Skip to content
Threat Feed
high advisory

Potential Credential Discovery via Recursive Grep

Adversaries may use recursive grep commands on Linux or macOS to discover credentials, secrets, keys, or tokens within files, indicating potential credential access and data exfiltration attempts.

This detection identifies potential credential access attempts via recursive grep commands on Linux and macOS systems. Attackers and insider threats might employ grep -r (or --recursive, -R) to search directories for sensitive information such as passwords, API keys, private keys, cloud tokens, or repository and environment files. The rule aggregates events per host, user, and parent process within a one-minute window, triggering only when at least three distinct grep command lines match, thereby reducing false positives from occasional searches. This activity is a strong indicator of potential reconnaissance before credential theft or broader system compromise. The rule targets Linux and macOS systems and relies on process execution data.

Attack Chain

  1. An attacker gains initial access to a Linux or macOS system, possibly via SSH or other remote access methods.
  2. The attacker executes grep or egrep with recursive options (-r, --recursive, or -R) to search within directories.
  3. The grep command includes patterns related to sensitive information, such as "password," "secret," "token," "api_key," ".env," ".git," or ".aws."
  4. The system processes multiple distinct grep commands within a short timeframe (one minute), all originating from the same host, user, and parent process.
  5. The attacker identifies files containing sensitive information based on the grep output.
  6. The attacker exfiltrates the discovered credentials or secrets for lateral movement or external use.
  7. The attacker may use the compromised credentials to access sensitive data or systems.
  8. The attacker achieves their objective, such as data theft or unauthorized access to critical resources.

Impact

Successful exploitation can lead to unauthorized access to sensitive data, including passwords, API keys, and other confidential information. This can result in data breaches, financial loss, and reputational damage. The scope of impact depends on the permissions associated with the compromised credentials and the sensitivity of the data exposed. Observed activity can indicate targeted attacks with a high probability of resulting in data exfiltration or system compromise.

Recommendation

  • Enable process monitoring with command-line argument logging on Linux and macOS systems to capture the necessary data for the rules below (logsource: process_creation).
  • Deploy the provided Sigma rules to detect suspicious recursive grep commands indicative of credential discovery (rules).
  • Investigate any alerts generated by the Sigma rules, focusing on the specific command-line arguments and parent processes involved. Review the "Possible investigation steps" in the original rule documentation (references).
  • Implement stricter file access controls to limit the exposure of sensitive files (references).

Detection coverage 2

Detect Recursive Grep for Credentials

high

Detects recursive grep commands used to search for credentials and sensitive information on Linux and macOS systems.

sigma tactics: credential_access, discovery techniques: T1083, T1552.001 sources: process_creation, linux

Detect Egrep Recursive for Credentials

high

Detects recursive egrep commands used to search for credentials and sensitive information on Linux and macOS systems.

sigma tactics: credential_access, discovery techniques: T1083, T1552.001 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →