Update rules/linux/credential_access_aws_creds_search_inside_container.toml

Aegrah · web-flow · commit b841d1fd4bb9 · 2025-12-18T13:55:44.000+01:00
diff --git a/rules/linux/credential_access_aws_creds_search_inside_container.toml b/rules/linux/credential_access_aws_creds_search_inside_container.toml
@@ -59,7 +59,7 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.entry_leader.entry_meta.type == "container" and
-process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate", "cat", "sed") and
+process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate", "cat", "sed", "awk") and
 process.command_line like~ (
   "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*",
   "*access_key*", "*.aws/credentials*"
