Credential Access (TA0006)
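// Unusual Instance Metadata Service (IMDS) API Request — Linux.
//
// Correlates, per host and per parent process (process.parent.entity_id), a suspicious
// process start with a connection attempt to the cloud metadata address within 3 seconds.
// Intent: surface credential / identity theft through the instance metadata service
// (AWS, GCP, Azure and OCI all answer on 169.254.169.254).
//
// Coverage notes (review):
//  - Only the IPv4 metadata address is matched in both legs; an IMDS reached over IPv6
//    (AWS exposes [fd00:ec2::254] when enabled) would not satisfy the network leg — confirm
//    whether that is in scope.
//  - The /usr/bin/curl carve-out below suppresses every header-bearing request to the
//    threat-relevant endpoints listed in the inclusion list (IMDSv2 token GETs under
//    /latest/*, Azure Metadata:true under /metadata/*, OCI Authorization under /opc/*).
//    For a well-formed IMDSv2/Azure/OCI credential fetch issued by /usr/bin/curl this rule
//    therefore does NOT fire; detection relies on IMDSv1 (no token header), other tools
//    (wget/python/nc/...), or curl executed from a non-standard path.
sequence by host.id, process.parent.entity_id with maxspan=3s
  [ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
    process.parent.executable != null and
    // Inclusion: any one of the three selectors is enough (kept deliberately broad).
    (
      // 1) common tooling / suspicious names
      process.name : (
        "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh", "openssl",
        "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node", "bash", "sh"
      ) or
      // 2) suspicious execution locations (dropped binaries / temp execution)
      // NOTE(review): process.executable is normally an absolute path, so "./*" is likely inert —
      // confirm against real field values before relying on it.
      process.executable : (
        "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
        "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
      ) or
      // 3) threat-relevant IMDS / metadata endpoints (inclusion list)
      process.command_line : (
        // AWS IMDS (v1 and v2): token, IAM role credentials, identity and network metadata
        "*169.254.169.254/latest/api/token*",
        "*169.254.169.254/latest/meta-data/iam/security-credentials*",
        "*169.254.169.254/latest/meta-data/local-ipv4*",
        "*169.254.169.254/latest/meta-data/local-hostname*",
        "*169.254.169.254/latest/meta-data/public-ipv4*",
        "*169.254.169.254/latest/user-data*",
        "*169.254.169.254/latest/dynamic/instance-identity/document*",
        "*169.254.169.254/latest/meta-data/instance-id*",
        "*169.254.169.254/latest/meta-data/public-keys*",
        // GCP service-account token
        "*computeMetadata/v1/instance/service-accounts/*/token*",
        // Azure managed-identity token
        "*/metadata/identity/oauth2/token*",
        // OCI instance / vnic metadata
        "*169.254.169.254/opc/v*/instance*",
        "*169.254.169.254/opc/v*/vnics*"
      )
    ) and
    // Global working-dir / executable / parent exclusions for known benign agents.
    not process.working_directory : (
      "/opt/rapid7*", "/opt/nessus*", "/snap/amazon-ssm-agent*", "/var/snap/amazon-ssm-agent/*",
      "/var/log/amazon/ssm/*", "/srv/snp/docker/overlay2*", "/opt/nessus_agent/var/nessus/*"
    ) and
    not process.executable : (
      "/opt/rumble/bin/rumble-agent*",
      "/opt/aws/inspector/bin/inspectorssmplugin",
      "/snap/oracle-cloud-agent/*",
      // NOTE(review): the source read "/lusr/libexec/oracle-cloud-agent/*" — presumed typo for
      // the OCI agent's /usr/libexec install prefix; with "/lusr/" the exclusion never matched.
      // Confirm against the deployed agent path.
      "/usr/libexec/oracle-cloud-agent/*"
    ) and
    // NOTE(review): excluding the container runtimes (docker / containerd-shim / runc) as parents
    // also suppresses a process exec'd directly as a container entrypoint; IMDS access from
    // containers is a common abuse path — confirm this trade-off is intended.
    not process.parent.executable : (
      "/usr/bin/setup-policy-routes", "/usr/share/ec2-instance-connect/*", "/var/lib/amazon/ssm/*",
      "/etc/update-motd.d/30-banner", "/usr/sbin/dhclient-script", "/usr/local/bin/uwsgi",
      "/usr/lib/skylight/al-extras", "/usr/bin/cloud-init", "/usr/sbin/waagent",
      "/usr/bin/google_osconfig_agent", "/usr/bin/docker", "/usr/bin/containerd-shim", "/usr/bin/runc"
    ) and
    not process.entry_leader.executable : (
      "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent",
      "/opt/Elastic/Agent/data/elastic-agent-*/elastic-agent",
      "/opt/nessus_agent/sbin/nessus-service"
    ) and
    // Carve-out: safe /usr/bin/curl usage (suppress noisy, legitimate agent patterns).
    // Every pattern here keys on caller-supplied command-line content, so an attacker who adds
    // the same header / flag to their own curl invocation is suppressed as well.
    not (
      process.executable == "/usr/bin/curl" and
      (
        // AWS IMDSv2 token PUT that includes the ttl header
        (process.command_line : "*-X PUT*169.254.169.254/latest/api/token*" and
         process.command_line : "*X-aws-ec2-metadata-token-ttl-seconds*") or
        // Any IMDSv2 GET that carries the token header, for any /latest/* path —
        // this includes /latest/meta-data/iam/security-credentials from the inclusion list.
        process.command_line : "*-H X-aws-ec2-metadata-token:*169.254.169.254/latest/*" or
        // Common amazon tooling UA (trivially spoofable: the UA is chosen by the caller)
        process.command_line : "*-A amazon-ec2-net-utils/*" or
        // Azure metadata header (required for every Azure IMDS request, benign or not)
        process.command_line : "*-H Metadata:true*169.254.169.254/metadata/*" or
        // Oracle IMDS authorization header (required for OCI IMDS v2, benign or not)
        process.command_line : "*-H Authorization:*Oracle*169.254.169.254/opc/*"
      )
    )
  ]
  // Second leg: the metadata address is contacted within maxspan by a process sharing the
  // same parent as the exec above (the exec'd process itself, or a sibling).
  [ network where host.os.type == "linux" and event.action == "connection_attempted" and
    destination.ip == "169.254.169.254" ]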
Install detection rules in Elastic Security
Detect Unusual Instance Metadata Service (IMDS) API Request in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, follow the installation guide for Prebuilt Security Detection Rules.