Attack Chain

1. A user executes a script interpreter (osascript, node, python) on a macOS system.
2. The script contains code to interact with AWS S3 or CloudFront.
3. The script establishes a network connection to an AWS S3 bucket (s3..amazonaws.com or .s3.amazonaws.com) or a CloudFront domain (.cloudfront.net).
4. The script retrieves a second-stage payload or configuration from the S3 bucket or CloudFront distribution.
5. The script polls the same S3 bucket or CloudFront-backed URL for commands at regular intervals.
6. Alternatively, the script uploads stolen data to the S3 bucket using multipart upload patterns.
7. The attacker uses the S3 bucket for command and control or data exfiltration.

Impact

A successful attack could lead to data exfiltration or remote command execution on the compromised macOS system. The attacker can use the S3 bucket to store stolen data or to control the compromised system, potentially leading to further damage. Since the rule triggers on a high number of connections (>=20), it indicates potentially automated behavior.

Recommendation

• Deploy the Sigma rule macOS Suspicious AWS S3 Connection via Script Interpreter to your SIEM and tune the threshold (connection_count >= 20) for your environment.
• Investigate any alerts triggered by the Sigma rule, focusing on the process ancestry, command-line arguments, and associated network connections.
• Review concurrent endpoint activity from the same process and user, such as file downloads to writable/temp locations, new executable creation, permission changes, or immediate execution of newly written payloads.
• Monitor network traffic for unusually large outbound byte counts, multipart upload patterns, and matching connections from other hosts using the same domain.