AWS Credentials File Grab for 2026-03-09
Mar 09, 2026
WebExploit
Last Updated: 12:12 UTC
Direct requests for /.aws/credentials — the AWS CLI credential store. Long-term AWS access keys in this file grant full programmatic access to the associated AWS account. Widely targeted in automated cloud credential harvesting campaigns.
MITRE ATT&CK
Tactic: Credential Access (TA0006)
Technique: T1552.005 — Cloud Instance Metadata API
Observed URIs
/.aws/credentials/root/.aws/credentials/~/.aws/credentials
Attackers by Country
IP Address : ASN : City/Provider
-
185.177.72.51 : ASNone : Congleton
-
185.177.72.60 : ASNone : Congleton