LoFP / filtering may be required. in addition to aws credentials, add other important files and monitor. the inverse would be to look for _all_ -f behavior and tune from there.

Techniques

• T1105

Sample rules

Linux Curl Upload File

• source: splunk
• technicques:
  • T1105

Description

The following analytic identifies curl being utilized with the -F or –form, –upload-file, -T, -d, –data, –data-raw, -I and –head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the ‘content’ part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN ("*-F *", "*--form *","*--upload-file *","*-T *","*-d *","*--data *","*--data-raw *", "*-I *", "*--head *") AND Processes.process IN ("*.aws/credentials*". "*.aws/config*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_curl_upload_file_filter`