collection/cloud/aws

access AWS credentials

# capa rule: flags code that references well-known on-disk locations of
# AWS / S3 client credentials and configuration files.
# Triage note: legitimate AWS tooling (CLI, SDKs, S3 mount and backup
# utilities) references the same paths, so a match shows a capability and
# is not by itself evidence of credential theft.
rule:
  meta:
    name: access AWS credentials
    namespace: collection/cloud/aws
    authors:
      - maximemorin@google.com
    # Matched per function in static analysis and per API call in dynamic
    # (sandbox trace) analysis.
    scopes:
      static: function
      dynamic: call
    # T1552.001 covers credentials stored in files on disk.
    att&ck:
      - Credential Access::Unsecured Credentials::Credentials In Files [T1552.001]
    # Unit 42 write-up on TeamTNT operations in cloud environments.
    references:
      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
  features:
    # Any single path below is enough to match.
    # NOTE(review): a plain capa `string` feature is compared against the
    # whole extracted string, so a binary that embeds a longer path (for
    # example with a home-directory prefix) would not hit these entries;
    # `substring` is the feature for partial matches. Confirm which
    # behavior is intended.
    - or:
      - string: ".aws/config"  # AWS CLI/SDK shared config file
      - string: ".aws/credentials"  # AWS CLI/SDK shared credentials file
      - string: ".aws/credentials.gpg"  # presumably a GPG-encrypted copy of the above; confirm
      - string: ".boto"  # boto configuration file
      - string: ".s3backer_passwd"  # s3backer access file
      - string: ".passwd-s3fs"  # s3fs per-user password file
      - string: "/etc/passwd-s3fs"  # s3fs system-wide password file
      - string: ".s3cfg"  # s3cmd configuration file
      - string: "s3proxy.conf"  # S3Proxy configuration file
      - string: ".s3ql/authinfo2"  # S3QL authentication file

last edited: 2026-02-23 16:32:32