Elastic Security Detection Rules

Curl or Wget Spawned via Node.js

Last updated 22 days ago on 2025-12-23
Created 4 months ago on 2025-09-18

About

This rule detects when Node.js, directly or via a shell, spawns the curl or wget command. This may indicate command and control behavior. Adversaries may use Node.js to download additional tools or payloads onto the system.
Tags
Domain: EndpointOS: LinuxOS: WindowsOS: macOSUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendData Source: Elastic EndgameData Source: Windows Security Event LogsData Source: SysmonData Source: SentinelOneData Source: CrowdstrikeData Source: Auditd ManagerLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

Application Layer Protocol (T1071)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
endgame-*logs-crowdstrike.fdr*logs-endpoint.events.process-*logs-sentinel_one_cloud_funnel.*logs-system.security*logs-windows.forwarded*logs-windows.sysmon_operational-*winlogbeat-*auditbeat-*logs-auditd_manager.auditd-*
Related Integrations

endpoint(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

system(external, opens in a new tab or window)

sentinel_one_cloud_funnel(external, opens in a new tab or window)

crowdstrike(external, opens in a new tab or window)

auditd_manager(external, opens in a new tab or window)

Query
text code block:
process where event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
(
  process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "cmd.exe", "bash.exe", "powershell.exe") and
  process.command_line like~ ("*curl*http*", "*wget*http*")
) or 
(
  process.name in ("curl", "wget", "curl.exe", "wget.exe")
)
) and not (
  process.command_line like ("*127.0.0.1*", "*localhost*", "*/home/*/.claude/shell-snapshots/*", "*/root/.claude/shell-snapshots/snapshot*") or
  process.parent.executable like ("/*/.cursor-server/*node", "/root/.nvm/*/node", "/*/.vscode-server/*/node", "/home/*/.nvm/*/node", "/home/*/cursor-agent/*/node") 
)

Install detection rules in Elastic Security

Detect Curl or Wget Spawned via Node.js in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).