Unusual Linux Process Calling the Metadata Service
Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/22"
3maturity = "production"
4updated_date = "2023/03/06"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7
8[rule]
9anomaly_threshold = 50
10author = ["Elastic"]
11description = """
12Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order
13to harvest credentials or user data scripts containing secrets.
14"""
15false_positives = [
16 """
17 A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this
18 detection rule.
19 """,
20]
21from = "now-45m"
22interval = "15m"
23license = "Elastic License v2"
24machine_learning_job_id = ["v3_linux_rare_metadata_process"]
25name = "Unusual Linux Process Calling the Metadata Service"
26risk_score = 21
27rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"
28severity = "low"
29tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Credential Access"]
30type = "machine_learning"
31
32[[rule.threat]]
33framework = "MITRE ATT&CK"
34[[rule.threat.technique]]
35id = "T1552"
36name = "Unsecured Credentials"
37reference = "https://attack.mitre.org/techniques/T1552/"
38
39 [[rule.threat.technique.subtechnique]]
40 id = "T1552.005"
41 name = "Cloud Instance Metadata API"
42 reference = "https://attack.mitre.org/techniques/T1552/005/"
43
44
45[rule.threat.tactic]
46id = "TA0006"
47name = "Credential Access"
48reference = "https://attack.mitre.org/tactics/TA0006/"