Kubernetes Pod Exec Cloud Instance Metadata Access

Detects Kubernetes pod exec sessions whose decoded command line references cloud instance metadata endpoints or equivalent hostnames and paths. Workloads that reach the link-local metadata IP, AWS IMDS paths, GCP computeMetadata, Azure IMDS token routes, or encoded variants are often attempting to harvest role credentials, tokens, or instance attributes from the underlying node or hypervisor boundary. That behavior is high risk in multi-tenant and regulated environments because it can expose short-lived cloud credentials to code running inside a container. The rule classifies a coarse cloud target label and whether the string looks like credential retrieval versus lighter reconnaissance.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/04/23"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/04/23"

[rule]
author = ["Elastic"]
description = """
Detects Kubernetes pod exec sessions whose decoded command line references cloud instance metadata endpoints or
equivalent hostnames and paths. Workloads that reach the link-local metadata IP, AWS IMDS paths, GCP computeMetadata,
Azure IMDS token routes, or encoded variants are often attempting to harvest role credentials, tokens, or instance
attributes from the underlying node or hypervisor boundary. That behavior is high risk in multi-tenant and regulated
environments because it can expose short-lived cloud credentials to code running inside a container. The rule
classifies a coarse cloud target label and whether the string looks like credential retrieval versus lighter
reconnaissance.
"""
from = "now-6m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Kubernetes Pod Exec Cloud Instance Metadata Access"
note = """## Triage and analysis

### Investigating Kubernetes Pod Exec Cloud Instance Metadata Access

This alert fires when an audited exec requestURI, after URL decoding and command reconstruction, matches patterns
associated with instance metadata services across AWS, GCP, and Azure. Use it to catch interactive or scripted access
from inside a pod to metadata surfaces that should usually be blocked by network policy or not needed by application
code.

### Possible investigation steps

- Confirm the Kubernetes identity that performed exec: user name, groups, impersonation, source IP, and user agent.
- Map the pod and namespace to a workload owner, image digest, and entrypoint; determine whether the container should
  ever call metadata endpoints.
- Inspect Esql.cloud_target and Esql.is_credential_theft in the alert document and expand the timeline for the same
  identity for secret reads, IAM changes, or data egress.
- Correlate with cloud audit logs on the node identity or instance profile for STS or token issuance around the event
  time.

### False positive analysis

- Break-glass debugging from platform engineers may include curl to 169.254.169.254; validate change tickets and
  bastion use.
- Misconfigured agents or bootstrap scripts in bespoke images can touch metadata during startup; baseline approved
  images and tune exclusions narrowly.

### Response and remediation

- If unauthorized, terminate the session, isolate the workload, revoke or rotate instance and workload credentials that
  could have been read, and tighten RBAC on pods exec plus network policies that deny link-local metadata from pods.
"""
references = [
    "https://attack.mitre.org/techniques/T1552/005/",
    "https://hardenedsecurity.io/blog/aws-imds-vulnerabilities-and-mitigations/",
]
risk_score = 73
rule_id = "a8e7d6c5-b4a3-2918-0f9e-8d7c6b5a4032"
severity = "high"
tags = [
    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
| WHERE kubernetes.audit.objectRef.subresource == "exec"
  AND kubernetes.audit.requestURI LIKE "*command=*"
| EVAL decoded_uri = URL_DECODE(kubernetes.audit.requestURI)
| GROK decoded_uri "%{DATA}/exec\\?%{DATA:raw_commands}&(?:container|stdin|stdout|stderr)=%{GREEDYDATA}"
| EVAL command = REPLACE(raw_commands, "command=", "")
| EVAL command = REPLACE(command, "&", " ")
| EVAL Esql.executed_command = REPLACE(command, "\\+", " ")
| WHERE Esql.executed_command IS NOT NULL
  AND Esql.executed_command RLIKE """.*(169\.254\.169\.254|2852039166|0xa9fea9fe|/latest/api/token|/latest/meta-data|/latest/user-data|/latest/dynamic/instance-identity|computeMetadata/v1|metadata\.google\.internal|metadata/identity/oauth2/token|metadata/instance).*"""
| EVAL Esql.cloud_target = CASE(
    Esql.executed_command RLIKE """.*(169\.254\.169\.254|2852039166|0xa9fea9fe|/latest/meta-data|/latest/api/token|/latest/user-data|/latest/dynamic).*""", "AWS_IMDS",
    Esql.executed_command RLIKE """.*(computeMetadata/v1|metadata\.google\.internal).*""", "GCP_METADATA",
    Esql.executed_command RLIKE """.*metadata/identity/oauth2/token.*""", "AZURE_IMDS",
    "UNKNOWN"
  )
| EVAL Esql.is_credential_theft = CASE(
    Esql.executed_command RLIKE """.*(security-credentials|/api/token|oauth2/token|service-accounts/.*/token).*""", "yes",
    "recon"
  )
| KEEP *
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.005"
name = "Cloud Instance Metadata API"
reference = "https://attack.mitre.org/techniques/T1552/005/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
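To see how the query's decode, GROK, reconstruct and classify chain behaves on concrete audit records, here is an added Python mirror of the rule's logic; it is example code written for this page, not part of the Elastic rule. The regexes are copied from the query, and the requestURI values are constructed samples in the shape of kubernetes.audit.requestURI.

```python
import re
from urllib.parse import unquote

# Regexes copied from the rule's RLIKE clauses; re.search is the equivalent of RLIKE ".*(...).*".
ANY_METADATA = re.compile(
    r"169\.254\.169\.254|2852039166|0xa9fea9fe|/latest/api/token|/latest/meta-data|"
    r"/latest/user-data|/latest/dynamic/instance-identity|computeMetadata/v1|"
    r"metadata\.google\.internal|metadata/identity/oauth2/token|metadata/instance")
CLOUD_TARGETS = [  # checked in the same order as the rule's CASE(...), first hit wins
    ("AWS_IMDS", re.compile(r"169\.254\.169\.254|2852039166|0xa9fea9fe|/latest/meta-data|"
                            r"/latest/api/token|/latest/user-data|/latest/dynamic")),
    ("GCP_METADATA", re.compile(r"computeMetadata/v1|metadata\.google\.internal")),
    ("AZURE_IMDS", re.compile(r"metadata/identity/oauth2/token")),
]
CREDENTIAL = re.compile(r"security-credentials|/api/token|oauth2/token|service-accounts/.*/token")
# Equivalent of the GROK pattern: the text between "/exec?" and the first &container=/&stdin=/&stdout=/&stderr=.
EXEC_QUERY = re.compile(r".*/exec\?(?P<raw>.*?)&(?:container|stdin|stdout|stderr)=.*")

def reconstruct_command(request_uri):
    """URL-decode an exec requestURI and rebuild the command line the way the rule's EVAL chain does."""
    match = EXEC_QUERY.match(unquote(request_uri))
    if match is None:
        return None
    # Same three REPLACE steps as the query: "command=" -> "", "&" -> " ", then "+" -> " ".
    return match.group("raw").replace("command=", "").replace("&", " ").replace("+", " ")

def classify_exec(request_uri):
    """Return the rule's enrichment fields for an exec the rule would alert on, else None."""
    command = reconstruct_command(request_uri)
    if command is None or not ANY_METADATA.search(command):
        return None
    target = next((label for label, rx in CLOUD_TARGETS if rx.search(command)), "UNKNOWN")
    return {
        "executed_command": command,
        "cloud_target": target,
        "is_credential_theft": "yes" if CREDENTIAL.search(command) else "recon",
    }

# Constructed sample values in the shape of kubernetes.audit.requestURI (not real audit data).
SAMPLE_REQUEST_URIS = {
    "aws_creds": "/api/v1/namespaces/prod/pods/web-0/exec?command=curl&command=-s&command=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F&container=app&stdin=true&stdout=true&tty=true",
    "gcp_token": "/api/v1/namespaces/prod/pods/api-1/exec?command=wget&command=-qO-&command=--header%3DMetadata-Flavor%3A+Google&command=http%3A%2F%2Fmetadata.google.internal%2FcomputeMetadata%2Fv1%2Finstance%2Fservice-accounts%2Fdefault%2Ftoken&container=api&stdout=true",
    "benign_ls": "/api/v1/namespaces/prod/pods/web-0/exec?command=ls&command=-la&command=%2Fapp&container=app&stdout=true",
}

if __name__ == "__main__":
    for name, uri in SAMPLE_REQUEST_URIS.items():
        print(name, classify_exec(uri))
```

Because the CASE branches are evaluated in order and Azure IMDS is also served from 169.254.169.254, an Azure token request that uses the raw IP is labelled AWS_IMDS by the rule and by this mirror alike; treat Esql.cloud_target as a coarse hint and read Esql.executed_command for the actual endpoint.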
