Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

calendar Oct 23, 2025 · attack.privilege-escalation attack.defense-evasion attack.initial-access attack.persistence attack.t1078 attack.t1078.002  ·
Share on: linkedin copy

Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

Sigma rule (View on GitHub)

 1title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
 2id: 352a918a-34d8-4882-8470-44830c507aa3
 3status: test
 4description: |
 5    Detects when an instance identity has taken an action that isn't inside SSM.
 6    This can indicate that a compromised EC2 instance is being used as a pivot point.    
 7references:
 8    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
 9    - https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
10    - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
11author: jamesc-grafana
12date: 2024-07-11
13tags:
14    - attack.privilege-escalation
15    - attack.defense-evasion
16    - attack.initial-access
17    - attack.persistence
18    - attack.t1078
19    - attack.t1078.002
20logsource:
21    product: aws
22    service: cloudtrail
23detection:
24    selection:
25        userIdentity.arn|re: '.+:assumed-role/aws:.+'
26    filter_main_generic:
27        - eventSource: 'ssm.amazonaws.com'
28        - eventName: 'RegisterManagedInstance'
29        - sourceIPAddress: 'AWS Internal'
30    condition: selection and not 1 of filter_main_*
31falsepositives:
32    - A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services
33level: high

References

  • Amazon Elastic Compute Cloud


    Read More

  • Secure Your AWS EC2 Instance Metadata Service (IMDS)

    Read this review of IMDS, an important AWS EC2 service component, to understand its two versions and improve your AWS security.


    Read More

  • Amazon EC2 Credential Exfiltration: How It Happens and How to Mitigate It

    An introduction to Amazon EC2 credentials When you assign an Identity and Access Management (IAM) role to an Amazon Elastic Compute Cloud (EC2) instance, the short-term credentials for the role are made available via a web service known as the Instance Metadata Service (IMDS). The IMDS provides an HTTP endpoint for retrieving instance metadata such as the instance IP address, AWS Region the instance is running in, the Amazon Machine Image used to launch the instance, and the access key, secret access key, and session token associated with the instance's IAM role. The AWS documentation describes how to retrieve instance role credentials from IMDS. If you've seen or used the http://169.254.169.254 or http://fd00:ec2::254 endpoints, then you've seen/used IMDS. Retrieval of instance role credentials from IMDS is the mechanism by which the AWS CLI and SDKs learn the credentials belonging to the instance's IAM role without you having to configure anything on the instance. Quoting the IAM documentation: The AWS SDKs, AWS CLI, and Tools for Windows PowerShell automatically get the credentials from the EC2 Instance Metadata Service (IMDS) and use them. This is great! It means you can start using the AWS CLI, SDKs, or Tools for Windows PowerShell on an EC2 instance without having to configure any credentials. However, like most nice things, IMDS can be exploited and used in unintended ways. This blog post will explain how EC2 credentials can be retrieved from IMDS, removed from the EC2 instance, and used outside of EC2. This post will also explain some ways to mitigate this activity.


    Read More

Related rules

to-top