Suspicious Instance Metadata Service (IMDS) API Request

Status: production
Severity: medium
Time window: 9m
Group by: host.id, process.executable
Author: Elastic
Source: github.com/elastic/detection-rules

This rule identifies various tools/scripts performing network activities attempting to access the cloud service provider's instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID, public IP address, and even temporary security credentials if roles are assumed by that instance.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1552.005` Unsecured Credentials: Cloud Instance Metadata API
Discovery	`T1016` System Network Configuration Discovery, `T1082` System Information Discovery, `T1580` Cloud Infrastructure Discovery

Event coverage

Provider	Event	Title
Sysmon	Event ID 3	Network connection

Rule body elastic

[metadata]
creation_date = "2026/05/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/05/22"

[rule]
author = ["Elastic"]
description = """
This rule identifies various tools/scripts performing network activities attempting to access the cloud service provider's
instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such
as instance ID, public IP address, and even temporary security credentials if roles are assumed by that instance.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Instance Metadata Service (IMDS) API Request"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Instance Metadata Service (IMDS) API Request

This alert flags command interpreters, scripting engines, or unusual binaries on a host trying to contact the local instance metadata service, a high-value source of instance details and temporary cloud credentials. A common attacker pattern is gaining code execution on a Linux or Windows VM, then using curl, PowerShell, or a script dropped in a temporary directory to query 169.254.169.254 and harvest the attached role credentials for follow-on cloud access.

### Possible investigation steps

- Review the full execution chain and any referenced script or binary contents to determine whether the metadata request came from approved bootstrap or agent activity versus an interactive shell, web application process, scheduled job, or recently dropped file.
- Identify the initiating account, session context, and trigger for the execution to separate expected automation from hands-on-keyboard behavior, especially if it followed a remote login, privilege escalation, or exploitation event.
- Correlate the host and timeframe with cloud control-plane telemetry to confirm whether instance role credentials or managed identity tokens were later used against storage, secrets, IAM, subscription, or other sensitive APIs.
- Examine nearby endpoint activity for follow-on collection and staging behavior such as writing token output to disk, exporting environment data, invoking cloud CLIs or SDKs, compressing files, or making outbound connections to unfamiliar destinations.
- Validate with the asset owner whether the workload legitimately requires IMDS access, and if the activity is unexplained, contain the host and rotate any exposed instance profile or managed identity credentials.

### False positive analysis

- A legitimate bootstrap, login, or scheduled administration script may use curl, PowerShell, or Python to query 169.254.169.254 for instance ID, public IP, or temporary role credentials during normal configuration, so verify the command line, parent process, and execution timing match expected startup or maintenance activity from an approved path.
- An approved in-house application or service may call IMDS through a shell or runtime such as java, node, or python to obtain instance-specific settings or cloud authentication at runtime, so confirm the binary or script is expected on that host and that the requests align with normal service startup behavior rather than a new interactive session or a temporary-directory executable.

### Response and remediation

- Isolate the affected instance or host from the network or move it to a containment security group, terminate active remote sessions, and preserve volatile evidence such as the running process tree, shell history, temporary scripts, and recent command output tied to the 169.254.169.254 request.
- Revoke or rotate any cloud role credentials, API keys, tokens, and application secrets that may have been exposed through IMDS, and detach or replace the instance profile or managed identity if it granted access beyond the workload’s normal needs.
- Remove the attacker’s foothold by deleting the script or binary that queried IMDS and eradicating associated persistence such as cron jobs, systemd services, rc.local changes, scheduled tasks, Run keys, WMI event subscriptions, launch agents, or modified shell startup files.
- Restore the system from a known-good image or snapshot when integrity is in doubt, validate that no unauthorized users, SSH keys, services, or startup items remain, and reset credentials for any local, domain, or service accounts used on the host.
- Escalate to incident response and cloud security immediately if IMDS returned temporary role credentials, if that role was used from unfamiliar IP addresses or regions, or if similar metadata queries are observed on multiple hosts, and expand scoping to all resources reachable by the compromised role.
- Harden the environment by enforcing IMDSv2 or the cloud provider’s strongest metadata protections, disabling metadata access where unnecessary, blocking local access to 169.254.169.254 for unapproved processes, reducing instance-role privileges, and preventing script execution from temporary or user-writable directories.
"""
references = [
    "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
    "https://www.wiz.io/blog/imds-anomaly-hunting-zero-day",
]
risk_score = 47
rule_id = "ad02da2f-443d-454c-a12e-d9e6c65831ff"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "Domain: Cloud",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:"network" and host.os.type:("windows" or "macos" or "linux") and
 (destination.ip:"169.254.169.254" or destination.address :"169.254.169.254") and destination.port:"80" and (
  process.name:(
    "bash" or "dash" or "sh" or "tcsh" or "tclsh" or "wish" or "csh" or "zsh" or "ksh" or "fish" or
    "mksh" or "busybox" or "ld.so" or "ld-linux-x86-64.so.2" or "bun" or "bun.exe" or "node" or "node.exe" or
    "nodejs" or "deno" or "deno.exe" or "java" or "java.exe" or "env" or "timeout" or "setsid" or "flock" or
    "curl" or "curl.exe" or "wget" or "wget.exe" or "powershell.exe" or "cmd.exe" or "pwsh.exe" or
    "wscript.exe" or  "cscript.exe" or "regsvr32.exe" or "mshta.exe" or "rundll32.exe" or "vbc.exe" or
    "msbuild.exe" or "wmic.exe" or "cmstp.exe" or "RegAsm.exe" or "installutil.exe" or "RegSvcs.exe" or
    "msxsl.exe" or "xwizard.exe" or "csc.exe" or "pwsh" or python* or perl* or ruby* or lua* or php* or
    "terminal" or "osascript" or "nohup" or .* or "javaw" or "javaw.exe"
  ) or
  process.executable:(
    ./* or /boot/* or /dev/shm/* or /run/* or /var/run/* or /tmp/* or /var/tmp/* or /var/www/* or
    /home/*/* or /root/* or /private/var/tmp/* or /var/folders/* or /Users/Shared/* or /var/root/*
  )
) and
not (
  (
    host.os.type:"macos" and
    process.name:"node"
  ) or
  (
    process.name:"Cursor Helper (Plugin)" and
    process.code_signature.trusted:true and
    process.code_signature.signing_id:"com.github.Electron.helper"
  ) or
  (
    process.name:"Code Helper (Plugin)" and
    process.code_signature.trusted:true and
    process.code_signature.signing_id:("com.microsoft.VSCode.helper" or "com.github.Electron.helper")
  ) or
  process.executable:/vscode/vscode-server/bin/linux-x64/*/node
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.005"
name = "Cloud Instance Metadata API"
reference = "https://attack.mitre.org/techniques/T1552/005/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"

[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"

[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

Stages and Predicates

Stage 1: `new_terms`

event.category:"network" and host.os.type:("windows" or "macos" or "linux") and
 (destination.ip:"169.254.169.254" or destination.address :"169.254.169.254") and destination.port:"80" and (
  process.name:(
    "bash" or "dash" or "sh" or "tcsh" or "tclsh" or "wish" or "csh" or "zsh" or "ksh" or "fish" or
    "mksh" or "busybox" or "ld.so" or "ld-linux-x86-64.so.2" or "bun" or "bun.exe" or "node" or "node.exe" or
    "nodejs" or "deno" or "deno.exe" or "java" or "java.exe" or "env" or "timeout" or "setsid" or "flock" or
    "curl" or "curl.exe" or "wget" or "wget.exe" or "powershell.exe" or "cmd.exe" or "pwsh.exe" or
    "wscript.exe" or  "cscript.exe" or "regsvr32.exe" or "mshta.exe" or "rundll32.exe" or "vbc.exe" or
    "msbuild.exe" or "wmic.exe" or "cmstp.exe" or "RegAsm.exe" or "installutil.exe" or "RegSvcs.exe" or
    "msxsl.exe" or "xwizard.exe" or "csc.exe" or "pwsh" or python* or perl* or ruby* or lua* or php* or
    "terminal" or "osascript" or "nohup" or .* or "javaw" or "javaw.exe"
  ) or
  process.executable:(
    ./* or /boot/* or /dev/shm/* or /run/* or /var/run/* or /tmp/* or /var/tmp/* or /var/www/* or
    /home/*/* or /root/* or /private/var/tmp/* or /var/folders/* or /Users/Shared/* or /var/root/*
  )
) and
not (
  (
    host.os.type:"macos" and
    process.name:"node"
  ) or
  (
    process.name:"Cursor Helper (Plugin)" and
    process.code_signature.trusted:true and
    process.code_signature.signing_id:"com.github.Electron.helper"
  ) or
  (
    process.name:"Code Helper (Plugin)" and
    process.code_signature.trusted:true and
    process.code_signature.signing_id:("com.microsoft.VSCode.helper" or "com.github.Electron.helper")
  ) or
  process.executable:/vscode/vscode-server/bin/linux-x64/*/node
)

New terms: host.id, process.executable
History since: now-7d

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`process.name`	eq	`node`
`process.code_signature.signing_id`	eq	`com.github.Electron.helper`
`process.code_signature.trusted`	eq	`true`
`process.name`	eq	`Cursor Helper (Plugin)`
`process.code_signature.signing_id`	in	`com.github.Electron.helper`, `com.microsoft.VSCode.helper`
`process.code_signature.trusted`	eq	`true`
`process.name`	eq	`Code Helper (Plugin)`
`process.executable`	wildcard	`/vscode/vscode-server/bin/linux-x64/*/node`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`destination.address`	eq	`169.254.169.254`
`destination.ip`	eq	`169.254.169.254` corpus 3 (elastic 2, kusto 1)
`destination.port`	eq	`80` corpus 10 (sigma 6, elastic 2, kusto 2)
`event.category`	eq	`network` corpus 12 (elastic 12)
`process.executable`	wildcard	`./` corpus 10 (elastic 10) `/Users/Shared/` corpus 4 (elastic 3, sigma 1) `/boot/` corpus 10 (elastic 10) `/dev/shm/` corpus 23 (elastic 22, sigma 1) `/home//` corpus 5 (elastic 5) `/private/var/tmp/` corpus 2 (elastic 2) `/root/` corpus 2 (elastic 2) `/run/` corpus 8 (elastic 8) `/tmp/` corpus 25 (elastic 23, sigma 2) `/var/folders/` corpus 2 (elastic 2) `/var/root/` corpus 2 (elastic 2) `/var/run/` corpus 11 (elastic 11) `/var/tmp/` corpus 24 (elastic 23, sigma 1) `/var/www/*` corpus 5 (elastic 5)
`process.name`	eq	`RegAsm.exe` corpus 11 (elastic 9, splunk 2) `RegSvcs.exe` corpus 10 (elastic 8, splunk 2) `bash` corpus 7 (elastic 7) `bun` corpus 2 (elastic 2) `bun.exe` `busybox` corpus 8 (elastic 8) `cmd.exe` corpus 77 (elastic 48, splunk 29) `cmstp.exe` corpus 10 (elastic 10) `csc.exe` corpus 4 (elastic 3, splunk 1) `cscript.exe` corpus 25 (elastic 23, splunk 2) `csh` corpus 5 (elastic 5) `curl` corpus 18 (elastic 13, splunk 5) `curl.exe` corpus 15 (elastic 12, splunk 3) `dash` corpus 7 (elastic 7) `deno` `deno.exe` corpus 2 (elastic 2) `env` corpus 2 (elastic 2) `fish` corpus 5 (elastic 5) `flock` `installutil.exe` corpus 18 (elastic 13, splunk 5) `java` corpus 3 (elastic 3) `java.exe` corpus 2 (elastic 1, splunk 1) `javaw` `javaw.exe` `ksh` corpus 6 (elastic 6) `ld-linux-x86-64.so.2` `ld.so` `mksh` `msbuild.exe` corpus 16 (elastic 13, splunk 3) `mshta.exe` corpus 31 (elastic 26, splunk 5) `msxsl.exe` corpus 9 (elastic 8, splunk 1) `node` corpus 9 (elastic 9) `node.exe` corpus 3 (elastic 3) `nodejs` `nohup` `osascript` corpus 10 (elastic 10) `powershell.exe` corpus 104 (elastic 60, splunk 44) `pwsh` `pwsh.exe` corpus 62 (elastic 33, splunk 29) `regsvr32.exe` corpus 25 (elastic 19, splunk 6) `rundll32.exe` corpus 60 (elastic 34, splunk 26) `setsid` `sh` corpus 8 (elastic 7, splunk 1) `tclsh` `tcsh` corpus 6 (elastic 6) `terminal` `timeout` `vbc.exe` corpus 3 (elastic 2, splunk 1) `wget` corpus 12 (elastic 11, splunk 1) `wget.exe` corpus 5 (elastic 5) `wish` `wmic.exe` corpus 47 (splunk 27, elastic 20) `wscript.exe` corpus 29 (elastic 28, splunk 1) `xwizard.exe` corpus 9 (elastic 9) `zsh` corpus 7 (elastic 7)
`process.name`	wildcard	`.` corpus 18 (elastic 18) `lua` corpus 15 (elastic 15) `perl` corpus 20 (elastic 20) `php` corpus 14 (elastic 14) `python` corpus 31 (elastic 31) `ruby` corpus 21 (elastic 21)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Suspicious Instance Metadata Service (IMDS) API Request

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: `new_terms`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Suspicious Instance Metadata Service (IMDS) API Request

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: new_terms

Exclusions

Indicators

Stage 1: `new_terms`