Suspicious AWS S3 Connection via Script Interpreter
Detects when a script interpreter (osascript, Node.js, Python) with minimal arguments makes an outbound connection to AWS S3 or CloudFront domains. Threat actors have used S3 buckets for both command and control and data exfiltration. Script interpreters connecting to cloud storage should be investigated for potential malicious activity.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Detects when a script interpreter (osascript, Node.js, Python) with minimal arguments makes an outbound
connection to AWS S3 or CloudFront domains. Threat actors have used S3 buckets for both command and control
and data exfiltration. Script interpreters connecting to cloud storage should be investigated for potential
malicious activity.
"""
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "Suspicious AWS S3 Connection via Script Interpreter"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious AWS S3 Connection via Script Interpreter

This rule flags macOS script interpreters (AppleScript, Node.js, Python) that repeatedly initiate outbound connections to AWS S3 or CloudFront with little or no command context, a common sign of scripted automation rather than normal app traffic. Attackers often use a short Python or Node one-liner to fetch a second-stage payload from an S3 bucket and then poll the same bucket or a CloudFront-backed URL for commands or to upload stolen data.

### Possible investigation steps

- Pivot from the flagged executable to full process ancestry and command-line/script file to determine what code initiated the S3/CloudFront traffic and whether it was launched interactively, by a LaunchAgent/Daemon, or by another app.
- Identify the specific bucket/distribution and object paths involved using available URL/SNI/HTTP telemetry, then validate ownership and reputation by correlating with cloud account inventory, known-good tooling, and threat intel.
- Review concurrent endpoint activity from the same process and user such as file downloads to writable/temp locations, new executable creation, permission changes, or immediate execution of newly written payloads.
- Hunt for follow-on behaviors consistent with C2 or exfiltration including repeated polling intervals, unusually large outbound byte counts, multipart upload patterns, and matching connections from other hosts using the same domain.
- If suspicious, capture and preserve the script contents and related artifacts (Python/Node packages, AppleScript files, launch plist, cron entries) and isolate the host while blocking the destination domain at egress.

### False positive analysis

- A developer or build/CI workflow runs Python/Node scripts on macOS to fetch artifacts or dependencies from an organization-owned S3 bucket or CloudFront distribution, producing repeated connections during installs, tests, or packaging.
- A legitimate AppleScript/Python/Node automation (e.g., user logon script, LaunchAgent task, or scheduled job) periodically uploads logs/backups or syncs configuration to S3/CloudFront, resulting in bursty, minimal-argument interpreter network starts that exceed the connection threshold.

### Response and remediation

- Isolate the affected macOS host from the network and immediately block the observed S3/CloudFront domain(s) and resolved IPs at egress while allowing access needed for forensics and management.
- Acquire and preserve the initiating script and execution context by collecting the interpreter's on-disk script/one-liner source, parent process details, relevant LaunchAgents/LaunchDaemons plist files, and any newly written binaries or archives associated with the same time window.
- Eradicate persistence and tooling by removing or disabling the malicious launch plist/cron entries, deleting the identified script and any downloaded payloads, and revoking/quarantining any Python/Node packages or AppleScript components tied to the outbound S3 activity.
- Reset and revoke credentials exposed on the host by rotating the user's passwords/tokens, removing any AWS keys found in environment variables/config files (e.g., CLI config, application secrets), and invalidating active sessions associated with the user or host.
- Recover by reimaging or restoring the endpoint from a known-good baseline if payload execution or system modification is confirmed, then reintroduce it to the network only after validating no recurring connections to the same S3/CloudFront endpoints.
- Escalate to incident response and cloud security if multiple hosts show the same destination domain or bucket, the script performs uploads or handles sensitive files, or you identify AWS credentials, data staging, or active command polling indicative of C2 or exfiltration.
"""
risk_score = 47
rule_id = "05f2b649-dc03-4e9a-8c4e-6762469e8249"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "esql"
query = '''
FROM logs-endpoint.events.network-*
| WHERE host.os.type == "macos"
  AND event.type == "start"
  AND (process.name == "osascript"
       OR process.name == "node"
       OR process.name LIKE "python*")
  AND (destination.domain LIKE "s3.*.amazonaws.com"
       OR destination.domain LIKE "*.s3*.amazonaws.com"
       OR destination.domain LIKE "*.cloudfront.net")
| STATS Esql.connection_count = COUNT(*)
  BY process.executable, user.name, host.name, destination.domain
| WHERE Esql.connection_count >= 5
| KEEP Esql.*, process.executable, user.name, host.name, destination.domain
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Command and Control"
  id = "TA0011"
  reference = "https://attack.mitre.org/tactics/TA0011/"

  [[rule.threat.technique]]
  name = "Web Service"
  id = "T1102"
  reference = "https://attack.mitre.org/techniques/T1102/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Exfiltration"
  id = "TA0010"
  reference = "https://attack.mitre.org/tactics/TA0010/"

  [[rule.threat.technique]]
  name = "Exfiltration Over Web Service"
  id = "T1567"
  reference = "https://attack.mitre.org/techniques/T1567/"

    [[rule.threat.technique.subtechnique]]
    name = "Exfiltration to Cloud Storage"
    id = "T1567.002"
    reference = "https://attack.mitre.org/techniques/T1567/002/"
```
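To make the rule's ES|QL logic concrete, here is an added re-implementation of it in plain Python (example code written for this page, not Elastic's rule code or a supported Elastic API), run over a handful of constructed network-start events. It reproduces the row filter (OS, event type, interpreter name with the `python*` wildcard, the three domain `LIKE` patterns), the `STATS ... BY` grouping, and the `>= 5` threshold, and adds two things the investigation and false-positive notes call for: a `known_good_domains` tuning knob that suppresses organization-owned buckets or distributions (an assumption of this example, not part of the rule), and a helper that recovers the bucket name from a virtual-hosted-style S3 hostname so the analyst can check it against cloud inventory. All hostnames, users and host names below are constructed sample data.

```python
"""Added example: the rule's ES|QL query re-expressed in Python over sample events."""
import fnmatch
from collections import Counter

# Wildcards copied from the rule's query. ES|QL LIKE uses '*' as its wildcard,
# which fnmatch understands; fnmatchcase keeps the comparison case-sensitive.
PROCESS_PATTERNS = ("osascript", "node", "python*")
DOMAIN_PATTERNS = ("s3.*.amazonaws.com", "*.s3*.amazonaws.com", "*.cloudfront.net")
THRESHOLD = 5  # the rule's "Esql.connection_count >= 5"
GROUP_KEYS = ("process.executable", "user.name", "host.name", "destination.domain")


def _like(value, pattern):
    return fnmatch.fnmatchcase(value, pattern)


def event_matches(ev):
    """Row-level WHERE clause of the rule applied to one flattened ECS event."""
    return (
        ev.get("host.os.type") == "macos"
        and ev.get("event.type") == "start"
        and any(_like(ev.get("process.name", ""), p) for p in PROCESS_PATTERNS)
        and any(_like(ev.get("destination.domain", ""), p) for p in DOMAIN_PATTERNS)
    )


def evaluate(events, threshold=THRESHOLD, known_good_domains=()):
    """STATS COUNT(*) BY group keys, then keep groups at or above the threshold.

    known_good_domains is an added tuning knob (not in the rule) for suppressing
    organization-owned buckets/distributions named in the false-positive notes.
    """
    counts = Counter(
        tuple(ev.get(k) for k in GROUP_KEYS) for ev in events if event_matches(ev)
    )
    return [
        dict(zip(GROUP_KEYS, key), **{"Esql.connection_count": n})
        for key, n in sorted(counts.items())
        if n >= threshold and key[3] not in known_good_domains
    ]


def s3_bucket_from_domain(domain):
    """Best-effort bucket name from a virtual-hosted-style S3 hostname
    ('mybucket.s3.us-east-1.amazonaws.com' -> 'mybucket'). Returns None for
    path-style 's3.<region>.amazonaws.com' (bucket is in the URL path, not the
    hostname) and for CloudFront, where the distribution hides the origin."""
    labels = domain.split(".")
    if labels[-2:] != ["amazonaws", "com"]:
        return None
    for i, lab in enumerate(labels):
        if lab == "s3" or lab.startswith("s3-"):  # s3, s3-accelerate, s3-us-west-2, ...
            return ".".join(labels[:i]) or None
    return None


def _ev(proc, exe, user, host, domain, n, os_type="macos", etype="start"):
    """Build n identical constructed events (flattened ECS field names)."""
    return [{"host.os.type": os_type, "event.type": etype, "process.name": proc,
             "process.executable": exe, "user.name": user, "host.name": host,
             "destination.domain": domain} for _ in range(n)]


# Constructed sample telemetry: two groups should alert, the rest are decoys
# that each fail exactly one clause (interpreter, OS, domain, event type, or threshold).
SAMPLE_EVENTS = (
    _ev("python3.11", "/usr/bin/python3", "dev", "mac01", "staging-artifacts.s3.us-east-1.amazonaws.com", 6)
    + _ev("osascript", "/usr/bin/osascript", "jane", "mac02", "dexample123456.cloudfront.net", 5)
    + _ev("node", "/usr/local/bin/node", "jane", "mac02", "dexample123456.cloudfront.net", 3)
    + _ev("curl", "/usr/bin/curl", "jane", "mac02", "dexample123456.cloudfront.net", 7)
    + _ev("python3", "/usr/bin/python3", "svc", "lnx01", "logs.s3.amazonaws.com", 6, os_type="linux")
    + _ev("python3", "/usr/bin/python3", "dev", "mac01", "api.example.com", 9)
    + _ev("python3.11", "/usr/bin/python3", "dev", "mac01", "staging-artifacts.s3.us-east-1.amazonaws.com", 4, etype="end")
)

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        bucket = s3_bucket_from_domain(alert["destination.domain"])
        print(alert, "bucket:", bucket)
```

Running it yields two alerts: the `osascript` group at exactly the threshold and the `python3` group with six starts, while the `node` group (three starts), the `curl` traffic, the Linux host, the non-AWS domain and the `end` events are all dropped. Passing the staging bucket's hostname in `known_good_domains` removes the developer-workflow alert, which is the kind of exception the false-positive section describes; the bucket helper returns `None` for the CloudFront alert, so that case still needs URL or SNI telemetry to identify the origin.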
Related rules
- Executable File Download via Wget
- Perl Outbound Network Connection
- Script Interpreter Connection to Non-Standard Port
- Potential Traffic Tunneling using QEMU
- Curl Execution via Shell Profile