Unusual Linux User Calling the Metadata Service

Last updated 7 months ago on 2025-01-15

Created 5 years ago on 2020-09-22

About

Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionRule Type: MLRule Type: Machine LearningTactic: Credential Access

Severity

low

Risk Score

MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

↳ Unsecured Credentials (T1552)(opens in a new tab or window)

False Positive Examples

A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Machine Learning

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

auditd_manager(opens in a new tab or window)

endpoint(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Unusual Linux User Calling the Metadata Service in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).