Elastic Security Detection Rules

Suspicious AWS S3 Connection via Script Interpreter

Last updated 2 days ago on 2026-02-09
Created 12 days ago on 2026-01-30

About

Detects when a script interpreter (osascript, Node.js, Python) with minimal arguments makes an outbound connection to AWS S3 or CloudFront domains. Threat actors have used S3 buckets for both command and control and data exfiltration. Script interpreters connecting to cloud storage should be investigated for potential malicious activity.
Tags
Domain: EndpointOS: macOSUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendLanguage: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

Web Service (T1102)(external, opens in a new tab or window)

Exfiltration (TA0010)(external, opens in a new tab or window)

Exfiltration Over Web Service (T1567)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
FROM logs-endpoint.events.network-*
| WHERE host.os.type == "macos" 
    AND event.type == "start"
    AND (process.name == "osascript" 
         OR process.name == "node" 
         OR process.name LIKE "python*")
    AND (destination.domain LIKE "s3.*.amazonaws.com" 
         OR destination.domain LIKE "*.s3*.amazonaws.com" 
         OR destination.domain LIKE "*.cloudfront.net")
| STATS Esql.connection_count = COUNT(*) 
  BY process.executable, user.name, host.name, destination.domain
| WHERE Esql.connection_count >= 5
| KEEP Esql.*, process.executable, user.name, host.name, destination.domain

Install detection rules in Elastic Security

Detect Suspicious AWS S3 Connection via Script Interpreter in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).