security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#5163)

Browse Source 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
This commit is contained in:
Terrance DeJesus
2025-10-06 07:19:22 -04:00
committed by GitHub
parent 25880e73da
commit 1833d2e7a0
1 changed files with 128 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
+128 -55
View File
@@ -2,7 +2,7 @@
creation_date = "2024/08/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/04"
updated_date = "2025/09/29"
[rule]
author = ["Elastic"]
@@ -17,60 +17,6 @@ index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Instance Metadata Service (IMDS) API Request"
references = ["https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/"]
risk_score = 47
rule_id = "ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by host.id, process.parent.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.parent.executable != null and
(
process.name : (
"curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
"openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node"
) or
process.executable : (
"./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
"/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
) or
process.command_line: "*169.254.169.254*"
)
and not process.working_directory: (
"/opt/rapid7*",
"/opt/nessus*",
"/snap/amazon-ssm-agent*",
"/var/snap/amazon-ssm-agent/*",
"/var/log/amazon/ssm/*",
"/srv/snp/docker/overlay2*",
"/opt/nessus_agent/var/nessus/*")
and not process.executable: (
"/opt/rumble/bin/rumble-agent*",
"/opt/aws/inspector/bin/inspectorssmplugin",
"/snap/oracle-cloud-agent/*",
"/lusr/libexec/oracle-cloud-agent/*")
and not process.parent.executable: (
"/usr/bin/setup-policy-routes",
"/usr/share/ec2-instance-connect/*",
"/var/lib/amazon/ssm/*",
"/etc/update-motd.d/30-banner",
"/usr/sbin/dhclient-script",
"/usr/local/bin/uwsgi",
"/usr/lib/skylight/al-extras")
]
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip == "169.254.169.254"]
'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -105,6 +51,133 @@ The Instance Metadata Service (IMDS) API provides essential instance-specific da
- Escalate the incident to the security operations team for further investigation and to determine if additional instances or resources are affected.
- Implement network monitoring to detect and alert on any future attempts to access the IMDS API from unauthorized processes or locations.
- Review and update the instance's security configurations and apply any necessary patches or updates to mitigate vulnerabilities that could be exploited in similar attacks."""
references = [
"https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
"https://www.wiz.io/blog/imds-anomaly-hunting-zero-day",
]
risk_score = 47
rule_id = "ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
severity = "medium"
tags = [
"Domain: Endpoint",
"Domain: Cloud",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by host.id, process.parent.entity_id with maxspan=3s
[
process
where host.os.type == "linux"
and event.type == "start"
and event.action == "exec"
and process.parent.executable != null
// common tooling / suspicious names (keep broad)
and (
process.name : (
"curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
"openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node",
"bash", "sh"
)
or
// suspicious execution locations (dropped binaries / temp execution)
process.executable : (
"./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
"/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
)
or
// threat-relevant IMDS / metadata endpoints (inclusion list)
process.command_line : (
"*169.254.169.254/latest/api/token*",
"*169.254.169.254/latest/meta-data/iam/security-credentials*",
"*169.254.169.254/latest/meta-data/local-ipv4*",
"*169.254.169.254/latest/meta-data/local-hostname*",
"*169.254.169.254/latest/meta-data/public-ipv4*",
"*169.254.169.254/latest/user-data*",
"*169.254.169.254/latest/dynamic/instance-identity/document*",
"*169.254.169.254/latest/meta-data/instance-id*",
"*169.254.169.254/latest/meta-data/public-keys*",
"*computeMetadata/v1/instance/service-accounts/*/token*",
"*/metadata/identity/oauth2/token*",
"*169.254.169.254/opc/v*/instance*",
"*169.254.169.254/opc/v*/vnics*"
)
)
// global working-dir / executable / parent exclusions for known benign agents
and not process.working_directory : (
"/opt/rapid7*",
"/opt/nessus*",
"/snap/amazon-ssm-agent*",
"/var/snap/amazon-ssm-agent/*",
"/var/log/amazon/ssm/*",
"/srv/snp/docker/overlay2*",
"/opt/nessus_agent/var/nessus/*"
)
and not process.executable : (
"/opt/rumble/bin/rumble-agent*",
"/opt/aws/inspector/bin/inspectorssmplugin",
"/snap/oracle-cloud-agent/*",
"/lusr/libexec/oracle-cloud-agent/*"
)
and not process.parent.executable : (
"/usr/bin/setup-policy-routes",
"/usr/share/ec2-instance-connect/*",
"/var/lib/amazon/ssm/*",
"/etc/update-motd.d/30-banner",
"/usr/sbin/dhclient-script",
"/usr/local/bin/uwsgi",
"/usr/lib/skylight/al-extras",
"/usr/bin/cloud-init",
"/usr/sbin/waagent",
"/usr/bin/google_osconfig_agent",
"/usr/bin/docker",
"/usr/bin/containerd-shim",
"/usr/bin/runc"
)
and not process.entry_leader.executable : (
"/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent",
"/opt/Elastic/Agent/data/elastic-agent-*/elastic-agent",
"/opt/nessus_agent/sbin/nessus-service"
)
// carve-out: safe /usr/bin/curl usage (suppress noisy, legitimate agent patterns)
and not (
process.executable == "/usr/bin/curl"
and (
// AWS IMDSv2 token PUT that includes ttl header
(process.command_line : "*-X PUT*169.254.169.254/latest/api/token*" and process.command_line : "*X-aws-ec2-metadata-token-ttl-seconds*")
or
// Any IMDSv2 GET that includes token header for any /latest/* path
process.command_line : "*-H X-aws-ec2-metadata-token:*169.254.169.254/latest/*"
or
// Common amazon tooling UA
process.command_line : "*-A amazon-ec2-net-utils/*"
or
// Azure metadata legitimate header
process.command_line : "*-H Metadata:true*169.254.169.254/metadata/*"
or
// Oracle IMDS legitimate header
process.command_line : "*-H Authorization:*Oracle*169.254.169.254/opc/*"
)
)
]
[
network where host.os.type == "linux"
and event.action == "connection_attempted"
and destination.ip == "169.254.169.254"
]
'''
[[rule.threat]]