T1552.005

Cloud Instance Metadata API

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud providers host a metadata API at http://169.254.169.254 (AWS, Azure, GCP, DigitalOcean) or http://fd00:ec2::254 (AWS IPv6). This internal endpoint provides running instances with credentials including temporary IAM role credentials (AWS), managed identity tokens (Azure), and service account tokens (GCP). Adversaries with code execution on a VM can query this endpoint directly, or exploit Server-Side Request Forgery (SSRF) vulnerabilities in public-facing applications to retrieve cloud credentials from external networks. TeamTNT, Peirates, and Hildegard have all exploited this API. The Capital One breach involved SSRF to the metadata API.

Microsoft Sentinel / Defender

kusto

// Detect Cloud Instance Metadata API access
let MetadataEndpoints = dynamic(["169.254.169.254", "fd00:ec2::254", "metadata.google.internal"]);
// Pattern 1: Network connections to metadata API IP
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIP in (MetadataEndpoints) or RemoteUrl has "169.254.169.254"
| where InitiatingProcessFileName !in~ ("AzureGuestAgent.exe", "WindowsAzureGuestAgent.exe",
                                         "WaAppAgent.exe", "aws-cfn-bootstrap", "cloud-init",
                                         "amazon-ssm-agent", "google_guest_agent")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
         RemoteIP, RemotePort, RemoteUrl
| union (
    // Pattern 2: Process command lines querying metadata API
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any (
        "169.254.169.254",
        "metadata/instance", "metadata/v1", "meta-data",
        "latest/meta-data", "latest/dynamic",
        "instance-identity", "iam/security-credentials",
        "computeMetadata", "metadata.google.internal",
        "imds.azure.com"
      )
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
)
| sort by Timestamp desc

high severity high confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Command: Command Execution

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Cloud agent software legitimately querying instance metadata (AWS SSM Agent, Azure Guest Agent, Google Guest Agent)
Application frameworks that read instance metadata to determine their cloud environment (AWS SDK, Azure SDK, GCP client libraries)
Container orchestration tools (Kubernetes node agents, Docker) querying instance metadata for configuration
Cloud monitoring agents (CloudWatch, Azure Monitor, Stackdriver) that collect instance metadata as part of telemetry
Instance initialization scripts (cloud-init, UserData scripts) that query metadata during VM startup

Elastic Security (EQL)

eql

any where
(
  // Pattern 1: Network connections to metadata API endpoints
  (
    event.category == "network" and
    (
      destination.ip == "169.254.169.254" or
      destination.address == "169.254.169.254" or
      url.domain == "metadata.google.internal" or
      destination.address == "fd00:ec2::254"
    ) and
    not process.name in~ ("AzureGuestAgent.exe", "WindowsAzureGuestAgent.exe", "WaAppAgent.exe",
                           "aws-cfn-bootstrap", "cloud-init", "amazon-ssm-agent",
                           "google_guest_agent", "waagent")
  )
  or
  // Pattern 2: Process execution with metadata API strings in args
  (
    event.category == "process" and
    event.type == "start" and
    (
      process.args : "*169.254.169.254*" or
      process.command_line : "*169.254.169.254*" or
      process.command_line : "*metadata/instance*" or
      process.command_line : "*iam/security-credentials*" or
      process.command_line : "*latest/meta-data*" or
      process.command_line : "*latest/dynamic*" or
      process.command_line : "*instance-identity*" or
      process.command_line : "*computeMetadata*" or
      process.command_line : "*metadata.google.internal*" or
      process.command_line : "*imds.azure.com*" or
      process.command_line : "*metadata/v1*"
    ) and
    not process.name in~ ("aws-cfn-bootstrap", "cloud-init", "amazon-ssm-agent",
                           "google_guest_agent", "waagent", "AzureGuestAgent.exe")
  )
)

high severity high confidence

Data Sources

Elastic Agent (Endpoint Security) Auditbeat Winlogbeat with Sysmon Packetbeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* auditbeat-* winlogbeat-*

False Positives

Legitimate cloud management agents (AzureGuestAgent, amazon-ssm-agent, google_guest_agent, cloud-init) querying IMDS for normal operation — these are whitelisted but custom agents may also legitimately access IMDS
DevOps tooling such as Terraform, Packer, Ansible, or Chef running on cloud instances that retrieve metadata for provisioning or configuration management purposes
Custom application health check scripts or monitoring agents that query instance metadata to retrieve region, instance ID, or other non-credential metadata for logging or configuration

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(category) AS Category,
  "processname",
  "CommandLine",
  LOGSOURCENAME(logsourceid) AS LogSource,
  magnitude
FROM events
WHERE
  starttime > NOW() - 86400000
  AND
  (
    -- Pattern 1: Network connections to metadata IP
    (
      destinationip = '169.254.169.254'
      AND "processname" NOT ILIKE '%AzureGuestAgent%'
      AND "processname" NOT ILIKE '%amazon-ssm-agent%'
      AND "processname" NOT ILIKE '%google_guest_agent%'
      AND "processname" NOT ILIKE '%cloud-init%'
      AND "processname" NOT ILIKE '%waagent%'
    )
    OR
    -- Pattern 2: Process command lines with metadata API patterns
    (
      (
        "CommandLine" ILIKE '%169.254.169.254%'
        OR "CommandLine" ILIKE '%metadata/instance%'
        OR "CommandLine" ILIKE '%iam/security-credentials%'
        OR "CommandLine" ILIKE '%latest/meta-data%'
        OR "CommandLine" ILIKE '%latest/dynamic%'
        OR "CommandLine" ILIKE '%instance-identity%'
        OR "CommandLine" ILIKE '%computeMetadata%'
        OR "CommandLine" ILIKE '%metadata.google.internal%'
        OR "CommandLine" ILIKE '%imds.azure.com%'
      )
      AND "CommandLine" NOT ILIKE '%aws-cfn-bootstrap%'
      AND "CommandLine" NOT ILIKE '%cloud-init%'
      AND "CommandLine" NOT ILIKE '%amazon-ssm%'
      AND "CommandLine" NOT ILIKE '%google_guest_agent%'
      AND "CommandLine" NOT ILIKE '%waagent%'
    )
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

QRadar Network Activity (flows) Linux Audit logs via Syslog DSM Windows Security Events via WinCollect AWS CloudTrail via Amazon AWS CloudTrail DSM

Required Tables

events

False Positives

Cloud-native services and deployment agents (SSM Agent, Azure Guest Agent, Google Guest Agent) that regularly poll the metadata service for configuration updates and credential rotation
Infrastructure-as-code tools (Terraform, AWS CDK, Pulumi) executing plans on cloud instances that query metadata to resolve provider credentials or region configuration
Container orchestration agents (kubelet, ECS agent, containerd-shim) on cloud VMs that access IMDS to retrieve node identity or cluster join tokens during provisioning

Sumo Logic CSE

sql

// Cloud Instance Metadata API Access Detection
// Pattern 1: Network connections and syslog references to metadata IP
(_sourceCategory=*linux* OR _sourceCategory=*syslog* OR _sourceCategory=*audit* OR _sourceCategory=*aws* OR _sourceCategory=*cloud*)
(
  "169.254.169.254" OR "metadata.google.internal" OR "imds.azure.com" OR
  "iam/security-credentials" OR "computeMetadata" OR "latest/meta-data" OR
  "instance-identity" OR "metadata/instance"
)
| where !(_raw matches "(?i)(AzureGuestAgent|WindowsAzureGuestAgent|WaAppAgent|amazon-ssm|google_guest_agent|cloud-init|waagent|aws-cfn-bootstrap)")
| parse regex "(?<ProcessName>[\w/.-]+)(?:\[\d+\])?:" nodrop
| parse regex "(?:cmd|command|CommandLine)[=:\s]+(?<CommandLine>[^\n]{10,200})" nodrop
| parse regex "(?:src|sip|sourceip)[=:\s]+(?<SourceIP>[\d.]+)" nodrop
| parse regex "(?:dst|dip|destip|destinationip)[=:\s]+(?<DestinationIP>[\d.]+)" nodrop
| if (DestinationIP = "169.254.169.254", "NetworkAccess",
     if (CommandLine matches "*iam/security-credentials*", "CredentialAccess",
         if (CommandLine matches "*instance-identity*", "IdentityAccess", "MetadataAccess"))) as AlertType
| count as EventCount by _messageTime, _sourceHost, ProcessName, CommandLine, DestinationIP, AlertType
| where EventCount > 0
| sort by _messageTime desc

high severity medium confidence

Data Sources

Linux Syslog via Sumo Logic Installed Collector Linux Audit (auditd) via Sumo Logic Collector AWS CloudTrail via Sumo Logic AWS integration Sumo Logic Cloud SIEM (CSE) normalized events

Required Tables

_sourceCategory=*linux* _sourceCategory=*syslog* _sourceCategory=*audit* _sourceCategory=*aws*

False Positives

Automated cloud instance bootstrapping processes (cloud-init, cfn-init, userdata scripts) that query metadata during VM initialization for configuration and credential setup
Container runtime agents and service meshes (Istio, Envoy, Linkerd) deployed on cloud VMs that use IMDS to acquire workload identity certificates or rotate service account tokens
Security and compliance scanning tools (AWS Inspector, Qualys, Rapid7) installed on cloud hosts that query instance metadata as part of their asset inventory or vulnerability assessment workflows

Google Chronicle / SecOps

yaral

rule cloud_instance_metadata_api_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects access to Cloud Instance Metadata API (IMDS) via network connections or process command lines. Covers AWS (169.254.169.254, fd00:ec2::254), Azure (imds.azure.com), and GCP (metadata.google.internal). Maps to MITRE ATT&CK T1552.005."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.005"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      // Pattern 1: Network connection to metadata IP
      (
        $e.metadata.event_type = "NETWORK_CONNECTION"
        and (
          $e.target.ip = "169.254.169.254"
          or $e.target.hostname = "metadata.google.internal"
          or $e.target.hostname = "imds.azure.com"
        )
        and not re.regex($e.principal.process.file.full_path,
          `(?i)(AzureGuestAgent|WindowsAzureGuestAgent|WaAppAgent|amazon-ssm-agent|google_guest_agent|cloud-init|waagent|aws-cfn-bootstrap)`)
      )
      or
      // Pattern 2: Process execution with metadata API strings
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and (
          re.regex($e.target.process.command_line, `169\.254\.169\.254`) or
          re.regex($e.target.process.command_line, `(?i)metadata/instance`) or
          re.regex($e.target.process.command_line, `(?i)iam/security-credentials`) or
          re.regex($e.target.process.command_line, `(?i)latest/meta-data`) or
          re.regex($e.target.process.command_line, `(?i)latest/dynamic`) or
          re.regex($e.target.process.command_line, `(?i)instance-identity`) or
          re.regex($e.target.process.command_line, `(?i)computeMetadata`) or
          re.regex($e.target.process.command_line, `(?i)metadata\.google\.internal`) or
          re.regex($e.target.process.command_line, `(?i)imds\.azure\.com`)
        )
        and not re.regex($e.target.process.command_line,
          `(?i)(aws-cfn-bootstrap|cloud-init|amazon-ssm|google_guest_agent|waagent|AzureGuestAgent)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Chronicle Ingestion API — Linux/Windows EDR telemetry Chronicle Google Cloud ingestion (GCP audit logs) Chronicle AWS S3 log ingestion (CloudTrail, VPC Flow Logs)

Required Tables

UDM Events (NETWORK_CONNECTION) UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate workload identity federation flows where applications running on GCP Compute Engine or AWS EC2 acquire short-lived credentials through IMDS as part of normal SDK authentication
Cloud-native monitoring agents (Datadog, New Relic, Dynatrace, CloudWatch Agent) installed on instances that query IMDS to enrich telemetry with instance ID, region, and account metadata
CI/CD pipeline runners (GitLab Runner, GitHub Actions self-hosted, Jenkins agents) deployed on cloud VMs that use IMDS credentials to authenticate with cloud APIs during build and deployment jobs

CrowdStrike LogScale (CQL)

cql

// Cloud Instance Metadata API Access Detection — CrowdStrike LogScale (CQL)
// Pattern 1: Network connections to metadata endpoint IP
#event_simpleName = NetworkConnectIP4
| ipv4Destination = "169.254.169.254"
| ImageFileName = /(?i)^(?!.*(AzureGuestAgent|WindowsAzureGuestAgent|WaAppAgent|amazon-ssm-agent|google_guest_agent|cloud-init|waagent|aws-cfn-bootstrap)).*/
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ContextBaseFileName, ipv4Destination, RemotePort])

// Pattern 2: Process events with metadata API command line patterns
| union {
  #event_simpleName = ProcessRollup2
  | CommandLine = /(?i)(169\.254\.169\.254|metadata\/instance|iam\/security-credentials|latest\/meta-data|latest\/dynamic|instance-identity|computeMetadata|metadata\.google\.internal|imds\.azure\.com|metadata\/v1)/
  | CommandLine != /(?i)(aws-cfn-bootstrap|cloud-init|amazon-ssm|google_guest_agent|waagent|AzureGuestAgent)/
  | table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, SHA256HashData])
}

// Pattern 3: DNS requests resolving metadata hostnames
| union {
  #event_simpleName = DnsRequest
  | DomainName = /(?i)(metadata\.google\.internal|imds\.azure\.com)/
  | ContextBaseFileName != /(?i)(AzureGuestAgent|amazon-ssm-agent|google_guest_agent|cloud-init)/
  | table([@timestamp, ComputerName, UserName, ContextBaseFileName, DomainName, RequestType])
}

| sort(@timestamp, order=desc, limit=500)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR) Falcon Event Stream — ProcessRollup2 Falcon Event Stream — NetworkConnectIP4 Falcon Event Stream — DnsRequest

Required Tables

ProcessRollup2 NetworkConnectIP4 DnsRequest

False Positives

HashiCorp Vault agent running on cloud VMs using AWS/Azure/GCP auth methods that query IMDS to obtain a signed identity document for Vault authentication during secrets retrieval
Kubernetes node bootstrap processes (kubelet, kube-proxy, cloud-controller-manager) on managed cloud Kubernetes nodes that use IMDS to retrieve node identity and cluster configuration
Serverless function runtimes and container-on-VM workloads (AWS Fargate on EC2, Azure Container Instances) where the container runtime itself legitimately queries the underlying host's IMDS for execution environment metadata

Last updated: 2026-04-13 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1552.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1552Unsecured Credentials

Related Sub-techniques

T1552.001Credentials In Files T1552.002Credentials in Registry T1552.003Bash History T1552.004Private Keys T1552.006Group Policy Preferences T1552.007Container API T1552.008Chat Messages

Cloud Instance Metadata API

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections