Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | Kubernetes - AGENT |
| ATT&CK Tactic | |
| ATT&CK Technique | Unsecured Credentials: Cloud Instance Metadata API (T1552.005) |
| Severity | Informational |
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process. An attacker might exploit a web vulnerability to execute this technique.
Attacker's Goals
Extract sensitive cloud tokens to access restricted resources.
Investigative actions
- Check if a web service was exploited to execute this technique.
- Check what other commands were executed.
- Check the instance profile attached to the victim machine and its permissions, to find out which resources may be affected.
Variations
Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known shell or scripting process in a Kubernetes pod
Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known web service in a Kubernetes pod
Cloud Unusual Instance Metadata Service (IMDS) access in a Kubernetes pod
Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known web service
Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known shell or scripting process
Cloud Unusual internet-facing Instance Metadata Service (IMDS) access
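
The following is an added illustration of baseline-style detection for this alert, not the product's own logic: it learns which (host, process) pairs call IMDS during the 30-day training period, then alerts on new callers with a 1-day deduplication window. The event fields, process-name lists, helper names and sample telemetry are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

IMDS_IP = "169.254.169.254"    # link-local IMDS address on AWS, Azure and GCP
TRAINING = timedelta(days=30)  # Training Period from the synopsis
DEDUP = timedelta(days=1)      # Deduplication Period from the synopsis
# Assumed process-name lists, for illustration only.
SHELLS = {"sh", "bash", "dash", "python3", "perl", "ruby"}
WEB = {"nginx", "httpd", "apache2", "php-fpm", "node", "java"}

def variation(ev):
    """Label the caller in the spirit of the Variations list."""
    kind = ("shell or scripting process" if ev["process"] in SHELLS
            else "web service" if ev["process"] in WEB else "process")
    return kind + (" in a Kubernetes pod" if ev["pod"] else "")

def detect(events, start):
    """Alert on IMDS requests from (host, process) pairs unseen in training."""
    baseline, last_alert, alerts = set(), {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["dst_ip"] != IMDS_IP:
            continue
        key = (ev["host"], ev["process"])
        if ev["ts"] < start + TRAINING:
            baseline.add(key)      # learning phase: record routine callers
        elif key not in baseline:
            prev = last_alert.get(key)
            if prev is None or ev["ts"] - prev >= DEDUP:
                last_alert[key] = ev["ts"]
                alerts.append((ev["ts"], ev["host"], ev["process"], variation(ev)))
    return alerts

T0 = datetime(2024, 1, 1)

def event(day, host, process, dst=IMDS_IP, pod=None, hour=0):
    """Build one constructed connection event."""
    return {"ts": T0 + timedelta(days=day, hours=hour), "host": host,
            "process": process, "dst_ip": dst, "pod": pod}

# Constructed sample telemetry (not real data).
SAMPLE = [
    event(2, "node-1", "node-agent", pod="node-agent-x7k"),      # learned
    event(31, "node-1", "node-agent", pod="node-agent-x7k"),     # baseline: quiet
    event(32, "node-1", "php-fpm", pod="shop-web-5d9"),          # new caller: alert
    event(32, "node-1", "php-fpm", pod="shop-web-5d9", hour=3),  # deduplicated
    event(33, "node-1", "php-fpm", pod="shop-web-5d9", hour=1),  # new window: alert
    event(32, "node-1", "bash", dst="10.0.0.5"),                 # not IMDS: ignored
    event(34, "vm-2", "bash"),                                   # new caller: alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, T0):
        print(*alert, sep=" | ")
```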