Suspicious AWS S3 Connection via Script Interpreter
The rule detects script interpreters (osascript, Node.js, Python) making outbound connections to AWS S3 or CloudFront domains on macOS, which may indicate command and control or data exfiltration activity.
This rule detects when a script interpreter (osascript, Node.js, Python) with minimal arguments makes an outbound connection to AWS S3 or CloudFront domains on macOS. Threat actors have been observed using S3 buckets for both command and control and data exfiltration. This detection focuses on identifying script interpreters connecting to cloud storage that warrant investigation for potential malicious activity. The rule triggers when a script interpreter establishes a high number of connections (>= 20) to AWS S3 or CloudFront, suggesting automated or scripted behavior rather than normal application traffic.
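As an added illustration (not the vendor's Sigma rule, whose field names and exact match patterns are not reproduced on this page), the following Python applies the rule's logic to constructed connection events: it counts outbound connections from osascript, node or python to S3/CloudFront hosts per process and reports those at or above the threshold (20 for this rule, 1 for the low-volume variant). The "minimal arguments" condition is left out, and the host patterns are an assumption drawn from the domains named in the text.

```python
import re
from collections import Counter

# Interpreters named in the rule description (assumption: plain process names).
SCRIPT_INTERPRETERS = {"osascript", "node", "python", "python3"}

# Destination patterns from the rule text, rendered as regexes (assumption).
AWS_DEST_PATTERNS = [
    re.compile(r"(^|\.)s3\.[^.]+\.amazonaws\.com$"),  # s3.<region>.amazonaws.com
    re.compile(r"\.s3\.amazonaws\.com$"),              # <bucket>.s3.amazonaws.com
    re.compile(r"\.cloudfront\.net$"),                 # <distribution>.cloudfront.net
]


def is_aws_storage_host(host: str) -> bool:
    """True if the destination is an S3 or CloudFront host (suffix-anchored)."""
    host = host.lower().rstrip(".")
    return any(p.search(host) for p in AWS_DEST_PATTERNS)


def detect(events, threshold: int = 20):
    """Count S3/CloudFront connections per (process, pid) for script
    interpreters and return those that reach the threshold."""
    counts = Counter()
    for e in events:
        if e["process"].lower() in SCRIPT_INTERPRETERS and is_aws_storage_host(e["dest_host"]):
            counts[(e["process"], e["pid"])] += 1
    return {proc: n for proc, n in counts.items() if n >= threshold}


# Constructed sample telemetry: a python process polling one S3 endpoint, a
# single osascript hit on CloudFront, and a browser that must never match.
SAMPLE_EVENTS = (
    [{"process": "python3", "pid": 4242, "dest_host": "s3.us-east-1.amazonaws.com"}] * 25
    + [{"process": "osascript", "pid": 777, "dest_host": "d111111abcdef8.cloudfront.net"}]
    + [{"process": "Safari", "pid": 901, "dest_host": "assets.s3.amazonaws.com"}] * 30
)

if __name__ == "__main__":
    print("medium rule (>=20):", detect(SAMPLE_EVENTS))
    print("low-volume rule (>=1):", detect(SAMPLE_EVENTS, threshold=1))
```

The browser's 30 connections are ignored because the rule keys on the interpreter process, not on the destination alone; the per-process aggregation is what separates polling from a one-off lookup.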
Attack Chain
- A user executes a script interpreter (osascript, node, python) on a macOS system.
- The script contains code to interact with AWS S3 or CloudFront.
- The script establishes a network connection to an AWS S3 bucket (s3.*.amazonaws.com or *.s3.amazonaws.com) or a CloudFront domain (*.cloudfront.net).
- The script retrieves a second-stage payload or configuration from the S3 bucket or CloudFront distribution.
- The script polls the same S3 bucket or CloudFront-backed URL for commands at regular intervals.
- Alternatively, the script uploads stolen data to the S3 bucket using multipart upload patterns.
- The attacker uses the S3 bucket for command and control or data exfiltration.
Impact
A successful attack could lead to data exfiltration or remote command execution on the compromised macOS system. The attacker can use the S3 bucket to store stolen data or to control the compromised system, potentially leading to further damage. Since the rule triggers on a high number of connections (>=20), it indicates potentially automated behavior.
Recommendation
- Deploy the Sigma rule macOS Suspicious AWS S3 Connection via Script Interpreter to your SIEM and tune the threshold (connection_count >= 20) for your environment.
- Investigate any alerts triggered by the Sigma rule, focusing on the process ancestry, command-line arguments, and associated network connections.
- Review concurrent endpoint activity from the same process and user, such as file downloads to writable/temp locations, new executable creation, permission changes, or immediate execution of newly written payloads.
- Monitor network traffic for unusually large outbound byte counts, multipart upload patterns, and matching connections from other hosts using the same domain.
Detection coverage (2 rules)
macOS Suspicious AWS S3 Connection via Script Interpreter
Severity: medium. Detects macOS script interpreters (osascript, Node.js, Python) initiating multiple outbound connections to AWS S3 or CloudFront domains, potentially indicating command and control or data exfiltration.
macOS Script Interpreter Connecting to AWS S3 - Low Volume
Severity: low. Detects macOS script interpreters (osascript, Node.js, Python) initiating connections to AWS S3 or CloudFront domains. This rule is for environments with low traffic to AWS resources.