security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#4169)

Browse Source 
* tuning 'Unusual Instance Metadata Service (IMDS) API Request'

* added missing bracket

* linted

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

* removed intelephense whitelisting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
This commit is contained in:
Terrance DeJesus
2024-10-18 11:50:57 -04:00
committed by GitHub
parent 42f6c8f9a5
commit d0225c37df
1 changed files with 24 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
+24 -13
View File
@@ -2,16 +2,15 @@
creation_date = "2024/08/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/28"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
description = """
This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata
service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as
instance ID, public IP address, and even temporary security credentials if role's are assumed by that instance. The rule
monitors for various tools and scripts like curl, wget, python, and perl that might be used to interact with the
metadata API.
service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID,
public IP address, and even temporary security credentials if role's are assumed by that instance. The rule monitors for
various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -42,14 +41,26 @@ sequence by host.id, process.parent.entity_id with maxspan=1s
"/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
) or
process.command_line: "*169.254.169.254*" and
not process.working_directory: (
"/opt/rapid7*",
"/opt/nessus*",
"/snap/amazon-ssm-agent*",
"/srv/snp/docker/overlay2*",
"/var/log/amazon/ssm*"
)]
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip == "169.254.169.254"]
not (process.working_directory: (
"/opt/rapid7*",
"/opt/nessus*",
"/snap/amazon-ssm-agent*",
"/var/snap/amazon-ssm-agent/*",
"/var/log/amazon/ssm/*",
"/srv/snp/docker/overlay2*",
"/opt/nessus_agent/var/nessus/*") or
process.executable: (
"/opt/rumble/bin/rumble-agent*",
"/opt/aws/inspector/bin/inspectorssmplugin") or
process.parent.executable: (
"/usr/bin/setup-policy-routes",
"/usr/share/ec2-instance-connect/*",
"/var/lib/amazon/ssm/*")
)
]
[network where host.os.type == "linux"
and event.action == "connection_attempted"
and destination.ip == "169.254.169.254"]
'''