From 4eed21c3e36fd984baa496d1736d634041182fd3 Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Tue, 19 May 2026 21:52:37 +0530
Subject: [PATCH 1/3] [Rule Tuning] Suspicious AWS S3 Connection via Script Interpreter
---
 ..._and_control_aws_s3_connection_via_script.toml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/rules/macos/command_and_control_aws_s3_connection_via_script.toml b/rules/macos/command_and_control_aws_s3_connection_via_script.toml
index 3b50a6efad2..740569a89f1 100644
--- a/rules/macos/command_and_control_aws_s3_connection_via_script.toml
+++ b/rules/macos/command_and_control_aws_s3_connection_via_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/05/19"
 
 [rule]
 author = ["Elastic"]
@@ -69,10 +69,15 @@ FROM logs-endpoint.events.network-*
   AND (destination.domain LIKE "s3.*.amazonaws.com"
     OR destination.domain LIKE "*.s3*.amazonaws.com"
     OR destination.domain LIKE "*.cloudfront.net")
-| STATS Esql.connection_count = COUNT(*)
-  BY process.executable, user.name, host.name, destination.domain
-| WHERE Esql.connection_count >= 5
-| KEEP Esql.*, process.executable, user.name, host.name, destination.domain
+  AND (process.code_signature.exists == "false" OR process.code_signature.trusted == "false")
+  AND NOT (process.executable LIKE "/opt/homebrew/*")
+| STATS Esql.connection_count = COUNT(*),
+    Esql.process_executable_values = VALUES(process.executable),
+    Esql.code_signature_exists_values = VALUES(process.code_signature.exists),
+    Esql.code_signature_trusted_values = VALUES(process.code_signature.trusted)
+  BY user.name, host.name, destination.domain, process.entity_id
+| WHERE Esql.connection_count >= 20
+| KEEP Esql.*, user.name, host.name, destination.domain, process.entity_id
 '''
 
 [[rule.threat]]
From 2049c54fa1cfe48f35b6c6edcfed292a0bc5d8f5 Mon Sep 17 00:00:00 2001
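Review bot: The new `AND NOT (process.executable LIKE "/opt/homebrew/*")` line is a path allowlist on a prefix that Homebrew on Apple Silicon normally leaves owned by the installing user, so an unsigned `python3` or `node` copied anywhere under `/opt/homebrew/` drops out of the rule entirely. A path filter under a user-writable prefix cannot be made trustworthy; either drop it and let analysts triage on the new `Esql.process_executable_values`, or record the bypass in the rule's investigation text so it is a known gap rather than a hidden one. `process.code_signature.exists` and `.trusted` are boolean fields in ECS, and `== "false"` leans on implicit string casting where `== false` says what is meant. PATCH 3/3 in this series removes both conditions again, so these points matter only if the intermediate state is ever shipped.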
From: Shashank K S
Date: Tue, 19 May 2026 22:02:56 +0530
Subject: [PATCH 2/3] Add xcode path
---
 .../macos/command_and_control_aws_s3_connection_via_script.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/macos/command_and_control_aws_s3_connection_via_script.toml b/rules/macos/command_and_control_aws_s3_connection_via_script.toml
index 740569a89f1..184539bff2f 100644
--- a/rules/macos/command_and_control_aws_s3_connection_via_script.toml
+++ b/rules/macos/command_and_control_aws_s3_connection_via_script.toml
@@ -70,7 +70,7 @@ FROM logs-endpoint.events.network-*
     OR destination.domain LIKE "*.s3*.amazonaws.com"
     OR destination.domain LIKE "*.cloudfront.net")
   AND (process.code_signature.exists == "false" OR process.code_signature.trusted == "false")
-  AND NOT (process.executable LIKE "/opt/homebrew/*")
+  AND NOT (process.executable LIKE "/opt/homebrew/*" OR process.executable LIKE "/Applications/Xcode*.app/*")
 | STATS Esql.connection_count = COUNT(*),
     Esql.process_executable_values = VALUES(process.executable),
     Esql.code_signature_exists_values = VALUES(process.code_signature.exists),
From a88155b50014e0e0d7ee3578855a9df5a5bd01a0 Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Thu, 21 May 2026 11:23:23 +0530
Subject: [PATCH 3/3] PR review comments
---
 ..._control_aws_s3_connection_via_script.toml | 25 ++++++++-----------
 1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/rules/macos/command_and_control_aws_s3_connection_via_script.toml b/rules/macos/command_and_control_aws_s3_connection_via_script.toml
index 184539bff2f..590354543b3 100644
--- a/rules/macos/command_and_control_aws_s3_connection_via_script.toml
+++ b/rules/macos/command_and_control_aws_s3_connection_via_script.toml
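Review bot: `process.executable LIKE "/Applications/Xcode*.app/*"` excludes any bundle whose name merely begins with `Xcode`, and `/Applications` is group-writable by `admin` on a default macOS install, so a local admin can stage `/Applications/XcodeHelper.app/Contents/MacOS/python3` and sit outside the rule without root. If the target is Xcode's bundled interpreters, anchor on where they actually live (`/Applications/Xcode*.app/Contents/Developer/usr/bin/*`, to be confirmed against a host) rather than the whole bundle. Splitting the two exclusions onto separate `OR` lines would also keep later diffs to this clause readable. PATCH 3/3 drops the exclusion entirely, so this applies only to the intermediate state.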
@@ -60,24 +60,19 @@ tags = [
 ]
 type = "esql"
 query = '''
-FROM logs-endpoint.events.network-*
+FROM logs-endpoint.events.network-*
 | WHERE host.os.type == "macos"
-  AND event.type == "start"
+  AND event.type == "start"
   AND (process.name == "osascript"
-    OR process.name == "node"
-    OR process.name LIKE "python*")
+    OR process.name == "node"
+    OR process.name LIKE "python*")
   AND (destination.domain LIKE "s3.*.amazonaws.com"
-    OR destination.domain LIKE "*.s3*.amazonaws.com"
-    OR destination.domain LIKE "*.cloudfront.net")
-  AND (process.code_signature.exists == "false" OR process.code_signature.trusted == "false")
-  AND NOT (process.executable LIKE "/opt/homebrew/*" OR process.executable LIKE "/Applications/Xcode*.app/*")
-| STATS Esql.connection_count = COUNT(*),
-    Esql.process_executable_values = VALUES(process.executable),
-    Esql.code_signature_exists_values = VALUES(process.code_signature.exists),
-    Esql.code_signature_trusted_values = VALUES(process.code_signature.trusted)
-  BY user.name, host.name, destination.domain, process.entity_id
-| WHERE Esql.connection_count >= 20
-| KEEP Esql.*, user.name, host.name, destination.domain, process.entity_id
+    OR destination.domain LIKE "*.s3*.amazonaws.com"
+    OR destination.domain LIKE "*.cloudfront.net")
+| STATS Esql.connection_count = COUNT(*)
+  BY process.entity_id, process.executable, user.name, host.name, destination.domain
+| WHERE Esql.connection_count >= 20
+| KEEP Esql.*, process.entity_id, process.executable, user.name, host.name, destination.domain
 '''
 
 [[rule.threat]]
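Review bot: The S3 hostname patterns kept on the new side, `s3.*.amazonaws.com` and `*.s3*.amazonaws.com`, match neither the legacy global endpoint `s3.amazonaws.com` nor the dash-style regional and FIPS endpoints such as `s3-eu-west-1.amazonaws.com` and `s3-fips.us-east-1.amazonaws.com`, so a script using path-style URLs or an older SDK never reaches the STATS. Adding `OR destination.domain == "s3.amazonaws.com"` and `OR destination.domain LIKE "s3-*.amazonaws.com"` to the domain clause closes that gap. Six replaced lines (`FROM …`, `AND event.type == "start"`, the two `process.name` lines and the two `OR destination.domain` lines) reappear with identical text, which looks like whitespace-only churn; reverting them would leave the hunk showing only the STATS/BY/WHERE/KEEP change that the review asked for. With the code-signature and path conditions gone, any osascript/node/python process with 20 or more connections to a single S3 or CloudFront host now alerts, and since `*.cloudfront.net` fronts far more than S3 the rule's false-positive guidance should say so; the rule interval that bounds that count is outside the hunk.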