From c4dd795cdf979bfe56e306c0d20624acb3717760 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Sat, 23 May 2026 09:57:15 +0100 Subject: [PATCH 1/7] [New] Cloud Instance Metadata Credential Path HTTP Request Detects HTTP GET requests to the link-local instance metadata service (169.254.169.254) for cloud credential or token paths on AWS, GCP, or Azure. Adversaries and vulnerable workloads use scripts, shells, or application runtimes to read IAM role credentials or OAuth tokens from the metadata API. Requires the Network Packet Capture integration with HTTP decoding on ports 80 and 443 and process enrichment enabled so `process.*` fields are present. --- ...ss_cloud_imds_credential_http_request.toml | 113 ++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 rules/network/credential_access_cloud_imds_credential_http_request.toml diff --git a/rules/network/credential_access_cloud_imds_credential_http_request.toml b/rules/network/credential_access_cloud_imds_credential_http_request.toml new file mode 100644 index 00000000000..76bbbdd1129 --- /dev/null +++ b/rules/network/credential_access_cloud_imds_credential_http_request.toml 
@@ -0,0 +1,113 @@
+[metadata]
+creation_date = "2026/05/23"
+integration = ["network_traffic"]
+maturity = "production"
+updated_date = "2026/05/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects HTTP GET requests to the link-local instance metadata service (169.254.169.254) for cloud credential or token
+paths on AWS, GCP, or Azure. Adversaries and vulnerable workloads use scripts, shells, or application runtimes to read
+IAM role credentials or OAuth tokens from the metadata API. Requires the Network Packet Capture integration with HTTP
+decoding on ports 80 and 443 and process enrichment enabled so `process.*` and `user_agent.original` fields are present.
+"""
+false_positives = [
+ """
+ Cloud agents (SSM, waagent, cloud-init, instance connect) and authorized scanners may reach the same paths during
+ provisioning or health checks. Exclude known agent user agents, source hosts, or parent processes after baselining.
+ """,
+]
+from = "now-9m"
+index = ["logs-network_traffic.http*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Cloud Instance Metadata Credential Path HTTP Request"
+note = """## Triage and analysis
+
+### Investigating Cloud Instance Metadata Credential Path HTTP Request
+
+This rule matches outbound HTTP GETs to `169.254.169.254` where the URL path requests IAM credentials or cloud OAuth
+tokens, filtered to common scripting runtimes, suspicious executable paths, or tool-like user agents.
+
+### Investigation steps
+
+- Confirm `url.path` (AWS `security-credentials`, GCP `oauth2/access_token`, Azure `metadata/identity/oauth2/token`).
+- Review `process.name`, `process.executable`, and `user_agent.original` — scripted tools and temp-path binaries are higher risk.
+- Check `host.name` or `host.hostname` and whether the workload should run on a cloud VM with an instance profile or managed identity.
+- Correlate with cloud audit or sign-in logs for role assumption or token use shortly after the request.
+- If credentials may have been exposed, rotate the instance role or managed identity and review API activity from that principal.
+
+### False positives
+
+- Platform agents and bootstrap scripts on new instances; allowlist by user agent or host group where validated.
+
+### Response
+
+- Restrict IMDS access (IMDSv2 hop limit, network policy) and remove unnecessary instance permissions.
+- Investigate the host for follow-on credential use or lateral movement.
+
+## Setup
+
+Deploy the [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic) integration via Fleet on cloud workloads.
+
+- Enable **Capture HTTP Traffic** and include ports **80** and **443**.
+- Enable **Monitor Processes** so network events include the process that initiated the connection.
+- Prefer ECS field remapping (`map_to_ecs`) on integration data streams.
+"""
+references = [
+ "https://www.elastic.co/docs/reference/integrations/network_traffic",
+ "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
+ "https://attack.mitre.org/techniques/T1552/005/",
+]
+risk_score = 47
+rule_id = "73dd1f2c-3c24-4e13-a64b-dfd510e9fd98"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Domain: Network",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Network Packet Capture",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+network where event.module == "network_traffic" and destination.ip == "169.254.169.254" and destination.port == 80 and
+http.request.method == "GET" and url.path : (
+ "/latest/meta-data/iam/security-credentials/*",
+ "*computeMetadata/v1/instance/service-accounts/?*/oauth2/access_token*",
+ "*metadata/identity/oauth2/token*"
+) and (
+ ?process.name : (
+ "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "sh", "powershell*", "cmd.exe", "java*",
+ "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", "spring*", "dotnet", "gunicorn", "uwsgi"
+ ) or ?process.executable : (
+ "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/boot/*"
+ ) or user_agent.original : (
+ "curl*", "wget*", "python*", "ruby*", "Go-http-client*", "node*", "axios*", "undici*", "java*", "php*", "Bun*",
+ "Apache-HttpClient*", "okhttp*", "RestTemplate*"
+ )
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
From d6a0d323492ae8441c757ffdd187792b04ce2403 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Sat, 23 May 2026 10:01:01 +0100
Subject: [PATCH 2/7] Update credential_access_cloud_imds_credential_http_request.toml
---
 .../credential_access_cloud_imds_credential_http_request.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/network/credential_access_cloud_imds_credential_http_request.toml b/rules/network/credential_access_cloud_imds_credential_http_request.toml
index 76bbbdd1129..1c64e259c17 100644
--- a/rules/network/credential_access_cloud_imds_credential_http_request.toml
+++ b/rules/network/credential_access_cloud_imds_credential_http_request.toml
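Review bot: The GCP entry in the `url.path` list, `"*computeMetadata/v1/instance/service-accounts/?*/oauth2/access_token*"`, does not look like a path the GCE metadata server serves, so GCP token reads would currently pass the rule; the access-token endpoint I know of is `/computeMetadata/v1/instance/service-accounts/<account>/token`, which this glob never matches. Please verify against the GCP metadata server documentation and, if confirmed, replace the pattern with something like `"*computeMetadata/v1/instance/service-accounts/*/token*"` (narrowed as the docs allow) and correct the investigation-guide bullet that also names `oauth2/access_token`. The `?*` prefix in the current pattern only requires one character before the slash and reads like a regex leftover; a plain `*` is the idiomatic EQL glob there.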
@@ -10,7 +10,7 @@ description = """ Detects HTTP GET requests to the link-local instance metadata service (169.254.169.254) for cloud credential or token paths on AWS, GCP, or Azure. Adversaries and vulnerable workloads use scripts, shells, or application runtimes to read IAM role credentials or OAuth tokens from the metadata API. Requires the Network Packet Capture integration with HTTP -decoding on ports 80 and 443 and process enrichment enabled so `process.*` and `user_agent.original` fields are present. +decoding on ports 80 and 443 and process enrichment enabled so "process.*" fields are present. """ false_positives = [ """ From 748e30e83f3045826a3d1d82c8f6ae0b61893ba7 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Sat, 23 May 2026 10:09:21 +0100 Subject: [PATCH 3/7] Update credential_access_cloud_imds_credential_http_request.toml --- ...credential_access_cloud_imds_credential_http_request.toml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/network/credential_access_cloud_imds_credential_http_request.toml b/rules/network/credential_access_cloud_imds_credential_http_request.toml index 1c64e259c17..04f2716efc5 100644 --- a/rules/network/credential_access_cloud_imds_credential_http_request.toml +++ b/rules/network/credential_access_cloud_imds_credential_http_request.toml 
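Review bot: The rewritten description line still says the integration needs HTTP decoding "on ports 80 and 443", but the query pins `destination.port == 80` and every IMDS endpoint it matches is plain HTTP, so capturing 443 adds cost without adding matches. Either drop "and 443" here (and in the `## Setup` bullet, which repeats it) or state why 443 capture is required. The change from backticks to `"process.*"` also diverges from the rest of the rule text, which quotes field names in backticks; keeping backticks is valid inside a TOML `"""` string and reads consistently, e.g. `enabled so `process.*` fields are present.`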
@@ -82,8 +82,9 @@ http.request.method == "GET" and url.path : ( "*metadata/identity/oauth2/token*" ) and ( ?process.name : ( - "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "sh", "powershell*", "cmd.exe", "java*", - "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", "spring*", "dotnet", "gunicorn", "uwsgi" + "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "sh", "bash", "dash", "dash", "busybox", + "powershell.exe", "cmd.exe", "java*", "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", + "spring*", "dotnet", "gunicorn", "uwsgi" ) or ?process.executable : ( "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/boot/*" ) or user_agent.original : ( From 75fbf00fcc5c3927f8d31a30536eead2fe81acb3 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Sat, 23 May 2026 10:12:37 +0100 Subject: [PATCH 4/7] Update credential_access_cloud_imds_credential_http_request.toml --- ...redential_access_cloud_imds_credential_http_request.toml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/network/credential_access_cloud_imds_credential_http_request.toml b/rules/network/credential_access_cloud_imds_credential_http_request.toml index 04f2716efc5..9f81c76a6c5 100644 --- a/rules/network/credential_access_cloud_imds_credential_http_request.toml +++ b/rules/network/credential_access_cloud_imds_credential_http_request.toml 
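Review bot: The new `?process.name` line lists `"bash"` and `"dash"` twice each (`"bash", "sh", "bash", "dash", "dash"`); duplicates are harmless to EQL but read as a paste error and they survive unchanged into the later rewrites of this list at L7 and L9. Suggest `"bash", "sh", "dash", "busybox",` on this line. Separately, narrowing `"powershell*"` to `"powershell.exe"` still leaves PowerShell 7 (`pwsh` on Linux/macOS, `pwsh.exe` on Windows) unmatched, which is the variant most likely to be installed on a cloud workload; if that is not intentional, add `"pwsh*"` next to it.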
@@ -83,10 +83,10 @@ http.request.method == "GET" and url.path : ( ) and ( ?process.name : ( "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "sh", "bash", "dash", "dash", "busybox", - "powershell.exe", "cmd.exe", "java*", "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", - "spring*", "dotnet", "gunicorn", "uwsgi" + "powershell.exe", "cmd.exe", "curl.exe", "wget.exe", "java*", "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", + "spring*", "dotnet", "gunicorn", "uwsgi", ".*" ) or ?process.executable : ( - "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/boot/*" + "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/run/*", "/boot/*", "/.*" ) or user_agent.original : ( "curl*", "wget*", "python*", "ruby*", "Go-http-client*", "node*", "axios*", "undici*", "java*", "php*", "Bun*", "Apache-HttpClient*", "okhttp*", "RestTemplate*" From 931b6fc9a7849ff6de0c3a6cf7f79e537b77a19f Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Sat, 23 May 2026 10:22:14 +0100 Subject: [PATCH 5/7] Update credential_access_cloud_imds_credential_http_request.toml --- .../credential_access_cloud_imds_credential_http_request.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/network/credential_access_cloud_imds_credential_http_request.toml b/rules/network/credential_access_cloud_imds_credential_http_request.toml index 9f81c76a6c5..c6f59693d3d 100644 --- a/rules/network/credential_access_cloud_imds_credential_http_request.toml +++ b/rules/network/credential_access_cloud_imds_credential_http_request.toml @@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-network_traffic.http*"] +index = ["logs-network_traffic.http*", "packetbeat-*"] language = "eql" license = "Elastic License v2" name = "Cloud Instance Metadata Credential Path HTTP Request" 
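Review bot: The `".*"` appended to `?process.name` and the `"/.*"` appended to `?process.executable` look like regex fragments, but EQL's `:` operator treats `.` literally, so `".*"` only matches a process name that starts with a dot and `"/.*"` only matches a dot-prefixed entry directly under `/`. If the intent is hidden (dot-prefixed) binaries anywhere on disk, `"*/.*"` expresses that on `process.executable` and the `".*"` name entry becomes redundant; if they are leftovers from a draft, remove both. Whichever it is, a short comment above `query = '''` saying why dot-prefixed names are listed would save the next maintainer the same question. The first `?process.name` line now also exceeds the ~120-character wrap used everywhere else in the file.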
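Review bot: Adding `"packetbeat-*"` to `index` widens the rule to standalone Packetbeat, but the query still requires `event.module == "network_traffic"`, which I believe is set by the Fleet integration's data streams rather than by standalone Packetbeat; if that is right, the new index pattern never produces a match — please verify what `event.module` a standalone Packetbeat HTTP event carries before relying on it. Related: `process.name` and `process.executable` are written as optional fields (`?process.name`), but `user_agent.original` is not, so an index in the widened set that lacks that mapping makes the whole rule fail at query time instead of skipping the clause; `) or ?user_agent.original : (` keeps the three clauses consistent.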
@@ -86,7 +86,7 @@ http.request.method == "GET" and url.path : ( "powershell.exe", "cmd.exe", "curl.exe", "wget.exe", "java*", "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", "spring*", "dotnet", "gunicorn", "uwsgi", ".*" ) or ?process.executable : ( - "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/run/*", "/boot/*", "/.*" + "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/run/*", "/boot/*", "/.*", "C:\\Users\\*", "?:\\ProgramData\\*" ) or user_agent.original : ( "curl*", "wget*", "python*", "ruby*", "Go-http-client*", "node*", "axios*", "undici*", "java*", "php*", "Bun*", "Apache-HttpClient*", "okhttp*", "RestTemplate*" From a22574f2e9b05af2186e4cb7b1c73de6c193f3cd Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Sat, 23 May 2026 11:02:26 +0100 Subject: [PATCH 6/7] Update credential_access_cloud_imds_credential_http_request.toml --- ...al_access_cloud_imds_credential_http_request.toml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/rules/network/credential_access_cloud_imds_credential_http_request.toml b/rules/network/credential_access_cloud_imds_credential_http_request.toml index c6f59693d3d..fcf044614b5 100644 --- a/rules/network/credential_access_cloud_imds_credential_http_request.toml +++ b/rules/network/credential_access_cloud_imds_credential_http_request.toml @@ -66,6 +66,9 @@ severity = "medium" tags = [ "Domain: Cloud", "Domain: Network", + "OS: Linux", + "OS: Windows", + "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Network Packet Capture", 
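Review bot: The two Windows patterns added to `?process.executable` handle the drive letter differently — `"C:\\Users\\*"` is pinned to `C:` while `"?:\\ProgramData\\*"` accepts any drive — so a profile on a non-system volume is matched for ProgramData but not for Users. Use `"?:\\Users\\*"` for both, and wrap the line, which is now well past the width used elsewhere in the query. As written, `?:\\Users\\*` will also match every normal user-installed application; that is acceptable given the IMDS credential-path precondition, but it is worth a line in `false_positives` so triage expects it.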
@@ -82,14 +85,15 @@ http.request.method == "GET" and url.path : ( "*metadata/identity/oauth2/token*" ) and ( ?process.name : ( - "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "sh", "bash", "dash", "dash", "busybox", - "powershell.exe", "cmd.exe", "curl.exe", "wget.exe", "java*", "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", - "spring*", "dotnet", "gunicorn", "uwsgi", ".*" + "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "sh", "bash", "dash", "dash", "zsh", "busybox", + "bun.exe", "node.exe", "powershell.exe", "cmd.exe", "curl.exe", "wget.exe", "rundll32.exe", "w3wp.exe", "java*", + "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", "spring*", "dotnet", "gunicorn", "uwsgi", + ".*", "osascript" ) or ?process.executable : ( "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/run/*", "/boot/*", "/.*", "C:\\Users\\*", "?:\\ProgramData\\*" ) or user_agent.original : ( "curl*", "wget*", "python*", "ruby*", "Go-http-client*", "node*", "axios*", "undici*", "java*", "php*", "Bun*", - "Apache-HttpClient*", "okhttp*", "RestTemplate*" + "Apache-HttpClient*", "okhttp*", "RestTemplate*", "*WindowsPowerShell*" ) ) ''' From 25e36ac5c2398e5490a54878ddfb35a726535533 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Sat, 23 May 2026 11:06:03 +0100 Subject: [PATCH 7/7] Update credential_access_cloud_imds_credential_http_request.toml --- .../credential_access_cloud_imds_credential_http_request.toml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/network/credential_access_cloud_imds_credential_http_request.toml b/rules/network/credential_access_cloud_imds_credential_http_request.toml index fcf044614b5..116cfd1d184 100644 --- a/rules/network/credential_access_cloud_imds_credential_http_request.toml +++ b/rules/network/credential_access_cloud_imds_credential_http_request.toml 
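Review bot: The `?process.name` list is now a mixed bag of Linux shells, Windows executables, server runtimes and the dot glob, with `"osascript"` appended after `".*"` on the last line rather than beside the other interpreters, and the duplicate `"bash"`/`"dash"` entries from the earlier rewrite are still present. Since this list has been rewritten in four of the seven commits, it would be easier to review and extend if each line held one group (shells, scripting runtimes, Windows binaries, server runtimes), e.g. the last line becoming `"spring*", "dotnet", "gunicorn", "uwsgi", "osascript"` with the dot-prefixed entry explained or removed. `"rundll32.exe"` is a reasonable addition for a process-attributed HTTP request, but it deserves a one-line note in the investigation guide since it points to a proxied execution rather than a script.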
@@ -57,8 +57,7 @@ Deploy the [Network Packet Capture](https://www.elastic.co/docs/reference/integr """ references = [ "https://www.elastic.co/docs/reference/integrations/network_traffic", - "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/", - "https://attack.mitre.org/techniques/T1552/005/", + "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/" ] risk_score = 47 rule_id = "73dd1f2c-3c24-4e13-a64b-dfd510e9fd98"