Suspicious AWS S3 Connection via Script Interpreter
Detects when a script interpreter (osascript, Node.js, Python) launched with no arguments beyond the interpreter binary itself (process.args_count == 1, i.e. code fed interactively or over stdin rather than from a script file) makes an outbound connection to an AWS S3 or CloudFront domain within one minute of starting. Threat actors have used S3 buckets for both command and control and data exfiltration. Script interpreters connecting to cloud storage should be investigated for potential malicious activity.
Rule type: eql
Rule indices:
- logs-endpoint.events.network-*
- logs-endpoint.events.process-*
Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Command and Control
- Data Source: Elastic Defend
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
sequence by process.entity_id with maxspan=1m
[process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
(process.name in ("osascript", "node") or process.name like "python*") and
process.args_count == 1]
[network where host.os.type == "macos" and event.type == "start" and
destination.domain like ("s3.*.amazonaws.com", "*.s3*.amazonaws.com", "*.cloudfront.net")]
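The sequence above re-implemented offline in Python, as an added example and not Elastic's own rule engine. It groups ECS-style events by process.entity_id, applies the same process and network predicates (EQL `like` is a case-sensitive wildcard match, so fnmatchcase is used), and enforces the one-minute maxspan. The sample events at the bottom are constructed for this example and cover one true positive plus three near-misses: an interpreter started with a script argument, a connection outside the maxspan window, and a connection to a non-matching domain.

```python
"""Offline re-implementation of the S3/CloudFront interpreter sequence.

Added example, not Elastic code. Event dicts mirror the ECS field names the rule
uses (host.os.type, event.category/type/action, process.*, destination.domain).
"""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(minutes=1)
INTERPRETERS = ("osascript", "node")        # process.name in (...)
INTERPRETER_GLOBS = ("python*",)            # process.name like "python*"
DOMAIN_GLOBS = ("s3.*.amazonaws.com", "*.s3*.amazonaws.com", "*.cloudfront.net")
BASE = datetime(2024, 1, 1, 12, 0, 0)       # fixed base time for constructed events


def _like_any(value, patterns):
    # EQL `like` is a case-sensitive wildcard match; fnmatchcase mirrors that.
    return any(fnmatchcase(value, p) for p in patterns)


def is_bare_interpreter_start(ev):
    """Step 1: macOS exec of osascript/node/python* with only argv[0]."""
    proc = ev.get("process", {})
    name = proc.get("name", "")
    return (
        ev.get("host.os.type") == "macos"
        and ev.get("event.category") == "process"
        and ev.get("event.type") == "start"
        and ev.get("event.action") == "exec"
        and (name in INTERPRETERS or _like_any(name, INTERPRETER_GLOBS))
        and proc.get("args_count") == 1
    )


def is_cloud_storage_connection(ev):
    """Step 2: macOS network start to an S3 or CloudFront domain."""
    return (
        ev.get("host.os.type") == "macos"
        and ev.get("event.category") == "network"
        and ev.get("event.type") == "start"
        and _like_any(ev.get("destination.domain", ""), DOMAIN_GLOBS)
    )


def find_sequences(events):
    """Return (process_event, network_event) pairs satisfying the sequence.

    Mirrors `sequence by process.entity_id with maxspan=1m`: events are walked in
    timestamp order, the latest qualifying start per entity_id is remembered, and
    a matching network event completes the sequence only if it falls within
    MAXSPAN of that start. A completed start is consumed so it fires once.
    """
    pending = {}   # entity_id -> most recent qualifying process start
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        eid = ev["process"]["entity_id"]
        if is_bare_interpreter_start(ev):
            pending[eid] = ev
        elif is_cloud_storage_connection(ev) and eid in pending:
            start = pending[eid]
            if ev["@timestamp"] - start["@timestamp"] <= MAXSPAN:
                hits.append((start, ev))
                del pending[eid]
    return hits


# --- constructed sample events (not real telemetry) ---------------------------
def proc_start(offset_s, eid, name, args_count):
    return {"@timestamp": BASE + timedelta(seconds=offset_s), "host.os.type": "macos",
            "event.category": "process", "event.type": "start", "event.action": "exec",
            "process": {"entity_id": eid, "name": name, "args_count": args_count}}


def net_conn(offset_s, eid, domain):
    return {"@timestamp": BASE + timedelta(seconds=offset_s), "host.os.type": "macos",
            "event.category": "network", "event.type": "start",
            "destination.domain": domain, "process": {"entity_id": eid}}


SAMPLE_EVENTS = [
    # A: bare osascript, then S3 bucket connection 20s later -> alert
    proc_start(0, "A", "osascript", 1),
    net_conn(20, "A", "bucket.s3.us-east-1.amazonaws.com"),
    # B: `python3 backup.py` (args_count 2) -> excluded by args_count == 1
    proc_start(0, "B", "python3", 2),
    net_conn(5, "B", "s3.us-west-2.amazonaws.com"),
    # C: bare node, but the CloudFront connection is 90s later -> outside maxspan
    proc_start(0, "C", "node", 1),
    net_conn(90, "C", "d111.cloudfront.net"),
    # D: bare python3.11, but destination is not S3/CloudFront -> no match
    proc_start(0, "D", "python3.11", 1),
    net_conn(10, "D", "api.github.com"),
]

if __name__ == "__main__":
    for start, conn in find_sequences(SAMPLE_EVENTS):
        print(f"{start['process']['entity_id']}: {start['process']['name']} -> "
              f"{conn['destination.domain']}")
```

Running it reports only entity A. The args_count == 1 condition is what keeps a scheduled `python3 backup.py` that legitimately syncs to S3 out of the alert stream, so when tuning this rule, check whether your benign interpreter-based tooling is started bare (for example, code piped over stdin) before widening or narrowing that predicate.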
Framework: MITRE ATT&CK
Tactic:
- Name: Command and Control
- Id: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Web Service
- Id: T1102
- Reference URL: https://attack.mitre.org/techniques/T1102/
Framework: MITRE ATT&CK
Tactic:
- Name: Exfiltration
- Id: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
Technique:
- Name: Exfiltration Over Web Service
- Id: T1567
- Reference URL: https://attack.mitre.org/techniques/T1567/
Sub Technique:
- Name: Exfiltration to Cloud Storage
- Id: T1567.002
- Reference URL: https://attack.mitre.org/techniques/T1567/002/