Elastic Security Detection Rules

Cloud Instance Metadata Credential Path HTTP Request

Last updated a month ago on 2026-05-23
Created a month ago on 2026-05-23

About

Detects HTTP GET requests to the link-local instance metadata service (169.254.169.254) for cloud credential or token paths on AWS, GCP, or Azure. Adversaries and vulnerable workloads use scripts, shells, or application runtimes to read IAM role credentials or OAuth tokens from the metadata API. Requires the Network Packet Capture integration with HTTP decoding on ports 80 and 443 and process enrichment enabled so "process.*" fields are present.
Tags
Domain: CloudDomain: NetworkOS: LinuxOS: WindowsOS: macOSUse Case: Threat DetectionTactic: Credential AccessData Source: Network Packet CaptureLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

Unsecured Credentials (T1552)(external, opens in a new tab or window)

False Positive Examples
Cloud agents (SSM, waagent, cloud-init, instance connect) and authorized scanners may reach the same paths during provisioning or health checks. Exclude known agent user agents, source hosts, or parent processes after baselining.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-network_traffic.http*packetbeat-*
Related Integrations

network_traffic(external, opens in a new tab or window)

Query
text code block:
network where event.module == "network_traffic" and destination.ip == "169.254.169.254" and destination.port == 80 and
http.request.method == "GET" and url.path : (
  "/latest/meta-data/iam/security-credentials/*",
  "*computeMetadata/v1/instance/service-accounts/*/oauth2/access_token*",
  "*metadata/identity/oauth2/token*"
) and (
  ?process.name : (
    "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "dash", "sh", "tcsh", "tclsh", "wish",
    "csh", "zsh", "ksh", "fish", "mksh", "busybox",
    "bun.exe", "node.exe", "powershell.exe", "cmd.exe", "curl.exe", "wget.exe", "rundll32.exe", "w3wp.exe", "java*", 
    "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", "spring*", "dotnet", "gunicorn", "uwsgi", 
    ".*", "osascript"
  ) or ?process.executable : (
    "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/run/*", "/boot/*", "/.*", "C:\\Users\\*", "?:\\ProgramData\\*"
  ) or user_agent.original : (
    "curl*", "wget*", "python*", "ruby*", "Go-http-client*", "node*", "axios*", "undici*", "java*", "php*", "Bun*",
    "Apache-HttpClient*", "okhttp*", "RestTemplate*", "*WindowsPowerShell*", "*roadtools*", "*fasthttp*", "*azurehound*", "*bloodhound*", "*aiohttp*"
  )
)

Install detection rules in Elastic Security

Detect Cloud Instance Metadata Credential Path HTTP Request in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).