
2026-04-03 00:00:00
Modified
None
Id
614cb2a1-774b-4db7-b7c9-f9cbe8cf56c0
Tags
attack.execution attack.t1059.003 attack.t1059.007
Type
Nextron Sigma feed only (private)
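
A triage helper for the pattern the description names, added here as an example: it is not the Nextron rule, whose logic is not shown on this page. It resolves cmd.exe's `^` escapes and double quotes so that a `>` belonging to the echoed tag is not mistaken for a redirection; the sample command lines are constructed, and the names `scan` and `classify` are hypothetical.

```python
import re

# Constructed, inert process-creation command lines (not real telemetry).
SAMPLES = [
    r'cmd.exe /c echo ^<script^>/* placeholder */^</script^> > C:\Temp\out.html',
    r'cmd /c "echo ^<scr^ipt src=x^>^</script^> | more"',
    r'cmd /c echo "<script>" is an HTML tag',
    r'cmd.exe /c echo build finished > build.log',
]

CMD_C = re.compile(r'(?i)\bcmd(?:\.exe)?"?\s+(?:/\w+\s+)*?/c\s*(.*)$')
ECHO_TAG = re.compile(r'(?i)\becho[\s("]*<script\b')

def scan(body):
    """Return (literal text, [(index, operator)]) for a cmd.exe command body."""
    text, ops, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '^' and not quoted and i + 1 < len(body):
            text.append(body[i + 1])      # caret escapes the next character
            i += 2
            continue
        if ch == '"':
            quoted = not quoted           # operators inside quotes are literal
        elif ch in '>|' and not quoted:
            ops.append((len(text), ch))   # live redirection or pipe
        text.append(ch)
        i += 1
    return ''.join(text), ops

def classify(command_line):
    """Return 'file', 'pipe' or None for one command line."""
    m = CMD_C.search(command_line)
    if not m:
        return None
    body = m.group(1).strip()
    if len(body) > 1 and body[0] == body[-1] == '"':
        body = body[1:-1]                 # simplified model of cmd's outer-quote stripping
    text, ops = scan(body)
    tag = ECHO_TAG.search(text)
    if not tag:
        return None
    for pos, op in ops:
        if pos >= tag.end():              # operator follows the echoed tag
            return 'pipe' if op == '|' else 'file'
    return None

if __name__ == '__main__':
    for line in SAMPLES:
        print(classify(line), '<-', line)
```

The third sample is left unflagged because its tag is quoted and nothing redirects the output, which is the kind of context the description asks investigators to weigh.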

Rule History