Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.
Attacker's Goals
Extract sensitive cloud tokens to access restricted resources.
Investigative actions
- Check if a web service was exploited to execute this technique.
- Check what other commands were executed.
- Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.
Variations
Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known shell or scripting process in a Kubernetes pod
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.
Attacker's Goals
Extract sensitive cloud tokens to access restricted resources.
Investigative actions
- Check if a web service was exploited to execute this technique.
- Check what other commands were executed.
- Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.
Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known web service in a Kubernetes pod
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.
Attacker's Goals
Extract sensitive cloud tokens to access restricted resources.
Investigative actions
- Check if a web service was exploited to execute this technique.
- Check what other commands were executed.
- Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.
Cloud Unusual Instance Metadata Service (IMDS) access in a Kubernetes pod
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.
Attacker's Goals
Extract sensitive cloud tokens to access restricted resources.
Investigative actions
- Check if a web service was exploited to execute this technique.
- Check what other commands were executed.
- Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.
Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known web service
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.
Attacker's Goals
Extract sensitive cloud tokens to access restricted resources.
Investigative actions
- Check if a web service was exploited to execute this technique.
- Check what other commands were executed.
- Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.
Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known shell or scripting process
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.
Attacker's Goals
Extract sensitive cloud tokens to access restricted resources.
Investigative actions
- Check if a web service was exploited to execute this technique.
- Check what other commands were executed.
- Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.
Cloud Unusual internet-facing Instance Metadata Service (IMDS) access
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.
Attacker's Goals
Extract sensitive cloud tokens to access restricted resources.
Investigative actions
- Check if a web service was exploited to execute this technique.
- Check what other commands were executed.
- Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.
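
The variations above differ in which kind of process made the request and whether it ran in a Kubernetes pod. The following triage sketch is an added example, not the product's detection logic: it labels process-to-network events with the matching alert title. The event field names, the process groupings and the baseline are assumptions, and the sample events are constructed.

```python
import ipaddress

# Link-local IMDS address used by AWS, Azure and GCP, plus the AWS IPv6 endpoint.
IMDS_ADDRS = {ipaddress.ip_address(a) for a in ("169.254.169.254", "fd00:ec2::254")}

# Assumed process groupings, chosen for illustration only.
SHELL_OR_SCRIPT = {"sh", "bash", "dash", "zsh", "python3", "perl", "ruby", "pwsh"}
WEB_SERVICE = {"nginx", "httpd", "apache2", "php-fpm", "node", "java", "w3wp.exe"}
TITLE = "Cloud Unusual Instance Metadata Service (IMDS) access"


def classify(event, baseline):
    """Return the matching alert title, or None if the event needs no alert.

    event: dict with hypothetical keys host, process, dst_ip and optional pod.
    baseline: set of (host, process) pairs already known to query IMDS.
    The internet-facing variation is not modeled here.
    """
    try:
        dst = ipaddress.ip_address(event["dst_ip"])  # normalizes IPv6 spellings
    except ValueError:
        return None  # malformed address in the log line
    if dst not in IMDS_ADDRS:
        return None
    if (event["host"], event["process"]) in baseline:
        return None  # expected caller, e.g. a cloud agent
    name = event["process"].lower()
    if name in SHELL_OR_SCRIPT:
        kind = " from an unusual known shell or scripting process"
    elif name in WEB_SERVICE:
        kind = " from an unusual known web service"
    else:
        kind = ""
    pod = " in a Kubernetes pod" if event.get("pod") else ""
    return TITLE + kind + pod


# Constructed sample data, not taken from any real environment.
BASELINE = {("web-01", "amazon-ssm-agent"), ("web-01", "cloud-init")}
EVENTS = [
    {"host": "web-01", "process": "amazon-ssm-agent", "dst_ip": "169.254.169.254"},
    {"host": "web-01", "process": "nginx", "dst_ip": "169.254.169.254"},
    {"host": "node-3", "process": "bash", "dst_ip": "169.254.169.254", "pod": "shop-7d9f"},
    {"host": "node-3", "process": "nginx", "dst_ip": "10.0.4.17", "pod": "shop-7d9f"},
    {"host": "web-01", "process": "backup-tool", "dst_ip": "fd00:ec2::254"},
]
if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["host"], ev["process"], "->", classify(ev, BASELINE))
```

A hit from a web service process is the case that most directly supports the first investigative action, since it suggests the request may have been made on behalf of an external client.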