Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Tactic: Credential Access

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Events covered

3 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 14 rules under this technique: which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (27 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
data_stream.dataset | 5 | eq 5 | aws.cloudtrail, azure.activitylogs
EventType | 4 | eq 2, in 1, wildcard 1 | ConsoleLogin, DescribeInstanceAttribute, GetPasswordData, GetSigninToken, Process Create*
event.outcome | 4 | eq 2, in 2 | success, Success
Image | 3 | wildcard 3, starts_with 1 | /.*, /boot/*, ./, ./*, /boot/
Provider_Name | 3 | eq 3 | ec2.amazonaws.com, signin.amazonaws.com
process_name | 3 | starts_with 2, eq 1, in 1, wildcard 1 | bash, ., .*, apache*, bun
DestinationPort | 2 | eq 2 | 80
aws::userIdentity.type | 2 | eq 2 | AssumedRole
azure.activitylogs.operation_name | 2 | eq 2 | MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE, MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION
dest_ip | 2 | eq 2 | 169.254.169.254
host.os.type | 2 | in 2 | (none listed)
Esql.executed_command | 1 | is_not_null 1, regex_match 1 | .*(169\.254\.169\.254|2852039166|0xa9fea9fe|/latest/api/t...
aws.cloudtrail.flattened.request_parameters.attribute | 1 | eq 1 | userData
aws::errorCode | 1 | eq 1 | Client.UnauthorizedOperation
aws::userAgent | 1 | wildcard 1 | *WindowsPowerShell*, *aiohttp*, *azurehound*

Top indicator values (214 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
Image | wildcard | /home/*/* | 3 | 5
Image | wildcard | /.* | 2 | 2
Image | wildcard | /boot/* | 2 | 6
Image | wildcard | /dev/shm/* | 2 | 8
Image | wildcard | /run/* | 2 | 6
Image | wildcard | /tmp/* | 2 | 9
Image | wildcard | /var/run/* | 2 | 4
Image | wildcard | /var/tmp/* | 2 | 9
Image | wildcard | ?:\programdata\* | 2 | 3
Image | wildcard | c:\users\* | 2 | 2
data_stream.dataset | eq | aws.cloudtrail | 3 | 141
data_stream.dataset | eq | azure.activitylogs | 2 | 34
DestinationPort | eq | 80 | 2 | 10
Provider_Name | eq | ec2.amazonaws.com | 2 | 19
aws::userIdentity.type | eq | AssumedRole | 2 | 12
dest_ip | eq | 169.254.169.254 | 2 | 3
event.outcome | eq | success | 2 | 251
event.outcome | in | Success | 2 | 37
event.outcome | in | success | 2 | 38
process_name | starts_with | . | 2 | 18
process_name | starts_with | lua | 2 | 15
process_name | starts_with | perl | 2 | 20
process_name | starts_with | php | 2 | 14
process_name | starts_with | python | 2 | 31
process_name | starts_with | ruby | 2 | 21
Esql.executed_command | regex_match | .*(169\.254\.169\.254|2852039166|0xa9fea9fe|/latest/api/token|/latest/meta-da... | 1 | 
EventType | eq | DescribeInstanceAttribute | 1 | 
EventType | eq | GetPasswordData | 1 | 
EventType | in | ConsoleLogin | 1 | 
EventType | in | GetSigninToken | 1 | 

Exclusions (13 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
Image | wildcard | /vscode/vscode-server/bin/linux-x64/*/node | 1
aws::userIdentity.invokedBy | in | AWS Internal | 1
aws::userIdentity.invokedBy | in | aidevops.amazonaws.com | 1
aws::userIdentity.invokedBy | in | aiops.amazonaws.com | 1
aws::userIdentity.invokedBy | in | cloudformation.amazonaws.com | 1
aws::userIdentity.invokedBy | in | elasticmapreduce.amazonaws.com | 1
process.code_signature.signing_id | eq | com.github.Electron.helper | 1
process.code_signature.signing_id | in | com.github.Electron.helper | 1
process.code_signature.signing_id | in | com.microsoft.VSCode.helper | 1
process.code_signature.trusted | eq | true | 1
process_name | eq | code helper (plugin) | 1
process_name | eq | cursor helper (plugin) | 1
process_name | eq | node | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.


Elastic: 13 rules

Splunk: 1 rule