Files
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.1 KiB

AWS Credential Exposure Detection API Reference

TruffleHog CLI

# Scan local git repo
trufflehog git file:///path/to/repo --json

# Scan GitHub organization
trufflehog github --org my-org --token $GITHUB_TOKEN --json

# Scan GitHub repo
trufflehog git https://github.com/org/repo.git --json

# Scan filesystem (non-git)
trufflehog filesystem /path/to/dir --json

# Scan S3 bucket
trufflehog s3 --bucket my-bucket --json

# Only show verified credentials
trufflehog git file:///repo --only-verified --json

git-secrets CLI

# Install hooks in repo
git secrets --install
git secrets --register-aws

# Scan repo history
git secrets --scan-history

# Scan specific file
git secrets --scan /path/to/file

# Add custom pattern
git secrets --add 'PRIVATE KEY'
git secrets --add-provider -- cat /path/to/patterns.txt

AWS IAM CLI - Key Management

# Check key last used
aws iam get-access-key-last-used --access-key-id AKIAXXXXXXXXXXXXXXXX

# List access keys for user
aws iam list-access-keys --user-name jsmith

# Deactivate exposed key
aws iam update-access-key --access-key-id AKIAXXXXXXXXXXXXXXXX \
  --user-name jsmith --status Inactive

# Delete key
aws iam delete-access-key --access-key-id AKIAXXXXXXXXXXXXXXXX \
  --user-name jsmith

# Create new key (after rotation)
aws iam create-access-key --user-name jsmith

AWS Access Key Regex Patterns

Access Key ID:  AKIA[A-Z0-9]{16}
Temp Key ID:    ASIA[A-Z0-9]{16}
Secret Key:     [A-Za-z0-9/+=]{40}

GuardDuty Credential Findings

Finding Type Description
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS Instance creds used outside AWS
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B Console login from unusual IP
Recon:IAMUser/MaliciousIPCaller.Custom API calls from threat intel IPs

AWS CloudTrail - Credential Abuse Queries (Athena)

SELECT eventtime, useridentity.accesskeyid, sourceipaddress, eventname
FROM cloudtrail_logs
WHERE useridentity.accesskeyid = 'AKIAXXXXXXXXXXXXXXXX'
ORDER BY eventtime DESC
LIMIT 100;