From 1833d2e7a09333342d12a4b6ff3c02c00e6f5046 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 6 Oct 2025 07:19:22 -0400
Subject: [PATCH] tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#5163)

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 ...instance_metadata_service_api_request.toml | 183 ++++++++++++------
 1 file changed, 128 insertions(+), 55 deletions(-)

diff --git a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
index 5f6686572..c58ad162a 100644
--- a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
+++ b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/09/29"

 [rule]
 author = ["Elastic"]
@@ -17,60 +17,6 @@ index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Instance Metadata Service (IMDS) API Request"
-references = ["https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/"]
-risk_score = 47
-rule_id = "ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by host.id, process.parent.entity_id with maxspan=1s
-[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
- process.parent.executable != null and
- (
- process.name : (
- "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
- "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node"
- ) or
- process.executable : (
- "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
- "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
- ) or
- process.command_line: "*169.254.169.254*"
- )
- and not process.working_directory: (
- "/opt/rapid7*",
- "/opt/nessus*",
- "/snap/amazon-ssm-agent*",
- "/var/snap/amazon-ssm-agent/*",
- "/var/log/amazon/ssm/*",
- "/srv/snp/docker/overlay2*",
- "/opt/nessus_agent/var/nessus/*")
- and not process.executable: (
- "/opt/rumble/bin/rumble-agent*",
- "/opt/aws/inspector/bin/inspectorssmplugin",
- "/snap/oracle-cloud-agent/*",
- "/lusr/libexec/oracle-cloud-agent/*")
- and not process.parent.executable: (
- "/usr/bin/setup-policy-routes",
- "/usr/share/ec2-instance-connect/*",
- "/var/lib/amazon/ssm/*",
- "/etc/update-motd.d/30-banner",
- "/usr/sbin/dhclient-script",
- "/usr/local/bin/uwsgi",
- "/usr/lib/skylight/al-extras")
-]
-[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip == "169.254.169.254"]
-'''
 note = """## Triage and analysis

 > **Disclaimer**:
@@ -105,6 +51,133 @@ The Instance Metadata Service (IMDS) API provides essential instance-specific da
 - Escalate the incident to the security operations team for further investigation and to determine if additional instances or resources are affected.
 - Implement network monitoring to detect and alert on any future attempts to access the IMDS API from unauthorized processes or locations.
 - Review and update the instance's security configurations and apply any necessary patches or updates to mitigate vulnerabilities that could be exploited in similar attacks."""
+references = [
+ "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
+ "https://www.wiz.io/blog/imds-anomaly-hunting-zero-day",
+]
+risk_score = 47
+rule_id = "ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "Domain: Cloud",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by host.id, process.parent.entity_id with maxspan=3s
+[
+ process
+ where host.os.type == "linux"
+ and event.type == "start"
+ and event.action == "exec"
+ and process.parent.executable != null
+
+ // common tooling / suspicious names (keep broad)
+ and (
+ process.name : (
+ "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
+ "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node",
+ "bash", "sh"
+ )
+ or
+ // suspicious execution locations (dropped binaries / temp execution)
+ process.executable : (
+ "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
+ "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
+ )
+ or
+ // threat-relevant IMDS / metadata endpoints (inclusion list)
+ process.command_line : (
+ "*169.254.169.254/latest/api/token*",
+ "*169.254.169.254/latest/meta-data/iam/security-credentials*",
+ "*169.254.169.254/latest/meta-data/local-ipv4*",
+ "*169.254.169.254/latest/meta-data/local-hostname*",
+ "*169.254.169.254/latest/meta-data/public-ipv4*",
+ "*169.254.169.254/latest/user-data*",
+ "*169.254.169.254/latest/dynamic/instance-identity/document*",
+ "*169.254.169.254/latest/meta-data/instance-id*",
+ "*169.254.169.254/latest/meta-data/public-keys*",
+ "*computeMetadata/v1/instance/service-accounts/*/token*",
+ "*/metadata/identity/oauth2/token*",
+ "*169.254.169.254/opc/v*/instance*",
+ "*169.254.169.254/opc/v*/vnics*"
+ )
+ )
+
+ // global working-dir / executable / parent exclusions for known benign agents
+ and not process.working_directory : (
+ "/opt/rapid7*",
+ "/opt/nessus*",
+ "/snap/amazon-ssm-agent*",
+ "/var/snap/amazon-ssm-agent/*",
+ "/var/log/amazon/ssm/*",
+ "/srv/snp/docker/overlay2*",
+ "/opt/nessus_agent/var/nessus/*"
+ )
+
+ and not process.executable : (
+ "/opt/rumble/bin/rumble-agent*",
+ "/opt/aws/inspector/bin/inspectorssmplugin",
+ "/snap/oracle-cloud-agent/*",
+ "/lusr/libexec/oracle-cloud-agent/*"
+ )
+
+ and not process.parent.executable : (
+ "/usr/bin/setup-policy-routes",
+ "/usr/share/ec2-instance-connect/*",
+ "/var/lib/amazon/ssm/*",
+ "/etc/update-motd.d/30-banner",
+ "/usr/sbin/dhclient-script",
+ "/usr/local/bin/uwsgi",
+ "/usr/lib/skylight/al-extras",
+ "/usr/bin/cloud-init",
+ "/usr/sbin/waagent",
+ "/usr/bin/google_osconfig_agent",
+ "/usr/bin/docker",
+ "/usr/bin/containerd-shim",
+ "/usr/bin/runc"
+ )
+
+ and not process.entry_leader.executable : (
+ "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent",
+ "/opt/Elastic/Agent/data/elastic-agent-*/elastic-agent",
+ "/opt/nessus_agent/sbin/nessus-service"
+ )
+
+ // carve-out: safe /usr/bin/curl usage (suppress noisy, legitimate agent patterns)
+ and not (
+ process.executable == "/usr/bin/curl"
+ and (
+ // AWS IMDSv2 token PUT that includes ttl header
+ (process.command_line : "*-X PUT*169.254.169.254/latest/api/token*" and process.command_line : "*X-aws-ec2-metadata-token-ttl-seconds*")
+ or
+ // Any IMDSv2 GET that includes token header for any /latest/* path
+ process.command_line : "*-H X-aws-ec2-metadata-token:*169.254.169.254/latest/*"
+ or
+ // Common amazon tooling UA
+ process.command_line : "*-A amazon-ec2-net-utils/*"
+ or
+ // Azure metadata legitimate header
+ process.command_line : "*-H Metadata:true*169.254.169.254/metadata/*"
+ or
+ // Oracle IMDS legitimate header
+ process.command_line : "*-H Authorization:*Oracle*169.254.169.254/opc/*"
+ )
+ )
+]
+[
+ network where host.os.type == "linux"
+ and event.action == "connection_attempted"
+ and destination.ip == "169.254.169.254"
+]
+'''

 [[rule.threat]]