Skip to content

Hide Navigation Hide TOC

Credential Exfiltration via Shell Pipe - ATR-2026-00201 (88f78805-c5d0-5c7f-bbe9-d49730db4683)

Detects credential theft patterns where environment variables containing API keys, secrets, or tokens are piped to external commands (curl, nc, etc.) or echoed for capture. Also detects explicit references to provider-specific API key variable names (ANTHROPIC_, OPENAI_, AWS_*, etc.) which may indicate reconnaissance or targeting. Derived from real-world Claude Code skill scanning.

Cluster A Galaxy A Cluster B Galaxy B Level
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Credential Exfiltration via Shell Pipe - ATR-2026-00201 (88f78805-c5d0-5c7f-bbe9-d49730db4683) Agent Threat Rules 1
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Credential Exfiltration via Shell Pipe - ATR-2026-00201 (88f78805-c5d0-5c7f-bbe9-d49730db4683) Agent Threat Rules 1
Indirect (a4a55526-2f1f-403b-9691-609e46381e17) MITRE ATLAS Attack Pattern Credential Exfiltration via Shell Pipe - ATR-2026-00201 (88f78805-c5d0-5c7f-bbe9-d49730db4683) Agent Threat Rules 1
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 2
LLM Prompt Injection (19cd2d12-66ff-487c-a05c-e058b027efc9) MITRE ATLAS Attack Pattern Indirect (a4a55526-2f1f-403b-9691-609e46381e17) MITRE ATLAS Attack Pattern 2