Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process.
This process does not usually access the Instance Metadata Service.
An attacker may extract cloud compute tokens to gain access to a cloud environment.
Attacker's Goals
Extract sensitive cloud compute tokens to access restricted cloud resources.
Investigative actions
- Determine whether a web service was involved and if it was exploited to execute this technique.
- Identify any additional commands that were executed.
- Review the permissions assigned to the target machine to identify which resources may be affected.
- Examine related compute activity in the cloud audit logs.
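The baseline comparison behind this alert, sketched as an added example (not the product's own detection code): it flags IMDS requests from processes that have not reached the IMDS on that host before and names the matching variation. The event fields, process groupings and sample records are constructed assumptions; 169.254.169.254 is the link-local IMDS address on AWS, Azure and GCP.

```python
IMDS_IP = "169.254.169.254"  # link-local metadata address used by AWS, Azure and GCP
# Assumed process groupings (illustrative, not the product's own lists)
CATEGORIES = {
    "web service": {"w3wp.exe", "httpd", "nginx"},
    "shell process": {"cmd.exe", "bash", "sh"},
    "scripting process": {"wscript.exe", "cscript.exe", "python3", "perl"},
}

def ev(host, os_name, process, parent, dst_ip):
    return {"host": host, "os": os_name, "process": process, "parent": parent, "dst_ip": dst_ip}

# Constructed sample telemetry: one outbound connection per record
BASELINE_EVENTS = [
    ev("web-01", "linux", "cloud-agent", "systemd", IMDS_IP),
    ev("web-01", "linux", "nginx", "systemd", "10.0.0.5"),
    ev("win-02", "windows", "cloud-agent.exe", "services.exe", IMDS_IP),
]
NEW_EVENTS = [
    ev("web-01", "linux", "cloud-agent", "systemd", IMDS_IP),
    ev("web-01", "linux", "nginx", "systemd", IMDS_IP),
    ev("win-02", "windows", "cmd.exe", "w3wp.exe", IMDS_IP),
    ev("win-02", "windows", "cmd.exe", "explorer.exe", "10.0.0.9"),
]

def build_baseline(events):
    """Map each host to the processes that normally reach the IMDS."""
    baseline = {}
    for e in events:
        if e["dst_ip"] == IMDS_IP:
            baseline.setdefault(e["host"], set()).add(e["process"].lower())
    return baseline

def classify(e):
    """Name the variation from the process category and the host OS."""
    prefix = "Windows " if e["os"] == "windows" else ""
    for category, names in CATEGORIES.items():
        if e["process"].lower() in names:
            return prefix + category
    return "uncategorized process"

def detect(baseline, events):
    """Return IMDS requests from processes absent from the host's baseline."""
    return [
        {"host": e["host"], "process": e["process"], "parent": e["parent"], "variation": classify(e)}
        for e in events
        if e["dst_ip"] == IMDS_IP and e["process"].lower() not in baseline.get(e["host"], set())
    ]
ALERTS = detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS)
print(*ALERTS, sep="\n")
```

The `parent` field is kept in each alert because a shell spawned by a web server process is the first thing to check when deciding whether a web service was exploited.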
Variations
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows web service
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process.
This process does not usually access the Instance Metadata Service.
An attacker may extract cloud compute tokens to gain access to a cloud environment.
Attacker's Goals
Extract sensitive cloud compute tokens to access restricted cloud resources.
Investigative actions
- Determine whether a web service was involved and if it was exploited to execute this technique.
- Identify any additional commands that were executed.
- Review the permissions assigned to the target machine to identify which resources may be affected.
- Examine related compute activity in the cloud audit logs.
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known web service
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process.
This process does not usually access the Instance Metadata Service.
An attacker may extract cloud compute tokens to gain access to a cloud environment.
Attacker's Goals
Extract sensitive cloud compute tokens to access restricted cloud resources.
Investigative actions
- Determine whether a web service was involved and if it was exploited to execute this technique.
- Identify any additional commands that were executed.
- Review the permissions assigned to the target machine to identify which resources may be affected.
- Examine related compute activity in the cloud audit logs.
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows shell process
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process.
This process does not usually access the Instance Metadata Service.
An attacker may extract cloud compute tokens to gain access to a cloud environment.
Attacker's Goals
Extract sensitive cloud compute tokens to access restricted cloud resources.
Investigative actions
- Determine whether a web service was involved and if it was exploited to execute this technique.
- Identify any additional commands that were executed.
- Review the permissions assigned to the target machine to identify which resources may be affected.
- Examine related compute activity in the cloud audit logs.
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known shell process
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process.
This process does not usually access the Instance Metadata Service.
An attacker may extract cloud compute tokens to gain access to a cloud environment.
Attacker's Goals
Extract sensitive cloud compute tokens to access restricted cloud resources.
Investigative actions
- Determine whether a web service was involved and if it was exploited to execute this technique.
- Identify any additional commands that were executed.
- Review the permissions assigned to the target machine to identify which resources may be affected.
- Examine related compute activity in the cloud audit logs.
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows scripting process
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process.
This process does not usually access the Instance Metadata Service.
An attacker may extract cloud compute tokens to gain access to a cloud environment.
Attacker's Goals
Extract sensitive cloud compute tokens to access restricted cloud resources.
Investigative actions
- Determine whether a web service was involved and if it was exploited to execute this technique.
- Identify any additional commands that were executed.
- Review the permissions assigned to the target machine to identify which resources may be affected.
- Examine related compute activity in the cloud audit logs.
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known scripting process
Synopsis
Description
A request to the cloud Instance Metadata Service (IMDS) was made by an unusual process.
This process does not usually access the Instance Metadata Service.
An attacker may extract cloud compute tokens to gain access to a cloud environment.
Attacker's Goals
Extract sensitive cloud compute tokens to access restricted cloud resources.
Investigative actions
- Determine whether a web service was involved and if it was exploited to execute this technique.
- Identify any additional commands that were executed.
- Review the permissions assigned to the target machine to identify which resources may be affected.
- Examine related compute activity in the cloud audit logs.