Curl or Wget Spawned via Node.js

About

Tags

Domain: EndpointOS: LinuxOS: WindowsOS: macOSUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendData Source: Elastic EndgameData Source: Windows Security Event LogsData Source: SysmonData Source: SentinelOneData Source: CrowdstrikeData Source: Auditd ManagerLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

↳ Application Layer Protocol (T1071)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

endgame-*logs-crowdstrike.fdr*logs-endpoint.events.process-*logs-sentinel_one_cloud_funnel.*logs-system.security*logs-windows.forwarded*logs-windows.sysmon_operational-*winlogbeat-*auditbeat-*logs-auditd_manager.auditd-*

Related Integrations

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

system(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

crowdstrike(opens in a new tab or window)

auditd_manager(opens in a new tab or window)

Query

process where event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
  (
    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "cmd.exe", "bash.exe", "powershell.exe") and
    process.command_line like~ ("*curl*http*", "*wget*http*")
  ) or 
  (
    process.name in ("curl", "wget", "curl.exe", "wget.exe")
  )
) and
 not process.command_line like ("*127.0.0.1*", "*localhost*")