Rule Info
Name
Cloud Provider Credential Dumping via Environment Variable Grep
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects attempts to discover cloud provider credentials stored in environment variables by using 'grep' with cloud provider-specific patterns (AWS, Google Cloud, GCloud, Azure).
Attackers commonly enumerate environment variables after gaining initial access to identify or steal credentials for further exploitation, such as lateral movement or data exfiltration.
Date
2026-05-28
Modified
None
Id
a8f3d52b-4c1e-4d92-b81d-e6f2b09c3d47
Tags
attack.credential-access attack.t1552 attack.t1552.001
Type
Nextron Sigma feed only (private)
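The rule itself is private, so its selection logic is not on this page. As an added illustration (not the Nextron rule, and not code from its author), the Python below applies the behaviour the description outlines to constructed process-creation events: a command line that runs grep, names a cloud provider, and either dumps the environment in the same command (env, printenv, set, declare, export, or a read of /proc/<pid>/environ) or greps for a well-known credential variable prefix. The keyword lists, the credential-variable prefixes, the event field names and the sample command lines are all assumptions made for the example.

```python
import re

# Constructed sample process-creation events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/bin/sh", "CommandLine": "sh -c 'env | grep -i aws'"},
    # Pipeline stages are often logged as separate execs, so grep may appear alone.
    {"Image": "/usr/bin/grep", "CommandLine": "grep -E AWS_(ACCESS|SECRET)"},
    {"Image": "/bin/bash", "CommandLine": "bash -c 'printenv | grep AZURE_CLIENT_SECRET'"},
    {"Image": "/usr/bin/grep", "CommandLine": "grep -a GOOGLE_APPLICATION_CREDENTIALS /proc/1234/environ"},
    {"Image": "/bin/sh", "CommandLine": "sh -c 'set | grep -i gcloud'"},
    {"Image": "/bin/sh", "CommandLine": r"cat /proc/self/environ | tr '\0' '\n' | grep -i azure"},
    # Benign lines that should not fire.
    {"Image": "/usr/bin/grep", "CommandLine": "grep -rn TODO src/"},
    {"Image": "/bin/sh", "CommandLine": "sh -c 'env | grep PATH'"},
    {"Image": "/usr/bin/grep", "CommandLine": "grep -i aws README.md"},
]

# grep invoked by name or by path, followed by arguments or end of line.
GREP = re.compile(r"(?:^|[\s|/])grep(?=\s|$)")

# Cloud providers named in the rule description (assumed keyword list).
CLOUD_KEYWORD = re.compile(r"aws|azure|gcloud|google", re.IGNORECASE)

# Ways a shell exposes environment variables to a grep: a dumping builtin or
# utility as its own word in the same command line, or a direct read of
# /proc/<pid>/environ.
ENV_SOURCE = re.compile(
    r"""(?:^|[\s|;&('"])(?:env|printenv|set|declare|export)(?=$|[\s|;&)'"])"""
    r"""|/proc/(?:\d+|self)/environ"""
)

# Credential variable prefixes (assumption: an illustrative list, not the rule's).
# This branch catches the case where only the grep exec is visible in telemetry.
CRED_VAR = re.compile(r"AWS_|AZURE_|GOOGLE_APPLICATION_CREDENTIALS|CLOUDSDK_", re.IGNORECASE)


def is_cloud_env_grep(command_line):
    """True when the command line greps environment data for cloud credentials."""
    if not GREP.search(command_line) or not CLOUD_KEYWORD.search(command_line):
        return False
    # Require either an environment source in the same command line or a
    # credential-variable name; a bare "grep -i aws somefile" does not qualify.
    return bool(ENV_SOURCE.search(command_line) or CRED_VAR.search(command_line))


def scan(events):
    """Return the command lines of all events that match."""
    return [e["CommandLine"] for e in events if is_cloud_env_grep(e["CommandLine"])]


if __name__ == "__main__":
    for cmd in scan(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Two points worth keeping in mind when turning a description like this into a deployed rule: on execve-based telemetry (auditd, Sysmon for Linux) each stage of a pipeline is a separate process-creation event, so the grep often arrives without its `env` or `printenv` sibling, which is why the example also matches on credential variable names; and a grep that merely contains a provider name (the README.md case above) is deliberately not flagged, since developers grep source trees for "aws" all day.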
