Common Information
Type | Value |
---|---|
Value | `rule P0_Hunting_AWS_SedEnvVarExtraction_1` (full rule text below) |
Category | |
Type | Yara Rule |
Misp Type | |
Description | |

```yara
rule P0_Hunting_AWS_SedEnvVarExtraction_1
{
    meta:
        description = "Detecting presence of scripts using native sed (Stream Editor) utility extracting numerous environment variables containing sensitive AWS credential information"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "3e2cddf76334529a14076c3659a68d92"
        md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_04 = "28165d28693ca807fb3d4568624c5ba9"
        md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_06 = "f7df739f865448ac82da01b3b1a97041"
        md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_08 = "99f0102d673423c920af1abc22f66d4e"
        md5_09 = "99f0102d673423c920af1abc22f66d4e"
        md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"

    strings:
        // YARA text strings: "\\|" is the literal two characters \| that grep sees
        $grepPropAWS        = "| grep 'AccessKeyId\\|SecretAccessKey\\|Token\\|Expiration' |"
        $awsCliConfigureCmd = "aws configure set aws_"
        $sedPropAWS_01      = "sed 's# \"AccessKeyId\" : \"#\\n\\naws configure set aws_access_key_id #g'"
        $sedPropAWS_02      = "sed 's# \"SecretAccessKey\" : \"#aws configure set aws_secret_access_key #g'"
        $sedPropAWS_03      = "sed 's# \"Token\" : \"#aws configure set aws_session_token #g'"
        $sedPropAWS_04      = "sed 's# \"Expiration\" : \"#\\n\\nExpiration : #g'"

    condition:
        all of them
}
```
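The rule above fires only when every one of its six strings is present (`condition: all of them`), and its YARA escapes (`\\|`, `\"`, `\\n`) decode to literal bytes before matching. The following is an added example, not Permiso's code or part of this indicator entry: it decodes the rule's text strings exactly as YARA would, then applies the `all of them` condition with plain substring search so it runs without yara-python. The three shell scripts it scans are constructed samples; `$CRED_JSON` is a placeholder for whatever produces the credential JSON and is not taken from the referenced blog.

```python
"""Emulate P0_Hunting_AWS_SedEnvVarExtraction_1 over constructed samples.

Added example (not Permiso's code). YARA text strings are decoded to the
literal bytes they match, then `all of them` is evaluated by substring search.
"""

# The six text strings exactly as written in the rule's YARA source. These are
# raw Python strings, so `\\|` below is the two-character YARA escape for `\|`.
YARA_SOURCE_STRINGS = {
    "grepPropAWS": r"""| grep 'AccessKeyId\\|SecretAccessKey\\|Token\\|Expiration' |""",
    "awsCliConfigureCmd": r"""aws configure set aws_""",
    "sedPropAWS_01": r"""sed 's# \"AccessKeyId\" : \"#\\n\\naws configure set aws_access_key_id #g'""",
    "sedPropAWS_02": r"""sed 's# \"SecretAccessKey\" : \"#aws configure set aws_secret_access_key #g'""",
    "sedPropAWS_03": r"""sed 's# \"Token\" : \"#aws configure set aws_session_token #g'""",
    "sedPropAWS_04": r"""sed 's# \"Expiration\" : \"#\\n\\nExpiration : #g'""",
}


def decode_yara_text_string(src: str) -> bytes:
    """Resolve the escapes YARA allows in text strings: \\\\ \\" \\n \\t \\xNN."""
    out = bytearray()
    i = 0
    while i < len(src):
        ch = src[i]
        if ch != "\\":
            out += ch.encode("utf-8")
            i += 1
            continue
        esc = src[i + 1]  # a trailing lone backslash is malformed YARA and raises
        if esc == "\\":
            out += b"\\"
        elif esc == '"':
            out += b'"'
        elif esc == "n":
            out += b"\n"
        elif esc == "t":
            out += b"\t"
        elif esc == "x":
            out.append(int(src[i + 2:i + 4], 16))
            i += 2
        else:
            raise ValueError(f"unknown YARA escape \\{esc}")
        i += 2
    return bytes(out)


# Literal byte needles the rule actually searches for.
RULE_STRINGS = {name: decode_yara_text_string(src) for name, src in YARA_SOURCE_STRINGS.items()}


def matched_strings(data: bytes) -> set:
    """Names of the rule's strings found in `data` (case-sensitive: no `nocase` in the rule)."""
    return {name for name, needle in RULE_STRINGS.items() if needle in data}


def rule_matches(data: bytes) -> bool:
    """`condition: all of them`: every declared string must be present."""
    return matched_strings(data) == set(RULE_STRINGS)


def scan(samples: dict) -> dict:
    """Map sample name -> whether the rule would fire on it."""
    return {name: rule_matches(data) for name, data in samples.items()}


# Constructed sample: the grep/sed chain the rule describes, rewriting a credential
# JSON blob into `aws configure set` lines. The chain is kept on one line because
# $grepPropAWS requires " |" immediately after the closing quote of the grep pattern.
MALICIOUS_SAMPLE = (
    b"#!/bin/bash\n"
    b"# constructed: rewrite credential JSON into aws configure commands\n"
    b"cat \"$CRED_JSON\" | grep 'AccessKeyId\\|SecretAccessKey\\|Token\\|Expiration' "
    b"| sed 's# \"AccessKeyId\" : \"#\\n\\naws configure set aws_access_key_id #g' "
    b"| sed 's# \"SecretAccessKey\" : \"#aws configure set aws_secret_access_key #g' "
    b"| sed 's# \"Token\" : \"#aws configure set aws_session_token #g' "
    b"| sed 's# \"Expiration\" : \"#\\n\\nExpiration : #g' | tr -d '\",' > /tmp/creds.sh\n"
)

# Constructed sample: legitimate-looking admin script that hits two of the six strings.
BENIGN_SAMPLE = (
    b"#!/bin/bash\n"
    b"# constructed: configure the CLI from the environment, count credential keys in a file\n"
    b"aws configure set aws_access_key_id \"$AWS_ACCESS_KEY_ID\"\n"
    b"aws configure set aws_secret_access_key \"$AWS_SECRET_ACCESS_KEY\"\n"
    b"cat creds.json | grep 'AccessKeyId\\|SecretAccessKey\\|Token\\|Expiration' | wc -l\n"
)

# Constructed sample: same technique with the Token/Expiration rewrites dropped,
# which is enough to fall outside `all of them`.
PARTIAL_SAMPLE = (
    b"#!/bin/bash\n"
    b"cat \"$CRED_JSON\" | grep 'AccessKeyId\\|SecretAccessKey' "
    b"| sed 's# \"AccessKeyId\" : \"#\\n\\naws configure set aws_access_key_id #g' "
    b"| sed 's# \"SecretAccessKey\" : \"#aws configure set aws_secret_access_key #g'\n"
)

if __name__ == "__main__":
    for name, data in {"malicious": MALICIOUS_SAMPLE, "benign": BENIGN_SAMPLE,
                       "partial": PARTIAL_SAMPLE}.items():
        print(f"{name:9s} match={rule_matches(data)} strings={sorted(matched_strings(data))}")
```

The partial sample is the practitioner's caveat: because the condition is `all of them`, a script that omits any one of the four sed rewrites (or changes the grep alternation) no longer triggers the rule, so this signature is a high-confidence hunt for the specific toolkit, not a general detector for sed-based credential extraction.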