Unusual Instance Metadata Service (IMDS) API Request
This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as the instance ID, the public IP address, and even temporary security credentials if a role is assumed by that instance. The rule monitors for various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.
Elastic rule
```toml
[metadata]
creation_date = "2024/08/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/09/29"

[rule]
author = ["Elastic"]
description = """
This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata
service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID,
public IP address, and even temporary security credentials if roles are assumed by that instance. The rule monitors for
various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.
"""
from = "now-9m"
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Instance Metadata Service (IMDS) API Request"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Instance Metadata Service (IMDS) API Request

The Instance Metadata Service (IMDS) API provides essential instance-specific data, including configuration details and temporary credentials, to applications running on cloud instances. Adversaries exploit this by using scripts or tools to access sensitive data, potentially leading to unauthorized access. The detection rule identifies suspicious access attempts by monitoring specific processes and network activities, excluding known legitimate paths, to flag potential misuse.

### Possible investigation steps

- Review the process details such as process.name and process.command_line to identify the tool or script used to access the IMDS API and determine if it aligns with known malicious behavior.
- Examine the process.executable and process.working_directory fields to verify if the execution path is unusual or suspicious, especially if it originates from directories like /tmp/* or /var/tmp/*.
- Check the process.parent.entity_id and process.parent.executable to understand the parent process and its legitimacy, which might provide context on how the suspicious process was initiated.
- Investigate the network event details, particularly the destination.ip field, to confirm if there was an attempted connection to the IMDS API endpoint at 169.254.169.254.
- Correlate the host.id with other security events or logs to identify any additional suspicious activities or patterns on the same host that might indicate a broader compromise.
- Assess the risk score and severity to prioritize the investigation and determine if immediate action is required to mitigate potential threats.

### False positive analysis

- Security and monitoring tools like Rapid7, Nessus, and Amazon SSM Agent may trigger false positives due to their legitimate access to the IMDS API. Users can exclude these by adding their working directories to the exception list.
- Automated scripts or processes running from known directories such as /opt/rumble/bin or /usr/share/ec2-instance-connect may also cause false positives. Exclude these directories or specific executables from the rule to prevent unnecessary alerts.
- System maintenance or configuration scripts that access the IMDS API for legitimate purposes might be flagged. Identify these scripts and add their paths or parent executables to the exclusion list to reduce noise.
- Regular network monitoring tools that attempt connections to the IMDS IP address for health checks or status updates can be excluded by specifying their process names or executable paths in the exception criteria.

### Response and remediation

- Immediately isolate the affected instance from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious processes identified in the alert that are attempting to access the IMDS API, especially those using tools like curl, wget, or python.
- Revoke any temporary credentials that may have been exposed or accessed through the IMDS API to prevent unauthorized use.
- Conduct a thorough review of the instance's security groups and IAM roles to ensure that only necessary permissions are granted and that there are no overly permissive policies.
- Escalate the incident to the security operations team for further investigation and to determine if additional instances or resources are affected.
- Implement network monitoring to detect and alert on any future attempts to access the IMDS API from unauthorized processes or locations.
- Review and update the instance's security configurations and apply any necessary patches or updates to mitigate vulnerabilities that could be exploited in similar attacks."""
references = [
    "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
    "https://www.wiz.io/blog/imds-anomaly-hunting-zero-day",
]
risk_score = 47
rule_id = "ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "Domain: Cloud",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id, process.parent.entity_id with maxspan=3s
[
  process
  where host.os.type == "linux"
    and event.type == "start"
    and event.action == "exec"
    and process.parent.executable != null

    // common tooling / suspicious names (keep broad)
    and (
      process.name : (
        "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
        "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node",
        "bash", "sh"
      )
      or
      // suspicious execution locations (dropped binaries / temp execution)
      process.executable : (
        "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
        "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
      )
      or
      // threat-relevant IMDS / metadata endpoints (inclusion list)
      process.command_line : (
        "*169.254.169.254/latest/api/token*",
        "*169.254.169.254/latest/meta-data/iam/security-credentials*",
        "*169.254.169.254/latest/meta-data/local-ipv4*",
        "*169.254.169.254/latest/meta-data/local-hostname*",
        "*169.254.169.254/latest/meta-data/public-ipv4*",
        "*169.254.169.254/latest/user-data*",
        "*169.254.169.254/latest/dynamic/instance-identity/document*",
        "*169.254.169.254/latest/meta-data/instance-id*",
        "*169.254.169.254/latest/meta-data/public-keys*",
        "*computeMetadata/v1/instance/service-accounts/*/token*",
        "*/metadata/identity/oauth2/token*",
        "*169.254.169.254/opc/v*/instance*",
        "*169.254.169.254/opc/v*/vnics*"
      )
    )

    // global working-dir / executable / parent exclusions for known benign agents
    and not process.working_directory : (
      "/opt/rapid7*",
      "/opt/nessus*",
      "/snap/amazon-ssm-agent*",
      "/var/snap/amazon-ssm-agent/*",
      "/var/log/amazon/ssm/*",
      "/srv/snp/docker/overlay2*",
      "/opt/nessus_agent/var/nessus/*"
    )

    and not process.executable : (
      "/opt/rumble/bin/rumble-agent*",
      "/opt/aws/inspector/bin/inspectorssmplugin",
      "/snap/oracle-cloud-agent/*",
      "/lusr/libexec/oracle-cloud-agent/*"
    )

    and not process.parent.executable : (
      "/usr/bin/setup-policy-routes",
      "/usr/share/ec2-instance-connect/*",
      "/var/lib/amazon/ssm/*",
      "/etc/update-motd.d/30-banner",
      "/usr/sbin/dhclient-script",
      "/usr/local/bin/uwsgi",
      "/usr/lib/skylight/al-extras",
      "/usr/bin/cloud-init",
      "/usr/sbin/waagent",
      "/usr/bin/google_osconfig_agent",
      "/usr/bin/docker",
      "/usr/bin/containerd-shim",
      "/usr/bin/runc"
    )

    and not process.entry_leader.executable : (
      "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent",
      "/opt/Elastic/Agent/data/elastic-agent-*/elastic-agent",
      "/opt/nessus_agent/sbin/nessus-service"
    )

    // carve-out: safe /usr/bin/curl usage (suppress noisy, legitimate agent patterns)
    and not (
      process.executable == "/usr/bin/curl"
      and (
        // AWS IMDSv2 token PUT that includes ttl header
        (process.command_line : "*-X PUT*169.254.169.254/latest/api/token*" and process.command_line : "*X-aws-ec2-metadata-token-ttl-seconds*")
        or
        // Any IMDSv2 GET that includes token header for any /latest/* path
        process.command_line : "*-H X-aws-ec2-metadata-token:*169.254.169.254/latest/*"
        or
        // Common amazon tooling UA
        process.command_line : "*-A amazon-ec2-net-utils/*"
        or
        // Azure metadata legitimate header
        process.command_line : "*-H Metadata:true*169.254.169.254/metadata/*"
        or
        // Oracle IMDS legitimate header
        process.command_line : "*-H Authorization:*Oracle*169.254.169.254/opc/*"
      )
    )
]
[
  network where host.os.type == "linux"
    and event.action == "connection_attempted"
    and destination.ip == "169.254.169.254"
]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.005"
name = "Cloud Instance Metadata API"
reference = "https://attack.mitre.org/techniques/T1552/005/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
```
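To make the query's logic concrete for tuning and triage, the following is an added Python model of the rule, not Elastic's code and not how the Elastic detection engine evaluates EQL: it approximates the process-side predicate (inclusion lists, benign-agent exclusions and the `/usr/bin/curl` carve-out, with the longer lists abridged) and the `sequence by host.id, process.parent.entity_id with maxspan=3s` join, then runs them over constructed sample events. The events, hostnames, timestamps and helper names (`_proc`, `_net`, `run_demo`) are assumptions made for the illustration; field names follow the rule.

```python
from fnmatch import fnmatchcase

# Inclusion lists from the query (the command-line list is abridged).
TOOL_NAMES = ["curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh", "openssl",
              "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node", "bash", "sh"]
SUSPICIOUS_EXEC = ["./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
                   "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"]
IMDS_CMDLINE = ["*169.254.169.254/latest/api/token*", "*169.254.169.254/latest/meta-data/iam/security-credentials*",
                "*169.254.169.254/latest/user-data*", "*computeMetadata/v1/instance/service-accounts/*/token*",
                "*/metadata/identity/oauth2/token*", "*169.254.169.254/opc/v*/instance*"]
# Exclusion lists for known benign agents (abridged from the query).
BENIGN_WORKDIR = ["/opt/rapid7*", "/opt/nessus*", "/snap/amazon-ssm-agent*"]
BENIGN_EXEC = ["/opt/rumble/bin/rumble-agent*", "/opt/aws/inspector/bin/inspectorssmplugin"]
BENIGN_PARENT = ["/usr/share/ec2-instance-connect/*", "/usr/bin/cloud-init", "/usr/sbin/waagent"]
BENIGN_ENTRY_LEADER = ["/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent"]
# /usr/bin/curl carve-out: request shapes that carry the provider's metadata auth header.
CURL_CARVE_OUT = ["*-H X-aws-ec2-metadata-token:*169.254.169.254/latest/*", "*-A amazon-ec2-net-utils/*",
                  "*-H Metadata:true*169.254.169.254/metadata/*", "*-H Authorization:*Oracle*169.254.169.254/opc/*"]


def _matches(value, patterns):
    # Approximates EQL ':' : case-insensitive wildcard match against any of the patterns.
    if value is None:
        return False
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def curl_carve_out(ev):
    # True for the noisy-but-legitimate /usr/bin/curl shapes the rule suppresses.
    if ev.get("process.executable") != "/usr/bin/curl":
        return False
    cmd = ev.get("process.command_line")
    token_put = (_matches(cmd, ["*-X PUT*169.254.169.254/latest/api/token*"])
                 and _matches(cmd, ["*X-aws-ec2-metadata-token-ttl-seconds*"]))
    return token_put or _matches(cmd, CURL_CARVE_OUT)


def process_matches(ev):
    # First sequence stage: suspicious tool, location or IMDS URL, minus the exclusions.
    if not (ev.get("host.os.type") == "linux" and ev.get("event.type") == "start"
            and ev.get("event.action") == "exec" and ev.get("process.parent.executable")):
        return False
    included = (_matches(ev.get("process.name"), TOOL_NAMES)
                or _matches(ev.get("process.executable"), SUSPICIOUS_EXEC)
                or _matches(ev.get("process.command_line"), IMDS_CMDLINE))
    excluded = (_matches(ev.get("process.working_directory"), BENIGN_WORKDIR)
                or _matches(ev.get("process.executable"), BENIGN_EXEC)
                or _matches(ev.get("process.parent.executable"), BENIGN_PARENT)
                or _matches(ev.get("process.entry_leader.executable"), BENIGN_ENTRY_LEADER))
    return included and not excluded and not curl_carve_out(ev)


def network_matches(ev):
    # Second sequence stage: a connection attempt to the link-local IMDS address.
    return (ev.get("host.os.type") == "linux" and ev.get("event.action") == "connection_attempted"
            and ev.get("destination.ip") == "169.254.169.254")


def correlate(events, maxspan=3.0):
    # Pair each matching process event with the next IMDS connection attempt that shares
    # (host.id, process.parent.entity_id) and arrives within maxspan seconds.
    pending, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev.get("host.id"), ev.get("process.parent.entity_id"))
        if ev["event.category"] == "process" and process_matches(ev):
            pending[key] = ev
        elif ev["event.category"] == "network" and network_matches(ev):
            first = pending.pop(key, None)
            if first is not None and ev["@timestamp"] - first["@timestamp"] <= maxspan:
                alerts.append((first, ev))
    return alerts


def _proc(ts, host, parent_id, name, exe, cmd, parent_exe, cwd="/home/ec2-user"):
    return {"@timestamp": ts, "host.id": host, "host.os.type": "linux", "event.category": "process",
            "event.type": "start", "event.action": "exec", "process.parent.entity_id": parent_id,
            "process.name": name, "process.executable": exe, "process.command_line": cmd,
            "process.parent.executable": parent_exe, "process.working_directory": cwd}


def _net(ts, host, parent_id):
    return {"@timestamp": ts, "host.id": host, "host.os.type": "linux", "event.category": "network",
            "event.action": "connection_attempted", "process.parent.entity_id": parent_id,
            "destination.ip": "169.254.169.254"}


# Constructed sample telemetry (not real events); timestamps are seconds.
SAMPLE_EVENTS = [
    # 1. unauthenticated IMDSv1 credential fetch by a shell working out of /tmp: alerts
    _proc(100.0, "host-a", "p1", "curl", "/usr/bin/curl",
          "curl http://169.254.169.254/latest/meta-data/iam/security-credentials/", "/bin/bash", "/tmp"),
    _net(100.4, "host-a", "p1"),
    # 2. IMDSv2 GET carrying the session-token header: suppressed by the curl carve-out
    _proc(200.0, "host-b", "p2", "curl", "/usr/bin/curl",
          "curl -H X-aws-ec2-metadata-token: TOKEN http://169.254.169.254/latest/meta-data/instance-id", "/bin/bash"),
    _net(200.2, "host-b", "p2"),
    # 3. python launched by cloud-init: dropped by the parent-executable exclusion
    _proc(300.0, "host-c", "p3", "python3", "/usr/bin/python3", "python3 -m cloudinit", "/usr/bin/cloud-init"),
    _net(300.1, "host-c", "p3"),
    # 4. suspicious wget, but the connection attempt lands 10 s later, outside maxspan: no alert
    _proc(400.0, "host-d", "p4", "wget", "/usr/bin/wget",
          "wget -qO- http://169.254.169.254/latest/user-data", "/bin/sh", "/var/tmp"),
    _net(410.0, "host-d", "p4"),
]


def run_demo():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for first, second in run_demo():
        print(f"ALERT host={first['host.id']} cmd={first['process.command_line']!r} connect@{second['@timestamp']}")
```

Only the first pair fires: the IMDSv2 request is absorbed by the carve-out because it carries the `X-aws-ec2-metadata-token` header, the cloud-init child is dropped by the parent-executable exclusion, and the late connection attempt falls outside the 3-second window. Running candidate exclusions through a harness like this before editing the rule is a cheap way to confirm they suppress exactly the benign pattern and nothing else; note that the `_matches` helper mirrors the case-insensitive wildcard behaviour of EQL's `:` operator, which is why header names in the carve-out match regardless of capitalisation.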
Related rules
- GitHub Authentication Token Access via Node.js
- Kubernetes Service Account Secret Access
- Pluggable Authentication Module (PAM) Version Discovery
- Potential Port Scanning Activity from Compromised Host
- Potential Subnet Scanning Activity from Compromised Host