Elastic Security Detection Rules

Unusual Instance Metadata Service (IMDS) API Request

Last updated 7 days ago on 2025-01-24
Created 5 months ago on 2024-08-22

About

This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID, public IP address, and even temporary security credentials if role's are assumed by that instance. The rule monitors for various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Credential AccessTactic: DiscoveryData Source: Elastic DefendLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

Unsecured Credentials (T1552)(opens in a new tab or window)

Discovery (TA0007)(opens in a new tab or window)

Cloud Infrastructure Discovery (T1580)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.*
Related Integrations

endpoint(opens in a new tab or window)

Query
sequence by host.id,  process.parent.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
 process.parent.executable != null and 
 (
  process.name : (
    "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
    "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node"
    ) or 
  process.executable : (
      "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
      "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
    ) or
  process.command_line: "*169.254.169.254*" 
  )  
  and not process.working_directory: (
          "/opt/rapid7*",
          "/opt/nessus*",
          "/snap/amazon-ssm-agent*",
          "/var/snap/amazon-ssm-agent/*",
          "/var/log/amazon/ssm/*",
          "/srv/snp/docker/overlay2*",
          "/opt/nessus_agent/var/nessus/*") 
  and not process.executable: (
          "/opt/rumble/bin/rumble-agent*",
          "/opt/aws/inspector/bin/inspectorssmplugin",
          "/snap/oracle-cloud-agent/*",
          "/lusr/libexec/oracle-cloud-agent/*") 
  and not process.parent.executable: (
          "/usr/bin/setup-policy-routes",
          "/usr/share/ec2-instance-connect/*",
          "/var/lib/amazon/ssm/*", 
          "/etc/update-motd.d/30-banner", 
          "/usr/sbin/dhclient-script", 
          "/usr/local/bin/uwsgi", 
          "/usr/lib/skylight/al-extras")
]
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip == "169.254.169.254"]

Install detection rules in Elastic Security

Detect Unusual Instance Metadata Service (IMDS) API Request in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).