Network Connection to OAST Domain via Script Interpreter
Detects when a package service such as npm, gems, or a script interpreter makes an outbound network connection to an OAST (Out-of-band Application Security Testing) domain. Threat actors have been using OAST domains to exfiltrate sensitive data from compromised systems via malicious packages.
Elastic rule
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Detects when a package service such as npm, gems, or a script interpreter makes an outbound network connection
to an OAST (Out-of-band Application Security Testing) domain. Threat actors have been using OAST domains to
exfiltrate sensitive data from compromised systems via malicious packages.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection to OAST Domain via Script Interpreter"
references = [
  "https://socket.dev/blog/weaponizing-oast-how-malicious-packages-exploit-npm-pypi-and-rubygems"
]
risk_score = 73
rule_id = "54214c47-be7c-4f6b-8ef2-78832f9f8f42"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: macOS",
  "Use Case: Threat Detection",
  "Tactic: Command and Control",
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide"
]
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Network Connection to OAST Domain via Script Interpreter

Out-of-Band Application Security Testing (OAST) services such as interact.sh, burpcollaborator.net, and similar platforms are designed for security testing to detect vulnerabilities through out-of-band data channels. However, threat actors abuse these same services for data exfiltration, command and control, and DNS-based exploitation. This detection rule identifies script interpreters or suspicious processes connecting to known OAST domains, which may indicate exploitation activity or unauthorized security testing.

### Possible investigation steps

- Verify with your security team whether authorized penetration testing or red team exercises are currently underway that would involve OAST services.
- Review the process.name and process.executable fields to identify which application initiated the OAST connection and determine if it is a known vulnerable application.
- Examine the dns.question.name field to capture the full OAST subdomain, as the subdomain often contains encoded data or unique identifiers used by attackers.
- Analyze the process.parent.executable and process.command_line to understand how the connecting process was spawned and identify the potential vulnerability being exploited.
- Check for any HTTP request or response data associated with the OAST connection to identify what data may have been exfiltrated.
- Investigate the user.name and host.name to determine the scope of affected systems and user accounts.
- Review web application logs and proxy data for injection attempts or exploitation activity that may have triggered the OAST callback.

### False positive analysis

- Authorized security researchers and penetration testers may use OAST services during sanctioned vulnerability assessments. Confirm testing windows with the security team before escalating.
- Bug bounty hunters testing your organization's applications may trigger OAST connections. Verify if bug bounty programs are active and expected.
- Security training or capture-the-flag exercises may involve OAST services for educational purposes. Confirm with training coordinators if such exercises are scheduled.
- Some commercial security scanning tools may use OAST-like services for vulnerability detection. Verify if automated security scanning is running.

### Response and remediation

- If unauthorized, immediately block the OAST domain at the network perimeter, DNS resolver, and proxy to prevent further communication.
- Isolate the affected system to prevent lateral movement or additional data exfiltration.
- Identify the vulnerable application or injection point that led to the OAST callback and apply emergency patches or mitigations.
- Review the OAST subdomain and any captured data to assess the scope of information exposure.
- Conduct a thorough code review of affected applications to identify and remediate the underlying vulnerability.
- Implement web application firewall rules to detect and block common injection patterns that lead to OAST exploitation.
- Escalate to the incident response team for further investigation if the activity indicates active exploitation or compromise.
"""
query = '''
sequence by process.entity_id with maxspan=1m
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
   (process.name == "node" or process.name like ("python*", "ruby*", "perl*"))]
  [network where host.os.type == "macos" and event.type == "start" and destination.domain like "*.oast*"]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Command and Control"
  id = "TA0011"
  reference = "https://attack.mitre.org/tactics/TA0011/"

  [[rule.threat.technique]]
  name = "Web Service"
  id = "T1102"
  reference = "https://attack.mitre.org/techniques/T1102/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Exfiltration"
  id = "TA0010"
  reference = "https://attack.mitre.org/tactics/TA0010/"

  [[rule.threat.technique]]
  name = "Exfiltration Over Web Service"
  id = "T1567"
  reference = "https://attack.mitre.org/techniques/T1567/"
Related rules
- Curl Execution via Shell Profile
- Google Calendar C2 via Script Interpreter
- Potential Etherhiding C2 via Blockchain Connection
- Suspicious Curl from macOS Application
- Suspicious Curl to Google App Script Endpoint