Unusual cloud Instance Metadata Service (IMDS) access

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-02-02
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Cloud

Detector Tags

Kubernetes - AGENT

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Severity

Informational

Description

A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process, one that does not normally access the IMDS on this host.
An attacker who controls such a process may query the IMDS for cloud compute tokens and use them to gain access to the cloud environment.

Attacker's Goals

Extract sensitive cloud compute tokens to access restricted cloud resources.

Investigative actions

  • Determine whether a web service was involved and, if so, whether it was exploited to execute this technique.
  • Identify any additional commands that were executed.
  • Review the permissions assigned to the target machine to identify which resources may be affected.
  • Examine related compute activity in the cloud audit logs.
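The detector described above learns which processes on each host normally reach the IMDS during the 30-day training period, then alerts when a process outside that baseline reaches it, suppressing repeat alerts for the same host/process pair for one day. The following is an added illustration of that baseline-and-deviation logic, not Cortex XDR's own code: the telemetry records, field names, the process-class lists used to tier severity (mirroring the variations listed below) and the IMDS address set are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Link-local IMDS endpoints. 169.254.169.254 is used by AWS, Azure and GCP;
# fd00:ec2::254 is the AWS IPv6 endpoint. (Assumed address set for the example.)
IMDS_ADDRS = {"169.254.169.254", "fd00:ec2::254"}

# Process classes used to tier severity the way the page's variations do.
# Membership lists are assumptions for the example, not the product's lists.
WEB_SERVICES = {"nginx", "httpd", "apache2", "node", "gunicorn", "tomcat"}
SHELLS = {"bash", "sh", "zsh", "dash"}
SCRIPTING = {"python", "python3", "perl", "ruby", "php"}

TRAINING_PERIOD = timedelta(days=30)   # matches the page's training period
DEDUP_PERIOD = timedelta(days=1)       # matches the page's deduplication period

T0 = datetime(2026, 1, 1)              # constructed start of the training window


def ev(host, process, dst, offset):
    """Build one constructed telemetry record: an outbound connection by a process."""
    return {"host": host, "process": process, "dst": dst, "ts": T0 + offset}


# Constructed sample telemetry (not real endpoint data).
SAMPLE_EVENTS = [
    ev("web-01", "cloud-init", "169.254.169.254", timedelta(days=1)),          # training
    ev("web-01", "amazon-ssm-agent", "169.254.169.254", timedelta(days=2)),    # training
    ev("web-01", "amazon-ssm-agent", "169.254.169.254", timedelta(days=31)),   # in baseline
    ev("web-01", "nginx", "169.254.169.254", timedelta(days=31, hours=1)),     # new: web service
    ev("web-01", "nginx", "169.254.169.254", timedelta(days=31, hours=3)),     # within dedup window
    ev("web-01", "nginx", "169.254.169.254", timedelta(days=32, hours=6)),     # >1 day later, alerts again
    ev("db-01", "bash", "10.0.0.5", timedelta(days=31)),                       # not IMDS, ignored
    ev("db-01", "bash", "169.254.169.254", timedelta(days=31, hours=2)),       # new host, shell
    ev("web-01", "python3", "fd00:ec2::254", timedelta(days=33)),              # scripting process
    ev("web-01", "curl", "169.254.169.254", timedelta(days=34)),               # unclassified process
]


def severity_for(process):
    """Severity tiering that mirrors the page: web service / shell -> Medium,
    scripting process -> Low, anything else -> Informational."""
    if process in WEB_SERVICES or process in SHELLS:
        return "Medium"
    if process in SCRIPTING:
        return "Low"
    return "Informational"


def build_baseline(events, start=T0, period=TRAINING_PERIOD):
    """Per-host set of processes observed reaching the IMDS during training."""
    end = start + period
    baseline = defaultdict(set)
    for e in events:
        if e["dst"] in IMDS_ADDRS and start <= e["ts"] < end:
            baseline[e["host"]].add(e["process"])
    return dict(baseline)


def detect(events, baseline, start=T0 + TRAINING_PERIOD, dedup=DEDUP_PERIOD):
    """Alert when a process outside the host's baseline reaches the IMDS after
    training ends; repeat alerts for the same (host, process) are suppressed
    for one dedup period after the last alert."""
    alerts = []
    last_alert = {}
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["dst"] not in IMDS_ADDRS or e["ts"] < start:
            continue
        if e["process"] in baseline.get(e["host"], set()):
            continue
        key = (e["host"], e["process"])
        prev = last_alert.get(key)
        if prev is not None and e["ts"] - prev < dedup:
            continue
        last_alert[key] = e["ts"]
        alerts.append({
            "host": e["host"], "process": e["process"], "dst": e["dst"],
            "ts": e["ts"], "severity": severity_for(e["process"]),
        })
    return alerts


if __name__ == "__main__":
    base = build_baseline(SAMPLE_EVENTS)
    for a in detect(SAMPLE_EVENTS, base):
        print(f"{a['ts']:%Y-%m-%d %H:%M}  {a['severity']:<13} {a['host']}  "
              f"{a['process']} -> {a['dst']}")
```

Run as-is, the script prints five alerts: two for nginx on web-01 (the second because it falls more than a day after the first), one for bash on db-01 (a host with no baseline at all), one Low alert for python3 and one Informational alert for curl; the amazon-ssm-agent request is silent because the process was learned during training. Note that a baseline is only as trustworthy as the training window: a process that was already abusing the IMDS during those 30 days would be learned as normal, which is one reason the investigative actions ask you to confirm whether the process should be reaching the IMDS at all rather than relying on the alert alone.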

Variations

Unusual cloud Instance Metadata Service (IMDS) access from an unusual known web service

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Severity

Medium

Description

A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process, one that does not normally access the IMDS on this host.
An attacker who controls such a process may query the IMDS for cloud compute tokens and use them to gain access to the cloud environment.

Attacker's Goals

Extract sensitive cloud compute tokens to access restricted cloud resources.

Investigative actions

  • Determine whether a web service was involved and, if so, whether it was exploited to execute this technique.
  • Identify any additional commands that were executed.
  • Review the permissions assigned to the target machine to identify which resources may be affected.
  • Examine related compute activity in the cloud audit logs.


Unusual cloud Instance Metadata Service (IMDS) access from an unusual known shell process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Severity

Medium

Description

A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process, one that does not normally access the IMDS on this host.
An attacker who controls such a process may query the IMDS for cloud compute tokens and use them to gain access to the cloud environment.

Attacker's Goals

Extract sensitive cloud compute tokens to access restricted cloud resources.

Investigative actions

  • Determine whether a web service was involved and, if so, whether it was exploited to execute this technique.
  • Identify any additional commands that were executed.
  • Review the permissions assigned to the target machine to identify which resources may be affected.
  • Examine related compute activity in the cloud audit logs.


Unusual cloud Instance Metadata Service (IMDS) access from an unusual known scripting process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Severity

Low

Description

A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process, one that does not normally access the IMDS on this host.
An attacker who controls such a process may query the IMDS for cloud compute tokens and use them to gain access to the cloud environment.

Attacker's Goals

Extract sensitive cloud compute tokens to access restricted cloud resources.

Investigative actions

  • Determine whether a web service was involved and, if so, whether it was exploited to execute this technique.
  • Identify any additional commands that were executed.
  • Review the permissions assigned to the target machine to identify which resources may be affected.
  • Examine related compute activity in the cloud audit logs.