[New Rule] Instance Metadata Service (IMDS) API Requests - Linux (#4005)

* new rule metadata API requests

* updated description and name

* added Ipv6

* adjusted query

* rule name fix

* changed to EQL; added discovery tactic

* removed timestamp override

* adding host.os.type

* adjusted description

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* adjusted query

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2024/08/22"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2024/08/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata
+service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as
+instance ID, public IP address, and even temporary security credentials if role's are assumed by that instance. The rule
+monitors for various tools and scripts like curl, wget, python, and perl that might be used to interact with the
+metadata API.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unusual Instance Metadata Service (IMDS) API Request"
+references = ["https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/"]
+risk_score = 47
+rule_id = "ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Tactic: Discovery",
+    "Data Source: Elastic Defend",
+]
+type = "eql"
+
+query = '''
+sequence by host.id,  process.parent.entity_id with maxspan=1s
+[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name : (
+    "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
+    "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node"
+    ) or process.executable : (
+      "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
+      "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
+    ) or
+    process.command_line: "*169.254.169.254*" and
+    not process.working_directory: (
+      "/opt/rapid7*",
+      "/opt/nessus*",
+      "/snap/amazon-ssm-agent*",
+      "/srv/snp/docker/overlay2*",
+      "/var/log/amazon/ssm*"
+    )]
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip == "169.254.169.254"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+