Web Server Cloud Metadata SSRF Request

Last updated 2 days ago on 2026-07-02
Created 2 days ago on 2026-07-02

About

Detects HTTP requests to web servers whose URL or query string references cloud instance metadata endpoints or equivalent encoded variants. Attackers exploit server-side request forgery (SSRF) vulnerabilities in web applications to reach link-local metadata services on AWS, GCP, Azure, and similar cloud providers and harvest temporary credentials, tokens, or instance details.
Tags
Domain: Web
Domain: Cloud
Domain: Network
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Initial Access
Data Source: Nginx
Data Source: Apache
Data Source: Apache Tomcat
Data Source: IIS
Data Source: Traefik
Data Source: Zeek
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)

Initial Access (TA0001)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-nginx.access-*
logs-apache.access-*
logs-apache_tomcat.access-*
logs-iis.access-*
logs-traefik.access-*
logs-zeek.http-*
Related Integrations

nginx

apache

apache_tomcat

iis

traefik

zeek

Query
web where (
  url.original : (
    "*169.254.169.254*",
    "*169%2e254%2e169%2e254*",
    "*0xa9fea9fe*",
    "*0xa9.0xfe.0xa9.0xfe*",
    "*2852039166*",
    "*0251.0376.0251.0376*",
    "*::ffff:169.254.169.254*",
    "*::ffff:a9fe:a9fe*",
    "*fd00:ec2::254*",
    "*100.100.100.200*",
    "*169.254.170.2*",
    "*metadata.google.internal*",
    "*metadata.goog*",
    "*computeMetadata/v1*",
    "*meta-data/iam/security-credentials*",
    "*meta-data%2Fiam%2Fsecurity-credentials*",
    "*latest/meta-data*",
    "*latest/api/token*"
  ) or
  url.query : (
    "*169.254.169.254*",
    "*169%2e254%2e169%2e254*",
    "*0xa9fea9fe*",
    "*0xa9.0xfe.0xa9.0xfe*",
    "*2852039166*",
    "*0251.0376.0251.0376*",
    "*::ffff:169.254.169.254*",
    "*::ffff:a9fe:a9fe*",
    "*fd00:ec2::254*",
    "*100.100.100.200*",
    "*169.254.170.2*",
    "*metadata.google.internal*",
    "*metadata.goog*",
    "*computeMetadata/v1*",
    "*meta-data/iam/security-credentials*",
    "*meta-data%2Fiam%2Fsecurity-credentials*",
    "*latest/meta-data*",
    "*latest/api/token*"
  )
)
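The query's matching logic can be replayed offline against access logs to see which pattern fired on which field before tuning or triaging alerts. The following Python harness is an added example, not part of the Elastic rule; the log lines, client addresses, and request paths are constructed, and it assumes common/combined log format.

```python
import re

# Wildcard patterns copied verbatim from the rule (same list for both fields).
PATTERNS = [
    "*169.254.169.254*", "*169%2e254%2e169%2e254*", "*0xa9fea9fe*",
    "*0xa9.0xfe.0xa9.0xfe*", "*2852039166*", "*0251.0376.0251.0376*",
    "*::ffff:169.254.169.254*", "*::ffff:a9fe:a9fe*", "*fd00:ec2::254*",
    "*100.100.100.200*", "*169.254.170.2*", "*metadata.google.internal*",
    "*metadata.goog*", "*computeMetadata/v1*",
    "*meta-data/iam/security-credentials*",
    "*meta-data%2Fiam%2Fsecurity-credentials*",
    "*latest/meta-data*", "*latest/api/token*",
]

def _compile(pattern):
    # '*' is the only wildcard; EQL's ':' operator compares case-insensitively.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)

COMPILED = [(p, _compile(p)) for p in PATTERNS]
# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')

def match_line(line):
    """Return {field: [patterns that matched]} for one access log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return {}
    original = m.group(1)
    fields = {"url.original": original, "url.query": original.partition("?")[2]}
    hits = {}
    for name, value in fields.items():
        matched = [p for p, rx in COMPILED if rx.fullmatch(value)]
        if matched:
            hits[name] = matched
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jul/2026:10:00:01 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jul/2026:10:00:05 +0000] "GET /proxy?target=http%3A%2F%2F169%2E254%2E169%2E254%2F HTTP/1.1" 502 87',
    '198.51.100.20 - - [02/Jul/2026:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.20 - - [02/Jul/2026:10:02:00 +0000] "GET /docs/latest/meta-data-reference.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(match_line(entry) or "no match", "<-", entry.split('"')[1])
```

The last sample line matches only on url.original through a substring of a static path, with no url.query hit, which is a useful first discriminator when triaging alerts from this rule.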

Install detection rules in Elastic Security

Detect Web Server Cloud Metadata SSRF Request in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.