detection.wiki

Detection rules › Elastic

Cloud Instance Metadata Credential Path HTTP Request

Status
production
Severity
medium
Time window
9m
Author
Elastic
Source
github.com/elastic/detection-rules

Detects HTTP GET requests to the link-local instance metadata service (169.254.169.254) for cloud credential or token paths on AWS, GCP, or Azure. Adversaries and vulnerable workloads use scripts, shells, or application runtimes to read IAM role credentials or OAuth tokens from the metadata API. Requires the Network Packet Capture integration with HTTP decoding on ports 80 and 443 and process enrichment enabled so "process.*" fields are present.

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1552.005 Unsecured Credentials: Cloud Instance Metadata API

Rule body elastic

[metadata]
creation_date = "2026/05/23"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2026/05/23"

[rule]
author = ["Elastic"]
description = """
Detects HTTP GET requests to the link-local instance metadata service (169.254.169.254) for cloud credential or token
paths on AWS, GCP, or Azure. Adversaries and vulnerable workloads use scripts, shells, or application runtimes to read
IAM role credentials or OAuth tokens from the metadata API. Requires the Network Packet Capture integration with HTTP
decoding on ports 80 and 443 and process enrichment enabled so "process.*" fields are present.
"""
false_positives = [
    """
    Cloud agents (SSM, waagent, cloud-init, instance connect) and authorized scanners may reach the same paths during
    provisioning or health checks. Exclude known agent user agents, source hosts, or parent processes after baselining.
    """,
]
from = "now-9m"
index = ["logs-network_traffic.http*", "packetbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Cloud Instance Metadata Credential Path HTTP Request"
note = """## Triage and analysis

### Investigating Cloud Instance Metadata Credential Path HTTP Request

This rule matches outbound HTTP GETs to `169.254.169.254` where the URL path requests IAM credentials or cloud OAuth
tokens, filtered to common scripting runtimes, suspicious executable paths, or tool-like user agents.

### Investigation steps

- Confirm `url.path` (AWS `security-credentials`, GCP `oauth2/access_token`, Azure `metadata/identity/oauth2/token`).
- Review `process.name`, `process.executable`, and `user_agent.original` — scripted tools and temp-path binaries are higher risk.
- Check `host.name` or `host.hostname` and whether the workload should run on a cloud VM with an instance profile or managed identity.
- Correlate with cloud audit or sign-in logs for role assumption or token use shortly after the request.
- If credentials may have been exposed, rotate the instance role or managed identity and review API activity from that principal.

### False positives

- Platform agents and bootstrap scripts on new instances; allowlist by user agent or host group where validated.

### Response

- Restrict IMDS access (IMDSv2 hop limit, network policy) and remove unnecessary instance permissions.
- Investigate the host for follow-on credential use or lateral movement.

## Setup

Deploy the [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic) integration via Fleet on cloud workloads.

- Enable **Capture HTTP Traffic** and include ports **80** and **443**.
- Enable **Monitor Processes** so network events include the process that initiated the connection.
- Prefer ECS field remapping (`map_to_ecs`) on integration data streams.
"""
references = [
    "https://www.elastic.co/docs/reference/integrations/network_traffic",
    "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/"
]
risk_score = 47
rule_id = "73dd1f2c-3c24-4e13-a64b-dfd510e9fd98"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Network",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Network Packet Capture",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
network where event.module == "network_traffic" and destination.ip == "169.254.169.254" and destination.port == 80 and
http.request.method == "GET" and url.path : (
  "/latest/meta-data/iam/security-credentials/*",
  "*computeMetadata/v1/instance/service-accounts/*/oauth2/access_token*",
  "*metadata/identity/oauth2/token*"
) and (
  ?process.name : (
    "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "dash", "sh", "tcsh", "tclsh", "wish",
    "csh", "zsh", "ksh", "fish", "mksh", "busybox",
    "bun.exe", "node.exe", "powershell.exe", "cmd.exe", "curl.exe", "wget.exe", "rundll32.exe", "w3wp.exe", "java*", 
    "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", "spring*", "dotnet", "gunicorn", "uwsgi", 
    ".*", "osascript"
  ) or ?process.executable : (
    "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/run/*", "/boot/*", "/.*", "C:\\Users\\*", "?:\\ProgramData\\*"
  ) or user_agent.original : (
    "curl*", "wget*", "python*", "ruby*", "Go-http-client*", "node*", "axios*", "undici*", "java*", "php*", "Bun*",
    "Apache-HttpClient*", "okhttp*", "RestTemplate*", "*WindowsPowerShell*", "*roadtools*", "*fasthttp*", "*azurehound*", "*bloodhound*", "*aiohttp*"
  )
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.005"
name = "Cloud Instance Metadata API"
reference = "https://attack.mitre.org/techniques/T1552/005/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

Stages and Predicates

Stage 1: network

network where event.module == "network_traffic" and destination.ip == "169.254.169.254" and destination.port == 80 and
http.request.method == "GET" and url.path : (
  "/latest/meta-data/iam/security-credentials/*",
  "*computeMetadata/v1/instance/service-accounts/*/oauth2/access_token*",
  "*metadata/identity/oauth2/token*"
) and (
  ?process.name : (
    "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "dash", "sh", "tcsh", "tclsh", "wish",
    "csh", "zsh", "ksh", "fish", "mksh", "busybox",
    "bun.exe", "node.exe", "powershell.exe", "cmd.exe", "curl.exe", "wget.exe", "rundll32.exe", "w3wp.exe", "java*", 
    "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", "spring*", "dotnet", "gunicorn", "uwsgi", 
    ".*", "osascript"
  ) or ?process.executable : (
    "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/run/*", "/boot/*", "/.*", "C:\\Users\\*", "?:\\ProgramData\\*"
  ) or user_agent.original : (
    "curl*", "wget*", "python*", "ruby*", "Go-http-client*", "node*", "axios*", "undici*", "java*", "php*", "Bun*",
    "Apache-HttpClient*", "okhttp*", "RestTemplate*", "*WindowsPowerShell*", "*roadtools*", "*fasthttp*", "*azurehound*", "*bloodhound*", "*aiohttp*"
  )
)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
destination.ipeq
  • 169.254.169.254 corpus 3 (elastic 2, kusto 1)
destination.porteq
  • 80 corpus 10 (sigma 6, elastic 2, kusto 2)
event.moduleeq
  • network_traffic
http.request.methodeq
  • GET corpus 6 (elastic 6)
process.executablewildcard
  • /.*
  • /boot/* corpus 10 (elastic 10)
  • /dev/shm/* corpus 23 (elastic 22, sigma 1)
  • /home/*/* corpus 5 (elastic 5)
  • /run/* corpus 8 (elastic 8)
  • /tmp/* corpus 25 (elastic 23, sigma 2)
  • /var/run/* corpus 11 (elastic 11)
  • /var/tmp/* corpus 24 (elastic 23, sigma 1)
  • ?:\ProgramData\*
  • C:\Users\*
process.namewildcard
  • .* corpus 18 (elastic 18)
  • apache*
  • bash corpus 7 (elastic 7)
  • bun corpus 2 (elastic 2)
  • bun.exe
  • busybox corpus 8 (elastic 8)
  • catalina
  • cmd.exe corpus 77 (elastic 48, splunk 29)
  • csh corpus 5 (elastic 5)
  • curl corpus 18 (elastic 13, splunk 5)
  • curl.exe corpus 15 (elastic 12, splunk 3)
  • dash corpus 7 (elastic 7)
  • dotnet
  • fish corpus 5 (elastic 5)
  • go
  • gunicorn
  • httpd
  • java*
  • ksh corpus 6 (elastic 6)
  • mksh
  • nc corpus 4 (elastic 4)
  • netcat corpus 4 (elastic 4)
  • nginx
  • node corpus 9 (elastic 9)
  • node.exe corpus 3 (elastic 3)
  • osascript corpus 10 (elastic 10)
  • perl corpus 2 (elastic 2)
  • php* corpus 14 (elastic 14)
  • powershell.exe corpus 104 (elastic 60, splunk 44)
  • python* corpus 31 (elastic 31)
  • ruby
  • rundll32.exe corpus 60 (elastic 34, splunk 26)
  • sh corpus 8 (elastic 7, splunk 1)
  • spring*
  • tclsh
  • tcsh corpus 6 (elastic 6)
  • tomcat*
  • uwsgi
  • w3wp.exe
  • wget corpus 12 (elastic 11, splunk 1)
  • wget.exe corpus 5 (elastic 5)
  • wish
  • zsh corpus 7 (elastic 7)
url.pathwildcard
  • *computeMetadata/v1/instance/service-accounts/*/oauth2/access_token*
  • *metadata/identity/oauth2/token*
  • /latest/meta-data/iam/security-credentials/*
user_agent.originalwildcard
  • *WindowsPowerShell*
  • *aiohttp*
  • *azurehound*
  • *bloodhound*
  • *fasthttp*
  • *roadtools*
  • Apache-HttpClient*
  • Bun*
  • Go-http-client*
  • RestTemplate*
  • axios* corpus 2 (elastic 2)
  • curl*
  • java*
  • node*
  • okhttp*
  • php*
  • python*
  • ruby*
  • undici*
  • wget*