From bc407b211a1a90ac3a6e0f7a2374cc564a8598af Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Fri, 22 May 2026 11:24:16 +0200
Subject: [PATCH 1/4] [New/Tuning] Suspicious Instance Metadata Service (IMDS) API Activity
---
 ...ous_instance_metadata_service_api_cli.toml | 114 +++++++++
 ...instance_metadata_service_api_request.toml | 122 ++++++++++
 ...instance_metadata_service_api_request.toml | 222 ------------------
 3 files changed, 236 insertions(+), 222 deletions(-)
 create mode 100644 rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_cli.toml
 create mode 100644 rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml
 delete mode 100644 rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
diff --git a/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_cli.toml b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_cli.toml
new file mode 100644
index 00000000000..ceff8f4c6a1
--- /dev/null
+++ b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_cli.toml
@@ -0,0 +1,114 @@
+[metadata]
+creation_date = "2024/08/22"
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
+maturity = "production"
+updated_date = "2026/05/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies various tools/scripts performing command line execution attempting to access the cloud service
+provider's instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific
+information such as instance ID, public IP address, and even temporary security credentials if roles are assumed by
+that instance.
+"""
+from = "now-9m"
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Instance Metadata Service (IMDS) API Command Line Execution"
+references = [
+ "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
+ "https://www.wiz.io/blog/imds-anomaly-hunting-zero-day",
+]
+risk_score = 47
+rule_id = "ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "Domain: Cloud",
+ "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender XDR",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Data Source: Auditd Manager",
+]
+type = "eql"
+query = '''
+process where host.os.type in ("linux", "macos", "windows") and event.type == "start" and
+event.action like ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started", "Process Create*") and
+(
+ process.name in~ (
+ "curl", "curl.exe", "wget", "wget.exe", "bash", "dash", "sh", "tcsh", "tclsh", "wish",
+ "csh", "zsh", "ksh", "fish", "mksh", "busybox"
+ ) or
+ process.name like~ (".*", "python*", "perl*", "ruby*", "php*", "lua*", "java*") or
+ process.executable like~ ("/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/dev/shm/*", "/var/www/*", "./*")
+) and
+process.args like~ (
+ "*/latest/meta-data/iam/security-credentials/?*",
+ "*computeMetadata/v1/instance/service-accounts/*/oauth2/access_token*",
+ "*/metadata/identity/oauth2/token*resource=*"
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml
new file mode 100644
index 00000000000..f350b5339b4
--- /dev/null
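Review bot: The `process.args` list in the new query is narrower than the command-line patterns of the Linux rule this commit deletes: `*169.254.169.254/latest/api/token*` (the IMDSv2 token request), the Oracle `*169.254.169.254/opc/v*/instance*` and `/vnics*` paths, and the GCP `*computeMetadata/v1/instance/service-accounts/*/token*` form are gone, and the new `.../oauth2/access_token*` pattern would not match the shorter `/token` path; confirm this is intended tuning rather than a coverage regression. The second `[[rule.threat]]` block declares tactic TA0007 Discovery but `tags` has no `"Tactic: Discovery"` entry, which the sibling request rule in this commit does carry; add `"Tactic: Discovery",` after `"Tactic: Credential Access",` so tags and declared tactics agree. None of the deleted rule's exclusions for known benign agents (amazon-ssm-agent, cloud-init, waagent, google_osconfig_agent, nessus, rapid7) are retained here, so noise from those sources is presumably expected to be handled by exceptions once the rule runs; worth stating in the description or note.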
+++ b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml 
@@ -0,0 +1,122 @@
+[metadata]
+creation_date = "2026/05/22"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2026/05/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies various tools/scripts performing network activities attempting to access the cloud service provider's
+instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such
+as instance ID, public IP address, and even temporary security credentials if roles are assumed by that instance.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Suspicious Instance Metadata Service (IMDS) API Request"
+references = [
+ "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
+ "https://www.wiz.io/blog/imds-anomaly-hunting-zero-day",
+]
+risk_score = 47
+rule_id = "ad02da2f-443d-454c-a12e-d9e6c65831ff"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "Domain: Cloud",
+ "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+]
+type = "new_terms"
+query = '''
+event.category:"network" and host.os.type:("windows" or "macos" or "linux") and
+event.action:"connection_attempted" and destination.ip:"169.254.169.254" and destination.port:"80" and (
+ process.name:(
+ "bash" or "dash" or "sh" or "tcsh" or "tclsh" or "wish" or "csh" or "zsh" or "ksh" or "fish" or
+ "mksh" or "busybox" or "ld.so" or "ld-linux-x86-64.so.2" or "bun" or "bun.exe" or "node" or "node.exe" or
+ "nodejs" or "deno" or "deno.exe" or "java" or "java.exe" or "env" or "timeout" or "setsid" or "flock" or
+ "curl" or "curl.exe" or "wget" or "wget.exe" or "powershell.exe" or "cmd.exe" or "pwsh.exe" or
+ "wscript.exe" or "cscript.exe" or "regsvr32.exe" or "mshta.exe" or "rundll32.exe" or "vbc.exe" or
+ "msbuild.exe" or "wmic.exe" or "cmstp.exe" or "RegAsm.exe" or "installutil.exe" or "RegSvcs.exe" or
+ "msxsl.exe" or "xwizard.exe" or "csc.exe" or "pwsh" or python* or perl* or ruby* or lua* or php* or
+ "terminal" or "osascript" or "nohup" or .* or "javaw" or "javaw.exe"
+ ) or
+ process.executable:(
+ ./* or /boot/* or /dev/shm/* or /run/* or /var/run/* or /tmp/* or /var/tmp/* or /var/www/* or
+ /home/*/* or /root/* or /private/var/tmp/* or /var/folders/* or /Users/Shared/* or /var/root/*
+ )
+) and
+not (
+ (
+ host.os.type:"macos" and
+ process.name:"node"
+ ) or
+ (
+ process.name:"Cursor Helper (Plugin)" and
+ process.code_signature.exists:"true" and
+ process.code_signature.signing_id:"com.github.Electron.helper"
+ ) or
+ (
+ process.name:"Code Helper (Plugin)" and
+ process.code_signature.exists:"true" and
+ process.code_signature.signing_id:("com.microsoft.VSCode.helper" or "com.github.Electron.helper")
+ ) or
+ process.executable:/vscode/vscode-server/bin/linux-x64/*/node
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
diff --git a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
deleted file mode 100644
index effcb209566..00000000000
--- a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
+++ /dev/null
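Review bot: The exclusion `host.os.type:"macos" and process.name:"node"` suppresses every process named `node` on macOS with no path or signature constraint, unlike the two Electron helper exclusions beside it that require `process.code_signature.signing_id`; a dropped binary renamed `node` in a temporary directory would be excluded, so scope this clause by `process.executable` or the same code-signature fields. `destination.port:"80"` quotes a numeric field; `destination.port:80` is the conventional form and does not depend on KQL string coercion. The query keys only on `169.254.169.254`, so metadata requests over the AWS IPv6 endpoint `fd00:ec2::254` would not alert if IPv6-only instances are in scope; if that is acceptable, a short comment in the description would save the next reader from rediscovering it.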
@@ -1,222 +0,0 @@
-[metadata]
-creation_date = "2024/08/22"
-integration = ["endpoint"]
-maturity = "production"
-updated_date = "2026/03/24"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata
-service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID,
-public IP address, and even temporary security credentials if role's are assumed by that instance. The rule monitors for
-various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.
-"""
-from = "now-9m"
-index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
-language = "eql"
-license = "Elastic License v2"
-name = "Unusual Instance Metadata Service (IMDS) API Request"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Instance Metadata Service (IMDS) API Request
-
-The Instance Metadata Service (IMDS) API provides essential instance-specific data, including configuration details and temporary credentials, to applications running on cloud instances. Adversaries exploit this by using scripts or tools to access sensitive data, potentially leading to unauthorized access. The detection rule identifies suspicious access attempts by monitoring specific processes and network activities, excluding known legitimate paths, to flag potential misuse.
-
-### Possible investigation steps
-
-- Review the process details such as process.name and process.command_line to identify the tool or script used to access the IMDS API and determine if it aligns with known malicious behavior.
-- Examine the process.executable and process.working_directory fields to verify if the execution path is unusual or suspicious, especially if it originates from directories like /tmp/* or /var/tmp/*.
-- Check the process.parent.entity_id and process.parent.executable to understand the parent process and its legitimacy, which might provide context on how the suspicious process was initiated.
-- Investigate the network event details, particularly the destination.ip field, to confirm if there was an attempted connection to the IMDS API endpoint at 169.254.169.254.
-- Correlate the host.id with other security events or logs to identify any additional suspicious activities or patterns on the same host that might indicate a broader compromise.
-- Assess the risk score and severity to prioritize the investigation and determine if immediate action is required to mitigate potential threats.
-
-### False positive analysis
-
-- Security and monitoring tools like Rapid7, Nessus, and Amazon SSM Agent may trigger false positives due to their legitimate access to the IMDS API. Users can exclude these by adding their working directories to the exception list.
-- Automated scripts or processes running from known directories such as /opt/rumble/bin or /usr/share/ec2-instance-connect may also cause false positives. Exclude these directories or specific executables from the rule to prevent unnecessary alerts.
-- System maintenance or configuration scripts that access the IMDS API for legitimate purposes might be flagged. Identify these scripts and add their paths or parent executables to the exclusion list to reduce noise.
-- Regular network monitoring tools that attempt connections to the IMDS IP address for health checks or status updates can be excluded by specifying their process names or executable paths in the exception criteria.
-
-### Response and remediation
-
-- Immediately isolate the affected instance from the network to prevent further unauthorized access or data exfiltration.
-- Terminate any suspicious processes identified in the alert that are attempting to access the IMDS API, especially those using tools like curl, wget, or python.
-- Revoke any temporary credentials that may have been exposed or accessed through the IMDS API to prevent unauthorized use.
-- Conduct a thorough review of the instance's security groups and IAM roles to ensure that only necessary permissions are granted and that there are no overly permissive policies.
-- Escalate the incident to the security operations team for further investigation and to determine if additional instances or resources are affected.
-- Implement network monitoring to detect and alert on any future attempts to access the IMDS API from unauthorized processes or locations.
-- Review and update the instance's security configurations and apply any necessary patches or updates to mitigate vulnerabilities that could be exploited in similar attacks."""
-references = [
- "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
- "https://www.wiz.io/blog/imds-anomaly-hunting-zero-day",
-]
-risk_score = 47
-rule_id = "ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "Domain: Cloud",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by host.id, process.parent.entity_id with maxspan=3s
-[
- process
- where host.os.type == "linux"
- and event.type == "start"
- and event.action == "exec"
- and process.parent.executable != null
-
- // common tooling / suspicious names (keep broad)
- and (
- process.name : (
- "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
- "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node",
- "bash", "sh"
- )
- or
- // suspicious execution locations (dropped binaries / temp execution)
- process.executable : (
- "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
- "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
- )
- or
- // threat-relevant IMDS / metadata endpoints (inclusion list)
- process.command_line : (
- "*169.254.169.254/latest/api/token*",
- "*169.254.169.254/latest/meta-data/iam/security-credentials*",
- "*169.254.169.254/latest/meta-data/local-ipv4*",
- "*169.254.169.254/latest/meta-data/local-hostname*",
- "*169.254.169.254/latest/meta-data/public-ipv4*",
- "*169.254.169.254/latest/user-data*",
- "*169.254.169.254/latest/dynamic/instance-identity/document*",
- "*169.254.169.254/latest/meta-data/instance-id*",
- "*169.254.169.254/latest/meta-data/public-keys*",
- "*computeMetadata/v1/instance/service-accounts/*/token*",
- "*/metadata/identity/oauth2/token*",
- "*169.254.169.254/opc/v*/instance*",
- "*169.254.169.254/opc/v*/vnics*"
- )
- )
-
- // global working-dir / executable / parent exclusions for known benign agents
- and not process.working_directory : (
- "/opt/rapid7*",
- "/opt/nessus*",
- "/snap/amazon-ssm-agent*",
- "/var/snap/amazon-ssm-agent/*",
- "/var/log/amazon/ssm/*",
- "/srv/snp/docker/overlay2*",
- "/opt/nessus_agent/var/nessus/*"
- )
-
- and not process.executable : (
- "/opt/rumble/bin/rumble-agent*",
- "/opt/aws/inspector/bin/inspectorssmplugin",
- "/snap/oracle-cloud-agent/*",
- "/lusr/libexec/oracle-cloud-agent/*"
- )
-
- and not process.parent.executable : (
- "/usr/bin/setup-policy-routes",
- "/usr/share/ec2-instance-connect/*",
- "/var/lib/amazon/ssm/*",
- "/etc/update-motd.d/30-banner",
- "/usr/sbin/dhclient-script",
- "/usr/local/bin/uwsgi",
- "/usr/lib/skylight/al-extras",
- "/usr/bin/cloud-init",
- "/usr/sbin/waagent",
- "/usr/bin/google_osconfig_agent",
- "/usr/bin/docker",
- "/usr/bin/containerd-shim",
- "/usr/bin/runc"
- )
-
- and not process.entry_leader.executable : (
- "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent",
- "/opt/Elastic/Agent/data/elastic-agent-*/elastic-agent",
- "/opt/nessus_agent/sbin/nessus-service"
- )
-
- // carve-out: safe /usr/bin/curl usage (suppress noisy, legitimate agent patterns)
- and not (
- process.executable == "/usr/bin/curl"
- and (
- // AWS IMDSv2 token PUT that includes ttl header
- (process.command_line : "*-X PUT*169.254.169.254/latest/api/token*" and process.command_line : "*X-aws-ec2-metadata-token-ttl-seconds*")
- or
- // Any IMDSv2 GET that includes token header for any /latest/* path
- process.command_line : "*-H X-aws-ec2-metadata-token:*169.254.169.254/latest/*"
- or
- // Common amazon tooling UA
- process.command_line : "*-A amazon-ec2-net-utils/*"
- or
- // Azure metadata legitimate header
- process.command_line : "*-H Metadata:true*169.254.169.254/metadata/*"
- or
- // Oracle IMDS legitimate header
- process.command_line : "*-H Authorization:*Oracle*169.254.169.254/opc/*"
- )
- )
-]
-[
- network where host.os.type == "linux"
- and event.action == "connection_attempted"
- and destination.ip == "169.254.169.254"
-]
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1552.005"
-name = "Cloud Instance Metadata API"
-reference = "https://attack.mitre.org/techniques/T1552/005/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1016"
-name = "System Network Configuration Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/"
-
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
-
-[[rule.threat.technique]]
-id = "T1580"
-name = "Cloud Infrastructure Discovery"
-reference = "https://attack.mitre.org/techniques/T1580/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
From 459646305a677db179aa7234a9cfa2eb3cdf9423 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Fri, 22 May 2026 11:33:40 +0200
Subject: [PATCH 2/4] signature trusted usage
---
 ...cess_suspicious_instance_metadata_service_api_request.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml
index f350b5339b4..8b4823861a0 100644
--- a/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml
+++ b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml
@@ -60,12 +60,12 @@ not (
 ) or
 (
 process.name:"Cursor Helper (Plugin)" and
- process.code_signature.exists:"true" and
+ process.code_signature.trusted:true and
 process.code_signature.signing_id:"com.github.Electron.helper"
 ) or
 (
 process.name:"Code Helper (Plugin)" and
- process.code_signature.exists:"true" and
+ process.code_signature.trusted:true and
 process.code_signature.signing_id:("com.microsoft.VSCode.helper" or "com.github.Electron.helper")
 ) or
 process.executable:/vscode/vscode-server/bin/linux-x64/*/node
From 722e8583c0ad42634609370c503be57cd50d6e35 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Fri, 22 May 2026 11:42:07 +0200
Subject: [PATCH 3/4] Add IGs + timestamp override
---
 ...ous_instance_metadata_service_api_cli.toml | 33 +++++++++++++++++++
 ...instance_metadata_service_api_request.toml | 33 +++++++++++++++++++
 2 files changed, 66 insertions(+)
diff --git a/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_cli.toml b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_cli.toml
index ceff8f4c6a1..43574ea353a 100644
--- a/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_cli.toml
+++ b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_cli.toml
@@ -29,6 +29,37 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Instance Metadata Service (IMDS) API Command Line Execution"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Instance Metadata Service (IMDS) API Command Line Execution
+
+This rule detects command-line tools, shells, or scripts attempting to query a cloud instance metadata endpoint from a host, which matters because that service can reveal instance details and temporary credentials attached to the workload. A common attacker pattern is gaining code execution on a cloud VM and using curl against the local metadata address to pull IAM role credentials or managed identity tokens, then reusing them to access cloud resources without passwords.
+
+### Possible investigation steps
+
+- Review the full execution chain and any referenced script or binary contents to determine whether the metadata request came from approved bootstrap or agent activity versus an interactive shell, web application process, scheduled job, or recently dropped file.
+- Identify the initiating account, session context, and trigger for the execution to separate expected automation from hands-on-keyboard behavior, especially if it followed a remote login, privilege escalation, or exploitation event.
+- Correlate the host and timeframe with cloud control-plane telemetry to confirm whether instance role credentials or managed identity tokens were later used against storage, secrets, IAM, subscription, or other sensitive APIs.
+- Examine nearby endpoint activity for follow-on collection and staging behavior such as writing token output to disk, exporting environment data, invoking cloud CLIs or SDKs, compressing files, or making outbound connections to unfamiliar destinations.
+- Validate with the asset owner whether the workload legitimately requires IMDS access, and if the activity is unexplained, contain the host and rotate any exposed instance profile or managed identity credentials.
+
+### False positive analysis
+
+- A VM bootstrap, login, or scheduled maintenance script may use curl, wget, or a shell to query IMDS for role credentials or identity tokens needed by the workload; verify the parent process, script path, and change timing with the asset owner to confirm it matches approved initialization or routine automation.
+- An administrator or developer may manually test instance identity or application authentication from the command line during troubleshooting or deployment; verify the initiating user, interactive session context, and related change records to confirm the host and command were part of authorized maintenance.
+
+### Response and remediation
+
+- Isolate the affected host or cloud instance from the network, preserve volatile evidence per your IR process, and immediately revoke or rotate any instance profile credentials, managed identity tokens, or application secrets that could have been exposed by access to the metadata service.
+- Remove the attacker foothold by deleting the script or binary that queried `169.254.169.254`, `metadata.google.internal`, or the Azure identity token path, and eradicate related persistence such as scheduled tasks, cron entries, systemd services, startup items, Run keys, or web shells that launched it.
+- Terminate any active shell, interpreter, or cloud CLI sessions tied to the intrusion and review cloud activity for the retrieved credentials being used against storage, secrets, IAM, subscriptions, or other sensitive services, disabling the affected role or identity if abuse is confirmed.
+- Restore the workload to a known-good state by rebuilding or reimaging from a trusted template, redeploying only validated application code and configuration, and do not return the original system to production unless its integrity has been fully verified.
+- Escalate to incident response immediately if the metadata query returned temporary credentials or OAuth tokens, if those credentials were used from another host or geography, or if multiple systems show similar command-line access to the metadata service.
+- Harden the environment by requiring IMDSv2 or equivalent protections, limiting which users, services, or containers can reach the metadata endpoint, reducing attached role permissions to least privilege, and adding detections for future `curl`, `wget`, shell, or script access to instance metadata paths.
+"""
 references = [
 "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
 "https://www.wiz.io/blog/imds-anomaly-hunting-zero-day",
@@ -52,7 +83,9 @@ tags = [
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Data Source: Auditd Manager",
+ "Resources: Investigation Guide",
 ]
+timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type in ("linux", "macos", "windows") and event.type == "start" and
diff --git a/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml
index 8b4823861a0..2355b67d2c9 100644
--- a/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml
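Review bot: The false positive section of the new `note` names only generic bootstrap and administrator activity, while the Linux rule this series deletes documented concrete benign sources (Rapid7, Nessus, Amazon SSM Agent, ec2-instance-connect, cloud-init and similar agents) and carried exclusions for them; since this rule ships with no exclusions, a bullet naming those expected agent sources and advising an exception on `process.parent.executable` or `process.executable` would give analysts a faster triage path. The remediation bullet on persistence lists Linux and Windows locations but no macOS ones, although the rule tags `OS: macOS`; adding launch agents/daemons there would match the sibling request rule's guide. The `[rule]` table these hunks extend begins and ends outside the hunk.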
+++ b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml 
@@ -16,6 +16,37 @@ index = ["logs-endpoint.events.network-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Suspicious Instance Metadata Service (IMDS) API Request"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Instance Metadata Service (IMDS) API Request
+
+This alert flags command interpreters, scripting engines, or unusual binaries on a host trying to contact the local instance metadata service, a high-value source of instance details and temporary cloud credentials. A common attacker pattern is gaining code execution on a Linux or Windows VM, then using curl, PowerShell, or a script dropped in a temporary directory to query 169.254.169.254 and harvest the attached role credentials for follow-on cloud access.
+
+### Possible investigation steps
+
+- Review the full execution chain and any referenced script or binary contents to determine whether the metadata request came from approved bootstrap or agent activity versus an interactive shell, web application process, scheduled job, or recently dropped file.
+- Identify the initiating account, session context, and trigger for the execution to separate expected automation from hands-on-keyboard behavior, especially if it followed a remote login, privilege escalation, or exploitation event.
+- Correlate the host and timeframe with cloud control-plane telemetry to confirm whether instance role credentials or managed identity tokens were later used against storage, secrets, IAM, subscription, or other sensitive APIs.
+- Examine nearby endpoint activity for follow-on collection and staging behavior such as writing token output to disk, exporting environment data, invoking cloud CLIs or SDKs, compressing files, or making outbound connections to unfamiliar destinations.
+- Validate with the asset owner whether the workload legitimately requires IMDS access, and if the activity is unexplained, contain the host and rotate any exposed instance profile or managed identity credentials.
+
+### False positive analysis
+
+- A legitimate bootstrap, login, or scheduled administration script may use curl, PowerShell, or Python to query 169.254.169.254 for instance ID, public IP, or temporary role credentials during normal configuration, so verify the command line, parent process, and execution timing match expected startup or maintenance activity from an approved path.
+- An approved in-house application or service may call IMDS through a shell or runtime such as java, node, or python to obtain instance-specific settings or cloud authentication at runtime, so confirm the binary or script is expected on that host and that the requests align with normal service startup behavior rather than a new interactive session or a temporary-directory executable.
+
+### Response and remediation
+
+- Isolate the affected instance or host from the network or move it to a containment security group, terminate active remote sessions, and preserve volatile evidence such as the running process tree, shell history, temporary scripts, and recent command output tied to the 169.254.169.254 request.
+- Revoke or rotate any cloud role credentials, API keys, tokens, and application secrets that may have been exposed through IMDS, and detach or replace the instance profile or managed identity if it granted access beyond the workload’s normal needs.
+- Remove the attacker’s foothold by deleting the script or binary that queried IMDS and eradicating associated persistence such as cron jobs, systemd services, rc.local changes, scheduled tasks, Run keys, WMI event subscriptions, launch agents, or modified shell startup files.
+- Restore the system from a known-good image or snapshot when integrity is in doubt, validate that no unauthorized users, SSH keys, services, or startup items remain, and reset credentials for any local, domain, or service accounts used on the host.
+- Escalate to incident response and cloud security immediately if IMDS returned temporary role credentials, if that role was used from unfamiliar IP addresses or regions, or if similar metadata queries are observed on multiple hosts, and expand scoping to all resources reachable by the compromised role.
+- Harden the environment by enforcing IMDSv2 or the cloud provider’s strongest metadata protections, disabling metadata access where unnecessary, blocking local access to 169.254.169.254 for unapproved processes, reducing instance-role privileges, and preventing script execution from temporary or user-writable directories.
+"""
 references = [
 "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
 "https://www.wiz.io/blog/imds-anomaly-hunting-zero-day",
@@ -33,7 +64,9 @@ tags = [
 "Tactic: Credential Access",
 "Tactic: Discovery",
 "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
 ]
+timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 event.category:"network" and host.os.type:("windows" or "macos" or "linux") and
From 82f178897392c9a730c3fbcf12ccb79d91d47b76 Mon Sep 17 00:00:00 2001
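Review bot: The investigation steps in the new `note` are written for a process-execution alert (script or binary contents, the trigger for the execution, the command line) but this rule fires on `event.category:"network"` documents with `new_terms` on `process.executable`, so the first bullet should tell the analyst to pivot from the network event to the matching process start event on the same host to recover the command line and parent, which may not be present on the network document itself. The "Investigating" paragraph also says the alert covers a Linux or Windows VM while the query and tags include macOS and the exclusions are macOS-specific; naming macOS there keeps the guide consistent with the query. The `[rule]` table these hunks extend begins and ends outside the hunk.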
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 22 May 2026 12:14:54 +0200
Subject: [PATCH 4/4] Update rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 ...access_suspicious_instance_metadata_service_api_request.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml
index 2355b67d2c9..e5b72c5f5ee 100644
--- a/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml
+++ b/rules/cross-platform/credential_access_suspicious_instance_metadata_service_api_request.toml
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 event.category:"network" and host.os.type:("windows" or "macos" or "linux") and
-event.action:"connection_attempted" and destination.ip:"169.254.169.254" and destination.port:"80" and (
+ (destination.ip:"169.254.169.254" or destination.address :"169.254.169.254") and destination.port:"80" and (
 process.name:(
 "bash" or "dash" or "sh" or "tcsh" or "tclsh" or "wish" or "csh" or "zsh" or "ksh" or "fish" or
 "mksh" or "busybox" or "ld.so" or "ld-linux-x86-64.so.2" or "bun" or "bun.exe" or "node" or "node.exe" or
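Review bot: The rewritten line drops `event.action:"connection_attempted"` entirely rather than only adding the `destination.address` alternative, so any network event action carrying that destination (for example a disconnect or accepted-connection record for the same flow, if the data source emits them with destination fields) now satisfies the query and can surface as a second new-terms hit for the same executable; if widening beyond attempted connections was not the goal, keep the action filter: `event.action:"connection_attempted" and (destination.ip:"169.254.169.254" or destination.address:"169.254.169.254") and destination.port:"80" and (`. The new line also begins with a stray leading space and has a space before the colon in `destination.address :`, neither of which matches the surrounding KQL. The `query` string continues outside the hunk.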