AWS Credentials File Grab for 2022-12-24

Dec 24, 2022 WebExploit

Last Updated: 12:00 UTC

Direct requests for /.aws/credentials — the AWS CLI credential store. Long-term AWS access keys in this file grant full programmatic access to the associated AWS account. Widely targeted in automated cloud credential harvesting campaigns.

MITRE ATT&CK

Tactic: Credential Access (TA0006)
Technique: T1552.005 — Cloud Instance Metadata API

Observed URIs

/.aws/credentials

Attackers by Country

IP Address : ASN : City/Provider

141.255.167.186 : AS51852 private layer inc : Zurich
81.17.22.106 : AS51852 private layer inc : Zurich

Share on: