Unusual Instance Metadata Service (IMDS) API Request

This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as the instance ID, the public IP address, and even temporary security credentials if roles are assumed by that instance. The rule monitors for various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/08/22"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/10/17"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata
11service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID,
12public IP address, and even temporary security credentials if role's are assumed by that instance. The rule monitors for
13various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Unusual Instance Metadata Service (IMDS) API Request"
20references = ["https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/"]
21risk_score = 47
22rule_id = "ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
23severity = "medium"
24tags = [
25    "Domain: Endpoint",
26    "OS: Linux",
27    "Use Case: Threat Detection",
28    "Tactic: Credential Access",
29    "Tactic: Discovery",
30    "Data Source: Elastic Defend",
31]
32type = "eql"
33
34query = '''
35sequence by host.id,  process.parent.entity_id with maxspan=1s
36[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name : (
37    "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
38    "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node"
39    ) or process.executable : (
40      "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
41      "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
42    ) or
43    process.command_line: "*169.254.169.254*" and
44    not (process.working_directory: (
45          "/opt/rapid7*",
46          "/opt/nessus*",
47          "/snap/amazon-ssm-agent*",
48          "/var/snap/amazon-ssm-agent/*",
49          "/var/log/amazon/ssm/*",
50          "/srv/snp/docker/overlay2*",
51          "/opt/nessus_agent/var/nessus/*") or
52        process.executable: (
53          "/opt/rumble/bin/rumble-agent*",
54          "/opt/aws/inspector/bin/inspectorssmplugin") or
55        process.parent.executable: (
56          "/usr/bin/setup-policy-routes",
57          "/usr/share/ec2-instance-connect/*",
58          "/var/lib/amazon/ssm/*")
59        )
60]
61[network where host.os.type == "linux"
62  and event.action == "connection_attempted"
63  and destination.ip == "169.254.169.254"]
64'''
65
66
67[[rule.threat]]
68framework = "MITRE ATT&CK"
69[[rule.threat.technique]]
70id = "T1552"
71name = "Unsecured Credentials"
72reference = "https://attack.mitre.org/techniques/T1552/"
73[[rule.threat.technique.subtechnique]]
74id = "T1552.005"
75name = "Cloud Instance Metadata API"
76reference = "https://attack.mitre.org/techniques/T1552/005/"
77
78
79
80[rule.threat.tactic]
81id = "TA0006"
82name = "Credential Access"
83reference = "https://attack.mitre.org/tactics/TA0006/"
84[[rule.threat]]
85framework = "MITRE ATT&CK"
86[[rule.threat.technique]]
87id = "T1580"
88name = "Cloud Infrastructure Discovery"
89reference = "https://attack.mitre.org/techniques/T1580/"
90
91
92[rule.threat.tactic]
93id = "TA0007"
94name = "Discovery"
95reference = "https://attack.mitre.org/tactics/TA0007/"
