22creation_date = " 2024/08/22"
33integration = [" endpoint" ]
44maturity = " production"
5- updated_date = " 2025/02/04 "
5+ updated_date = " 2025/09/29 "
66
77[rule ]
88author = [" Elastic" ]
@@ -17,60 +17,6 @@ index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
1717language = " eql"
1818license = " Elastic License v2"
1919name = " Unusual Instance Metadata Service (IMDS) API Request"
20- references = [" https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/" ]
21- risk_score = 47
22- rule_id = " ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
23- severity = " medium"
24- tags = [
25- " Domain: Endpoint" ,
26- " OS: Linux" ,
27- " Use Case: Threat Detection" ,
28- " Tactic: Credential Access" ,
29- " Tactic: Discovery" ,
30- " Data Source: Elastic Defend" ,
31- " Resources: Investigation Guide" ,
32- ]
33- type = " eql"
34-
35- query = '''
36- sequence by host.id, process.parent.entity_id with maxspan=1s
37- [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
38- process.parent.executable != null and
39- (
40- process.name : (
41- "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
42- "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node"
43- ) or
44- process.executable : (
45- "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
46- "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
47- ) or
48- process.command_line: "*169.254.169.254*"
49- )
50- and not process.working_directory: (
51- "/opt/rapid7*",
52- "/opt/nessus*",
53- "/snap/amazon-ssm-agent*",
54- "/var/snap/amazon-ssm-agent/*",
55- "/var/log/amazon/ssm/*",
56- "/srv/snp/docker/overlay2*",
57- "/opt/nessus_agent/var/nessus/*")
58- and not process.executable: (
59- "/opt/rumble/bin/rumble-agent*",
60- "/opt/aws/inspector/bin/inspectorssmplugin",
61- "/snap/oracle-cloud-agent/*",
62- "/lusr/libexec/oracle-cloud-agent/*")
63- and not process.parent.executable: (
64- "/usr/bin/setup-policy-routes",
65- "/usr/share/ec2-instance-connect/*",
66- "/var/lib/amazon/ssm/*",
67- "/etc/update-motd.d/30-banner",
68- "/usr/sbin/dhclient-script",
69- "/usr/local/bin/uwsgi",
70- "/usr/lib/skylight/al-extras")
71- ]
72- [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip == "169.254.169.254"]
73- '''
7420note = """ ## Triage and analysis
7521
7622> **Disclaimer**:
@@ -105,6 +51,133 @@ The Instance Metadata Service (IMDS) API provides essential instance-specific da
10551- Escalate the incident to the security operations team for further investigation and to determine if additional instances or resources are affected.
10652- Implement network monitoring to detect and alert on any future attempts to access the IMDS API from unauthorized processes or locations.
10753- Review and update the instance's security configurations and apply any necessary patches or updates to mitigate vulnerabilities that could be exploited in similar attacks."""
54+ references = [
55+ " https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/" ,
56+ " https://www.wiz.io/blog/imds-anomaly-hunting-zero-day" ,
57+ ]
58+ risk_score = 47
59+ rule_id = " ecc0cd54-608e-11ef-ab6d-f661ea17fbce"
60+ severity = " medium"
61+ tags = [
62+ " Domain: Endpoint" ,
63+ " Domain: Cloud" ,
64+ " OS: Linux" ,
65+ " Use Case: Threat Detection" ,
66+ " Tactic: Credential Access" ,
67+ " Tactic: Discovery" ,
68+ " Data Source: Elastic Defend" ,
69+ " Resources: Investigation Guide" ,
70+ ]
71+ type = " eql"
72+
73+ query = '''
74+ sequence by host.id, process.parent.entity_id with maxspan=3s
75+ [
76+ process
77+ where host.os.type == "linux"
78+ and event.type == "start"
79+ and event.action == "exec"
80+ and process.parent.executable != null
81+
82+ // common tooling / suspicious names (keep broad)
83+ and (
84+ process.name : (
85+ "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
86+ "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node",
87+ "bash", "sh"
88+ )
89+ or
90+ // suspicious execution locations (dropped binaries / temp execution)
91+ process.executable : (
92+ "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
93+ "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
94+ )
95+ or
96+ // threat-relevant IMDS / metadata endpoints (inclusion list)
97+ process.command_line : (
98+ "*169.254.169.254/latest/api/token*",
99+ "*169.254.169.254/latest/meta-data/iam/security-credentials*",
100+ "*169.254.169.254/latest/meta-data/local-ipv4*",
101+ "*169.254.169.254/latest/meta-data/local-hostname*",
102+ "*169.254.169.254/latest/meta-data/public-ipv4*",
103+ "*169.254.169.254/latest/user-data*",
104+ "*169.254.169.254/latest/dynamic/instance-identity/document*",
105+ "*169.254.169.254/latest/meta-data/instance-id*",
106+ "*169.254.169.254/latest/meta-data/public-keys*",
107+ "*computeMetadata/v1/instance/service-accounts/*/token*",
108+ "*/metadata/identity/oauth2/token*",
109+ "*169.254.169.254/opc/v*/instance*",
110+ "*169.254.169.254/opc/v*/vnics*"
111+ )
112+ )
113+
114+ // global working-dir / executable / parent exclusions for known benign agents
115+ and not process.working_directory : (
116+ "/opt/rapid7*",
117+ "/opt/nessus*",
118+ "/snap/amazon-ssm-agent*",
119+ "/var/snap/amazon-ssm-agent/*",
120+ "/var/log/amazon/ssm/*",
121+ "/srv/snp/docker/overlay2*",
122+ "/opt/nessus_agent/var/nessus/*"
123+ )
124+
125+ and not process.executable : (
126+ "/opt/rumble/bin/rumble-agent*",
127+ "/opt/aws/inspector/bin/inspectorssmplugin",
128+ "/snap/oracle-cloud-agent/*",
129+ "/lusr/libexec/oracle-cloud-agent/*"
130+ )
131+
132+ and not process.parent.executable : (
133+ "/usr/bin/setup-policy-routes",
134+ "/usr/share/ec2-instance-connect/*",
135+ "/var/lib/amazon/ssm/*",
136+ "/etc/update-motd.d/30-banner",
137+ "/usr/sbin/dhclient-script",
138+ "/usr/local/bin/uwsgi",
139+ "/usr/lib/skylight/al-extras",
140+ "/usr/bin/cloud-init",
141+ "/usr/sbin/waagent",
142+ "/usr/bin/google_osconfig_agent",
143+ "/usr/bin/docker",
144+ "/usr/bin/containerd-shim",
145+ "/usr/bin/runc"
146+ )
147+
148+ and not process.entry_leader.executable : (
149+ "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent",
150+ "/opt/Elastic/Agent/data/elastic-agent-*/elastic-agent",
151+ "/opt/nessus_agent/sbin/nessus-service"
152+ )
153+
154+ // carve-out: safe /usr/bin/curl usage (suppress noisy, legitimate agent patterns)
155+ and not (
156+ process.executable == "/usr/bin/curl"
157+ and (
158+ // AWS IMDSv2 token PUT that includes ttl header
159+ (process.command_line : "*-X PUT*169.254.169.254/latest/api/token*" and process.command_line : "*X-aws-ec2-metadata-token-ttl-seconds*")
160+ or
161+ // Any IMDSv2 GET that includes token header for any /latest/* path
162+ process.command_line : "*-H X-aws-ec2-metadata-token:*169.254.169.254/latest/*"
163+ or
164+ // Common amazon tooling UA
165+ process.command_line : "*-A amazon-ec2-net-utils/*"
166+ or
167+ // Azure metadata legitimate header
168+ process.command_line : "*-H Metadata:true*169.254.169.254/metadata/*"
169+ or
170+ // Oracle IMDS legitimate header
171+ process.command_line : "*-H Authorization:*Oracle*169.254.169.254/opc/*"
172+ )
173+ )
174+ ]
175+ [
176+ network where host.os.type == "linux"
177+ and event.action == "connection_attempted"
178+ and destination.ip == "169.254.169.254"
179+ ]
180+ '''
108181
109182
110183[[rule .threat ]]
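Review bot: The curl carve-out `process.command_line : "*-H X-aws-ec2-metadata-token:*169.254.169.254/latest/*"` suppresses every IMDSv2 request made by `/usr/bin/curl` that carries a token header, which includes the `/latest/meta-data/iam/security-credentials*` and `/latest/user-data*` paths the inclusion list above deliberately flags; on an instance where IMDSv2 is required, a credential read issued through curl would therefore never satisfy the first sequence step even though it is exactly the pattern the rule describes. Narrowing that branch so the sensitive paths stay in scope, e.g. `and not process.command_line : ("*/latest/meta-data/iam/security-credentials*", "*/latest/user-data*")` placed inside the `not ( process.executable == "/usr/bin/curl" and ... )` conjunction, or bounding the carve-out by the known-benign parent exclusions instead of by header presence alone, would keep the false-positive reduction without dropping the credential-access case. Separately, the executable exclusion `"/lusr/libexec/oracle-cloud-agent/*"` carried over from the old query looks like a typo for `/usr/libexec/…` and, if so, never matches; worth confirming against the Oracle agent's actual install path. The move from the previous catch-all `*169.254.169.254*` to an explicit path list is an intentional coverage change and deserves a sentence in the rule's `note` so analysts know which metadata paths are and are not in scope.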