Cloud Instance Metadata Credential Path HTTP Request
Detects HTTP GET requests to the link-local instance metadata service (169.254.169.254) for cloud credential or token paths on AWS, GCP, or Azure. Adversaries and vulnerable workloads use scripts, shells, or application runtimes to read IAM role credentials or OAuth tokens from the metadata API. Requires the Network Packet Capture integration with HTTP decoding on ports 80 and 443 and process enrichment enabled so "process.*" fields are present.
Elastic rule
[metadata]
creation_date = "2026/05/23"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2026/05/23"

[rule]
author = ["Elastic"]
description = """
Detects HTTP GET requests to the link-local instance metadata service (169.254.169.254) for cloud credential or token
paths on AWS, GCP, or Azure. Adversaries and vulnerable workloads use scripts, shells, or application runtimes to read
IAM role credentials or OAuth tokens from the metadata API. Requires the Network Packet Capture integration with HTTP
decoding on ports 80 and 443 and process enrichment enabled so "process.*" fields are present.
"""
false_positives = [
    """
    Cloud agents (SSM, waagent, cloud-init, instance connect) and authorized scanners may reach the same paths during
    provisioning or health checks. Exclude known agent user agents, source hosts, or parent processes after baselining.
    """,
]
from = "now-9m"
index = ["logs-network_traffic.http*", "packetbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Cloud Instance Metadata Credential Path HTTP Request"
note = """## Triage and analysis

### Investigating Cloud Instance Metadata Credential Path HTTP Request

This rule matches outbound HTTP GETs to `169.254.169.254` where the URL path requests IAM credentials or cloud OAuth
tokens, filtered to common scripting runtimes, suspicious executable paths, or tool-like user agents.

### Investigation steps

- Confirm `url.path` (AWS `security-credentials`, GCP `oauth2/access_token`, Azure `metadata/identity/oauth2/token`).
- Review `process.name`, `process.executable`, and `user_agent.original` — scripted tools and temp-path binaries are higher risk.
- Check `host.name` or `host.hostname` and whether the workload should run on a cloud VM with an instance profile or managed identity.
- Correlate with cloud audit or sign-in logs for role assumption or token use shortly after the request.
- If credentials may have been exposed, rotate the instance role or managed identity and review API activity from that principal.

### False positives

- Platform agents and bootstrap scripts on new instances; allowlist by user agent or host group where validated.

### Response

- Restrict IMDS access (IMDSv2 hop limit, network policy) and remove unnecessary instance permissions.
- Investigate the host for follow-on credential use or lateral movement.

## Setup

Deploy the [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic) integration via Fleet on cloud workloads.

- Enable **Capture HTTP Traffic** and include ports **80** and **443**.
- Enable **Monitor Processes** so network events include the process that initiated the connection.
- Prefer ECS field remapping (`map_to_ecs`) on integration data streams.
"""
references = [
    "https://www.elastic.co/docs/reference/integrations/network_traffic",
    "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/"
]
risk_score = 47
rule_id = "73dd1f2c-3c24-4e13-a64b-dfd510e9fd98"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Network",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Network Packet Capture",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
network where event.module == "network_traffic" and destination.ip == "169.254.169.254" and destination.port == 80 and
http.request.method == "GET" and url.path : (
  "/latest/meta-data/iam/security-credentials/*",
  "*computeMetadata/v1/instance/service-accounts/*/oauth2/access_token*",
  "*metadata/identity/oauth2/token*"
) and (
  ?process.name : (
    "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "dash", "sh", "tcsh", "tclsh", "wish",
    "csh", "zsh", "ksh", "fish", "mksh", "busybox",
    "bun.exe", "node.exe", "powershell.exe", "cmd.exe", "curl.exe", "wget.exe", "rundll32.exe", "w3wp.exe", "java*",
    "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", "spring*", "dotnet", "gunicorn", "uwsgi",
    ".*", "osascript"
  ) or ?process.executable : (
    "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/run/*", "/boot/*", "/.*", "C:\\Users\\*", "?:\\ProgramData\\*"
  ) or user_agent.original : (
    "curl*", "wget*", "python*", "ruby*", "Go-http-client*", "node*", "axios*", "undici*", "java*", "php*", "Bun*",
    "Apache-HttpClient*", "okhttp*", "RestTemplate*", "*WindowsPowerShell*", "*roadtools*", "*fasthttp*", "*azurehound*", "*bloodhound*", "*aiohttp*"
  )
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.005"
name = "Cloud Instance Metadata API"
reference = "https://attack.mitre.org/techniques/T1552/005/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
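The following is an added example, not Elastic's code and not part of the rule: it re-implements the query's matching logic in Python so the path, process and user-agent filters can be exercised against constructed events before the rule is deployed, and it adds the post-alert baseline exclusion the false-positive note recommends. Events are flattened ECS field names in a dict; the five sample events, the hostnames and the allowlist entry are constructed, and the allowlist assumes `process.args` is present on the enriched network event. Note that the query pins `destination.port` to 80, the port the AWS, GCP and Azure metadata services listen on; the 443 in the Setup section is integration capture configuration, not a rule condition.

```python
import re

# Path, process-name, executable-path and user-agent lists copied from the rule's query.
CREDENTIAL_PATHS = [
    "/latest/meta-data/iam/security-credentials/*",
    "*computeMetadata/v1/instance/service-accounts/*/oauth2/access_token*",
    "*metadata/identity/oauth2/token*",
]
PROCESS_NAMES = [
    "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "dash", "sh", "tcsh",
    "tclsh", "wish", "csh", "zsh", "ksh", "fish", "mksh", "busybox", "bun.exe", "node.exe",
    "powershell.exe", "cmd.exe", "curl.exe", "wget.exe", "rundll32.exe", "w3wp.exe", "java*", "go",
    "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", "spring*", "dotnet",
    "gunicorn", "uwsgi", ".*", "osascript",
]
EXECUTABLE_PATHS = [
    "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/run/*", "/boot/*", "/.*",
    r"C:\Users\*", r"?:\ProgramData\*",  # EQL unescapes the query's "\\" to a single backslash
]
USER_AGENTS = [
    "curl*", "wget*", "python*", "ruby*", "Go-http-client*", "node*", "axios*", "undici*", "java*",
    "php*", "Bun*", "Apache-HttpClient*", "okhttp*", "RestTemplate*", "*WindowsPowerShell*",
    "*roadtools*", "*fasthttp*", "*azurehound*", "*bloodhound*", "*aiohttp*",
]


def eql_like(value, pattern):
    """EQL ':' operator: case-insensitive whole-string wildcard match ('*' any run, '?' one char)."""
    if value is None:  # a missing field never matches
        return False
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def any_like(value, patterns):
    return any(eql_like(value, p) for p in patterns)


def rule_matches(ev):
    """The rule's 'network where ...' clause. '==' is case-sensitive in EQL, ':' is not."""
    if ev.get("event.module") != "network_traffic" or ev.get("http.request.method") != "GET":
        return False
    if ev.get("destination.ip") != "169.254.169.254" or ev.get("destination.port") != 80:
        return False
    if not any_like(ev.get("url.path"), CREDENTIAL_PATHS):
        return False
    # Optional fields ('?process.*') evaluate to false when absent; any one filter suffices.
    return (any_like(ev.get("process.name"), PROCESS_NAMES)
            or any_like(ev.get("process.executable"), EXECUTABLE_PATHS)
            or any_like(ev.get("user_agent.original"), USER_AGENTS))


# Constructed baseline for the false-positive note: the Azure guest agent runs under the Python
# interpreter, so it trips 'python*' on every token refresh. Keying the exclusion on host group
# plus the interpreter's argument is narrower than dropping 'python*' from the rule.
# Host pattern and agent path are hypothetical; assumes process.args is enriched.
BASELINE_ALLOWLIST = [{"host.name": "az-*", "process.args": "/usr/sbin/waagent"}]


def is_baselined(ev, allowlist=BASELINE_ALLOWLIST):
    return any(eql_like(ev.get("host.name"), e["host.name"])
               and e["process.args"] in ev.get("process.args", []) for e in allowlist)


def triage(events, allowlist=BASELINE_ALLOWLIST):
    """Map event id -> 'alert', 'baselined' or 'no-match'."""
    verdicts = {}
    for ev in events:
        if not rule_matches(ev):
            verdicts[ev["id"]] = "no-match"
        elif is_baselined(ev, allowlist):
            verdicts[ev["id"]] = "baselined"
        else:
            verdicts[ev["id"]] = "alert"
    return verdicts


def _imds(fields):
    """Constructed GET to 169.254.169.254:80 carrying the given extra ECS fields."""
    return {"event.module": "network_traffic", "destination.ip": "169.254.169.254",
            "destination.port": 80, "http.request.method": "GET", **fields}


SAMPLE_EVENTS = [  # constructed, not captured traffic
    _imds({"id": "aws-curl-tmp", "host.name": "ip-10-0-1-23", "process.name": "curl",
           "url.path": "/latest/meta-data/iam/security-credentials/web-app-role",
           "process.executable": "/tmp/.x/curl", "user_agent.original": "curl/8.5.0"}),
    _imds({"id": "azure-node-home", "host.name": "az-web-02", "process.name": "node",
           "url.path": "/metadata/identity/oauth2/token",
           "process.executable": "/home/deploy/tool/node", "user_agent.original": "axios/1.6.0"}),
    _imds({"id": "azure-waagent", "host.name": "az-web-01", "process.name": "python3",
           "url.path": "/metadata/identity/oauth2/token", "process.executable": "/usr/bin/python3",
           "process.args": ["python3", "-u", "/usr/sbin/waagent", "-daemon"],
           "user_agent.original": "python-requests/2.31.0"}),
    _imds({"id": "aws-instance-id", "host.name": "ip-10-0-1-23", "process.name": "curl",
           "url.path": "/latest/meta-data/instance-id",  # not a credential path
           "process.executable": "/usr/bin/curl", "user_agent.original": "curl/8.5.0"}),
    _imds({"id": "win-powershell", "host.name": "EC2AMAZ-WEB01", "process.name": "powershell.exe",
           "url.path": "/latest/meta-data/iam/security-credentials/",  # role listing
           "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "user_agent.original": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) "
                                  "WindowsPowerShell/5.1.19041.4046"}),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Running it yields three alerts (the temp-path `curl`, the `node` binary under `/home`, and PowerShell listing roles), one baselined guest-agent refresh, and one non-match for the `instance-id` path, which shows that the rule keys on the credential path, not on metadata access in general. The same harness is a convenient place to check a proposed exclusion before it becomes a rule exception: add the candidate event, confirm it moves to `baselined`, and confirm the attacker-style events still alert.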
Related rules
- Multi-Cloud CLI Token and Credential Access Commands
- GenAI Process Accessing Sensitive Files
- Credential Access via TruffleHog Execution
- Potential Secret Scanning via Gitleaks
- Initial Access via File Upload Followed by GET Request