filtering may be required. in addition to aws credentials, add other important files and monitor. the inverse would be to look for _all_ -f behavior and tune from there.

Techniques

T1105

Sample rules

Linux Curl Upload File

source: splunk
technicques:
- T1105

Description

The following analytic detects the use of the curl command with specific switches (-F, –form, –upload-file, -T, -d, –data, –data-raw, -I, –head) to upload AWS credentials or configuration files to a remote destination. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to exfiltrate sensitive AWS credentials, a technique known to be used by the TeamTNT group. If confirmed malicious, this could lead to unauthorized access and potential compromise of AWS resources.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name=curl Processes.process IN ("*-F *", "*--form *","*--upload-file *","*-T *","*-d *","*--data *","*--data-raw *", "*-I *", "*--head *")
    AND
    Processes.process IN ("*.aws/credentials*". "*.aws/config*")
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `linux_curl_upload_file_filter`