Cloud Unusual Instance Metadata Service (IMDS) access

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Cloud

Detector Tags

Kubernetes - AGENT

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Severity

Informational

Description

A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.

Attacker's Goals

Extract sensitive cloud tokens to access restricted resources.

Investigative actions

  • Check if a web service was exploited to execute this technique.
  • Check what other commands were executed.
  • Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.
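The detector described above (a training period that learns which processes normally contact IMDS, an activation period in which unusual callers raise an alert, and a one-day deduplication window) can be sketched in a few dozen lines. The block below is an added illustration written for this page, not Cortex XDR code, and it runs entirely on constructed process-network events. The IMDS endpoint addresses are the well-known link-local metadata addresses; the host names, process names, and the shell/web process lists used to pick a severity are assumptions made for the example and mirror the page's variations (shell or scripting process and web service are rated Low, anything else Informational).

```python
"""Baseline-and-anomaly sketch of the 'Unusual IMDS access' analytics alert.

Added example for this reference page; not Cortex XDR code. All events,
hosts and process lists below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Link-local metadata endpoints used by the major cloud providers.
IMDS_ENDPOINTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}

TRAINING_PERIOD = timedelta(days=30)   # page: Training Period 30 Days
DEDUP_PERIOD = timedelta(days=1)       # page: Deduplication Period 1 Day

# Assumed process categories used only to pick the variation and severity.
SHELL_OR_SCRIPT = {"bash", "sh", "zsh", "python3", "perl", "powershell"}
WEB_SERVICES = {"nginx", "apache2", "httpd", "node", "php-fpm"}


@dataclass(frozen=True)
class NetEvent:
    """One outbound connection attributed to a process (constructed schema)."""
    ts: datetime
    host: str
    process: str
    dst: str


def is_imds_request(ev: NetEvent) -> bool:
    return ev.dst in IMDS_ENDPOINTS


def build_baseline(events, activation_start):
    """Per host, the set of processes seen contacting IMDS during training."""
    baseline = defaultdict(set)
    window_start = activation_start - TRAINING_PERIOD
    for ev in events:
        if window_start <= ev.ts < activation_start and is_imds_request(ev):
            baseline[ev.host].add(ev.process)
    return baseline


def classify(process: str):
    """Map the offending process to the page's variation name and severity."""
    if process in SHELL_OR_SCRIPT:
        return "from an unusual known shell or scripting process", "Low"
    if process in WEB_SERVICES:
        return "from an unusual known web service", "Low"
    return "", "Informational"


def detect(events, activation_start):
    """Alert on IMDS requests from processes absent from the host's baseline,
    suppressing repeats of the same (host, process) inside DEDUP_PERIOD."""
    baseline = build_baseline(events, activation_start)
    last_alert = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts < activation_start or not is_imds_request(ev):
            continue
        if ev.process in baseline[ev.host]:
            continue                        # learned as normal for this host
        key = (ev.host, ev.process)
        prev = last_alert.get(key)
        if prev is not None and ev.ts - prev < DEDUP_PERIOD:
            continue                        # deduplicated
        last_alert[key] = ev.ts
        variation, severity = classify(ev.process)
        alerts.append({"ts": ev.ts, "host": ev.host, "process": ev.process,
                       "variation": variation, "severity": severity})
    return alerts


def run_demo():
    """Constructed sample: legitimate agents in training, odd callers later."""
    imds = "169.254.169.254"
    start = datetime(2024, 10, 1)
    events = [
        NetEvent(datetime(2024, 9, 5), "web-01", "amazon-ssm-agent", imds),
        NetEvent(datetime(2024, 9, 12), "web-01", "cloud-init", imds),
        NetEvent(datetime(2024, 9, 20), "web-01", "nginx", "93.184.216.34"),
        NetEvent(datetime(2024, 10, 3, 10, 0), "web-01", "amazon-ssm-agent", imds),
        NetEvent(datetime(2024, 10, 3, 10, 5), "web-01", "curl", imds),
        NetEvent(datetime(2024, 10, 3, 10, 7), "web-01", "bash", imds),
        NetEvent(datetime(2024, 10, 3, 18, 0), "web-01", "bash", imds),   # deduped
        NetEvent(datetime(2024, 10, 4, 9, 0), "db-01", "python3", imds),
        NetEvent(datetime(2024, 10, 5, 9, 0), "web-01", "bash", imds),    # new alert
    ]
    return detect(events, start)


if __name__ == "__main__":
    for a in run_demo():
        print(a["ts"], a["host"], a["process"], a["severity"], a["variation"])
```

Running the demo yields four alerts: `curl` on web-01 (Informational), `bash` on web-01 (Low), `python3` on db-01 (Low, since that host has no training-period baseline at all), and `bash` on web-01 again two days later, once the deduplication window has elapsed. The 18:00 `bash` repeat on the same day is suppressed. In a real investigation the alert is a starting point for the actions listed above: inspect the process tree to see whether a web service spawned the caller, review the other commands it ran, and check the instance profile's permissions to scope what a leaked token could reach.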

Variations

Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known shell or scripting process in a Kubernetes pod

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Severity

Low

Description

A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.

Attacker's Goals

Extract sensitive cloud tokens to access restricted resources.

Investigative actions

  • Check if a web service was exploited to execute this technique.
  • Check what other commands were executed.
  • Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.


Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known web service in a Kubernetes pod

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Severity

Low

Description

A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.

Attacker's Goals

Extract sensitive cloud tokens to access restricted resources.

Investigative actions

  • Check if a web service was exploited to execute this technique.
  • Check what other commands were executed.
  • Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.


Cloud Unusual Instance Metadata Service (IMDS) access in a Kubernetes pod

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Severity

Informational

Description

A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.

Attacker's Goals

Extract sensitive cloud tokens to access restricted resources.

Investigative actions

  • Check if a web service was exploited to execute this technique.
  • Check what other commands were executed.
  • Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.


Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known web service

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Severity

Low

Description

A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.

Attacker's Goals

Extract sensitive cloud tokens to access restricted resources.

Investigative actions

  • Check if a web service was exploited to execute this technique.
  • Check what other commands were executed.
  • Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.


Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known shell or scripting process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Severity

Low

Description

A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.

Attacker's Goals

Extract sensitive cloud tokens to access restricted resources.

Investigative actions

  • Check if a web service was exploited to execute this technique.
  • Check what other commands were executed.
  • Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.


Cloud Unusual internet-facing Instance Metadata Service (IMDS) access

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Severity

Low

Description

A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.

Attacker's Goals

Extract sensitive cloud tokens to access restricted resources.

Investigative actions

  • Check if a web service was exploited to execute this technique.
  • Check what other commands were executed.
  • Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.