From be611be8b319942e3ee65de3556fb48955ae5f7a Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 5 Sep 2024 10:08:32 -0400
Subject: [PATCH] [New Rule] Instance Metadata Service (IMDS) API Requests - Linux (#4005)

* new rule metadata API requests
* updated description and name
* added Ipv6
* adjusted query
* rule name fix
* changed to EQL; added discovery tactic
* removed timestamp override
* adding host.os.type
* adjusted description
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* adjusted query

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 ...instance_metadata_service_api_request.toml | 85 +++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

diff --git a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
new file mode 100644
index 000000000..e62e5b82a
--- /dev/null
+++ b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2024/08/22"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2024/08/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata
+service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as
+instance ID, public IP address, and even temporary security credentials if role's are assumed by that instance. The rule
+monitors for various tools and scripts like curl, wget, python, and perl that might be used to interact with the
+metadata API.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unusual Instance Metadata Service (IMDS) API Request"
+references = ["https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/"]
+risk_score = 47
+rule_id = "ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+]
+type = "eql"
+
+query = '''
+sequence by host.id, process.parent.entity_id with maxspan=1s
+[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name : (
+ "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
+ "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node"
+ ) or process.executable : (
+ "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
+ "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
+ ) or
+ process.command_line: "*169.254.169.254*" and
+ not process.working_directory: (
+ "/opt/rapid7*",
+ "/opt/nessus*",
+ "/snap/amazon-ssm-agent*",
+ "/srv/snp/docker/overlay2*",
+ "/var/log/amazon/ssm*"
+ )]
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip == "169.254.169.254"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
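Review bot: The `not process.working_directory` exclusion in the first sequence step only narrows the `process.command_line: "*169.254.169.254*"` alternative, because `and` binds tighter than `or`, so processes matched via `process.name` or `process.executable` are never exempted and the scanner and SSM-agent directories listed there will still alert. If the exclusion is meant to apply to all three alternatives, group them: `... and event.action == "exec" and (process.name : (` at the top and `process.command_line: "*169.254.169.254*") and` before `not process.working_directory`. The commit bullets say IPv6 was added, yet the final query matches only the IPv4 link-local address in both the command-line and `destination.ip` checks; if IPv6 coverage is still intended, the IMDS IPv6 endpoint (`fd00:ec2::254`) would need to appear in both places, and if it was dropped on purpose a short comment above `query` should say why. Minor wording in the description: `role's are assumed` should read `roles are assumed`.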