Suspicious AWS S3 Connection via Script Interpreter
Detects when a script interpreter (osascript, Node.js, Python) with minimal arguments makes an outbound connection to AWS S3 or CloudFront domains. Threat actors have used S3 buckets for both command and control and data exfiltration. Script interpreters connecting to cloud storage should be investigated for potential malicious activity.
Rule type: esql
Rule indices:
Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Command and Control
- Data Source: Elastic Defend
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
FROM logs-endpoint.events.network-*
| WHERE host.os.type == "macos"
AND event.type == "start"
AND (process.name == "osascript"
OR process.name == "node"
OR process.name LIKE "python*")
AND (destination.domain LIKE "s3.*.amazonaws.com"
OR destination.domain LIKE "*.s3*.amazonaws.com"
OR destination.domain LIKE "*.cloudfront.net")
| STATS Esql.connection_count = COUNT(*)
BY process.executable, user.name, host.name, destination.domain
| WHERE Esql.connection_count >= 5
| KEEP Esql.*, process.executable, user.name, host.name, destination.domain
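To make the aggregation logic of the query above concrete, here is an added Python re-implementation of the rule (example code written for this page, not Elastic's own rule engine) run over constructed sample events. It mirrors each stage of the ES|QL pipeline: the row-level WHERE filter, STATS COUNT(*) BY the four grouping fields, the `>= 5` threshold, and the KEEP projection. The event dicts, host names, user names and domains are all constructed for illustration.

```python
import fnmatch
from collections import Counter

# Constants transcribed from the rule's WHERE / STATS clauses. ES|QL LIKE uses
# * and ? wildcards and is case-sensitive, which fnmatch.fnmatchcase mirrors.
PROCESS_PATTERNS = ("osascript", "node", "python*")
DOMAIN_PATTERNS = ("s3.*.amazonaws.com", "*.s3*.amazonaws.com", "*.cloudfront.net")
GROUP_FIELDS = ("process.executable", "user.name", "host.name", "destination.domain")
THRESHOLD = 5  # "| WHERE Esql.connection_count >= 5"


def matches_row(event: dict) -> bool:
    """Row-level filter equivalent to the first WHERE clause of the rule."""
    if event.get("host.os.type") != "macos" or event.get("event.type") != "start":
        return False
    name = event.get("process.name", "")
    domain = event.get("destination.domain", "")
    return (any(fnmatch.fnmatchcase(name, p) for p in PROCESS_PATTERNS)
            and any(fnmatch.fnmatchcase(domain, p) for p in DOMAIN_PATTERNS))


def evaluate_rule(events: list) -> list:
    """STATS COUNT(*) BY the four group fields, then keep groups at or above THRESHOLD.

    Returns one dict per alerting group carrying the same fields the KEEP clause emits.
    """
    counts = Counter(
        tuple(event.get(field) for field in GROUP_FIELDS)
        for event in events if matches_row(event)
    )
    alerts = []
    for key, n in counts.items():
        if n >= THRESHOLD:
            row = dict(zip(GROUP_FIELDS, key))
            row["Esql.connection_count"] = n
            alerts.append(row)
    return alerts


def make_event(process_name, executable, domain, user="alice", host="mac-01",
               os_type="macos", event_type="start") -> dict:
    """Build one constructed network event using the field names the query reads."""
    return {
        "host.os.type": os_type,
        "event.type": event_type,
        "process.name": process_name,
        "process.executable": executable,
        "user.name": user,
        "host.name": host,
        "destination.domain": domain,
    }


# Constructed sample data (not real telemetry). Only the first group should alert.
SAMPLE_EVENTS = (
    # 6 connections from python3 to an S3 bucket: interpreter + S3 domain + over threshold
    [make_event("python3", "/usr/bin/python3", "mybucket.s3.us-east-1.amazonaws.com")] * 6
    # 2 connections from node to CloudFront: matches the filter but stays below threshold
    + [make_event("node", "/usr/local/bin/node", "d111111abcdef8.cloudfront.net")] * 2
    # 7 connections from curl: not one of the watched interpreters
    + [make_event("curl", "/usr/bin/curl", "s3.us-west-2.amazonaws.com")] * 7
    # 5 connections from python3 to a non-cloud domain: domain filter does not match
    + [make_event("python3", "/usr/bin/python3", "updates.example.com")] * 5
    # 5 connections from python3 on a Linux host: host.os.type filter does not match
    + [make_event("python3", "/usr/bin/python3", "s3.eu-west-1.amazonaws.com",
                  host="linux-01", os_type="linux")] * 5
)


def run_rule() -> list:
    """Evaluate the rule against the constructed sample; returns the alerting groups."""
    return evaluate_rule(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_rule():
        print(alert)
```

Two points worth noting when tuning this rule. First, the threshold is applied per (executable, user, host, domain) group within the rule's search window, so a single interpreter spreading connections across several bucket hostnames can stay under the count on each; the example models the grouping but not the time window. Second, the domain patterns as written match regional and virtual-hosted S3 endpoints and CloudFront distributions, but not the bare legacy endpoint `s3.amazonaws.com`, and the query does not inspect `process.args` at all, so the "minimal arguments" qualifier in the description is an analyst triage hint rather than something the query enforces.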
Framework: MITRE ATT&CK
Tactic:
- Name: Command and Control
- Id: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Web Service
- Id: T1102
- Reference URL: https://attack.mitre.org/techniques/T1102/
Framework: MITRE ATT&CK
Tactic:
- Name: Exfiltration
- Id: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
Technique:
- Name: Exfiltration Over Web Service
- Id: T1567
- Reference URL: https://attack.mitre.org/techniques/T1567/
Sub Technique:
- Name: Exfiltration to Cloud Storage
- Id: T1567.002
- Reference URL: https://attack.mitre.org/techniques/T1567/002/