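// Unusual IMDS API request (Linux): a suspicious process start — matched by
// name, by execution location, or by an IMDS/metadata endpoint on its command
// line — followed within 3s by a network connection to the link-local metadata
// address 169.254.169.254. Both events must share host.id and
// process.parent.entity_id, i.e. the connecting process is a child of the same
// parent as the exec'd process.
sequence by host.id, process.parent.entity_id with maxspan=3s
  [
    process
    where host.os.type == "linux"
      and event.type == "start"
      and event.action == "exec"
      // parent information must be present; presumably so the join key
      // (process.parent.entity_id) is populated — confirm against the data source
      and process.parent.executable != null
      // common tooling / suspicious names (kept deliberately broad)
      and (
        process.name : (
          "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
          "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node",
          "bash", "sh"
        )
        or
        // suspicious execution locations (dropped binaries / temp execution)
        // NOTE(review): "./*" only matches if the source ever reports a relative
        // process.executable — verify this can occur, otherwise the entry is dead
        process.executable : (
          "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
          "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
        )
        or
        // threat-relevant IMDS / metadata endpoints (inclusion list):
        // AWS (169.254.169.254/latest/*), GCP (computeMetadata), Azure (/metadata/identity),
        // Oracle Cloud (/opc/*)
        process.command_line : (
          "*169.254.169.254/latest/api/token*",
          "*169.254.169.254/latest/meta-data/iam/security-credentials*",
          "*169.254.169.254/latest/meta-data/local-ipv4*",
          "*169.254.169.254/latest/meta-data/local-hostname*",
          "*169.254.169.254/latest/meta-data/public-ipv4*",
          "*169.254.169.254/latest/user-data*",
          "*169.254.169.254/latest/dynamic/instance-identity/document*",
          "*169.254.169.254/latest/meta-data/instance-id*",
          "*169.254.169.254/latest/meta-data/public-keys*",
          "*computeMetadata/v1/instance/service-accounts/*/token*",
          "*/metadata/identity/oauth2/token*",
          "*169.254.169.254/opc/v*/instance*",
          "*169.254.169.254/opc/v*/vnics*"
        )
      )
      // global working-dir / executable / parent exclusions for known benign agents
      // ("/opt/nessus_agent/var/nessus/*" is already covered by "/opt/nessus*")
      and not process.working_directory : (
        "/opt/rapid7*",
        "/opt/nessus*",
        "/snap/amazon-ssm-agent*",
        "/var/snap/amazon-ssm-agent/*",
        "/var/log/amazon/ssm/*",
        "/srv/snp/docker/overlay2*",
        "/opt/nessus_agent/var/nessus/*"
      )
      // fix: the Oracle Cloud Agent package path was spelled "/lusr/libexec/...",
      // which never matches; the rpm install location is /usr/libexec/oracle-cloud-agent/
      and not process.executable : (
        "/opt/rumble/bin/rumble-agent*",
        "/opt/aws/inspector/bin/inspectorssmplugin",
        "/snap/oracle-cloud-agent/*",
        "/usr/libexec/oracle-cloud-agent/*"
      )
      and not process.parent.executable : (
        "/usr/bin/setup-policy-routes",
        "/usr/share/ec2-instance-connect/*",
        "/var/lib/amazon/ssm/*",
        "/etc/update-motd.d/30-banner",
        "/usr/sbin/dhclient-script",
        "/usr/local/bin/uwsgi",
        "/usr/lib/skylight/al-extras",
        "/usr/bin/cloud-init",
        "/usr/sbin/waagent",
        "/usr/bin/google_osconfig_agent",
        "/usr/bin/docker",
        "/usr/bin/containerd-shim",
        "/usr/bin/runc"
      )
      and not process.entry_leader.executable : (
        "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent",
        "/opt/Elastic/Agent/data/elastic-agent-*/elastic-agent",
        "/opt/nessus_agent/sbin/nessus-service"
      )
      // carve-out: safe /usr/bin/curl usage (suppress noisy, legitimate agent patterns).
      // These match on process.command_line, which the invoking user controls; they
      // reduce noise from known agents but are not evidence of a benign caller.
      and not (
        process.executable == "/usr/bin/curl"
        and (
          // AWS IMDSv2 token PUT that includes the ttl header
          (process.command_line : "*-X PUT*169.254.169.254/latest/api/token*" and process.command_line : "*X-aws-ec2-metadata-token-ttl-seconds*")
          or
          // Any IMDSv2 GET that includes the token header for any /latest/* path.
          // NOTE(review): this also suppresses token-authenticated requests to
          // /latest/meta-data/iam/security-credentials from /usr/bin/curl; narrow to
          // agent-specific paths if coverage of credential retrieval is required.
          process.command_line : "*-H X-aws-ec2-metadata-token:*169.254.169.254/latest/*"
          or
          // Common Amazon tooling user agent
          process.command_line : "*-A amazon-ec2-net-utils/*"
          or
          // Azure metadata legitimate header
          process.command_line : "*-H Metadata:true*169.254.169.254/metadata/*"
          or
          // Oracle IMDS legitimate header
          process.command_line : "*-H Authorization:*Oracle*169.254.169.254/opc/*"
        )
      )
  ]
  [
    // second stage: a connection attempt to the metadata address from a process
    // sharing the same host and parent entity as the first stage
    network where host.os.type == "linux"
      and event.action == "connection_attempted"
      and destination.ip == "169.254.169.254"
  ]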