Detect Cloud Instance Metadata API in CrowdStrike LogScale
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud providers host a metadata API at http://169.254.169.254 (AWS, Azure, GCP, DigitalOcean) or, over IPv6, at http://[fd00:ec2::254] (AWS). This internal endpoint provides running instances with credentials, including temporary IAM role credentials (AWS), managed identity tokens (Azure), and service account tokens (GCP). Adversaries with code execution on a VM can query this endpoint directly, or exploit Server-Side Request Forgery (SSRF) vulnerabilities in public-facing applications to retrieve cloud credentials from external networks. TeamTNT, Peirates, and Hildegard have all exploited this API, and the Capital One breach involved SSRF to the metadata API.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1552 Unsecured Credentials
- Sub-technique: T1552.005 Cloud Instance Metadata API
- Canonical reference: https://attack.mitre.org/techniques/T1552/005/
LogScale Detection Query

CrowdStrike LogScale (CQL) query detecting Cloud Instance Metadata API access using Falcon telemetry. It covers three patterns: direct network connections to 169.254.169.254 (NetworkConnectIP4), process launches with IMDS command line patterns (ProcessRollup2), and DNS resolutions of metadata hostnames (DnsRequest). Known cloud management agent processes are excluded in each branch. The three event types are combined with top-level `or` filters (CQL has no `union` pipeline function), and a single `table()` at the end lists the fields from all three branches; fields that do not exist on a given event type are simply left empty in that row.

```
// Cloud Instance Metadata API Access Detection — CrowdStrike LogScale (CQL)
// Pattern 1: Network connections to metadata endpoint IP
(#event_simpleName=NetworkConnectIP4
  ipv4Destination="169.254.169.254"
  ImageFileName!=/(?i)(AzureGuestAgent|WindowsAzureGuestAgent|WaAppAgent|amazon-ssm-agent|google_guest_agent|cloud-init|waagent|aws-cfn-bootstrap)/)
// Pattern 2: Process events with metadata API command line patterns
or (#event_simpleName=ProcessRollup2
  CommandLine=/(?i)(169\.254\.169\.254|metadata\/instance|iam\/security-credentials|latest\/meta-data|latest\/dynamic|instance-identity|computeMetadata|metadata\.google\.internal|imds\.azure\.com|metadata\/v1)/
  CommandLine!=/(?i)(aws-cfn-bootstrap|cloud-init|amazon-ssm|google_guest_agent|waagent|AzureGuestAgent)/)
// Pattern 3: DNS requests resolving metadata hostnames
or (#event_simpleName=DnsRequest
  DomainName=/(?i)(metadata\.google\.internal|imds\.azure\.com)/
  ContextBaseFileName!=/(?i)(AzureGuestAgent|amazon-ssm-agent|google_guest_agent|cloud-init)/)
| sort(@timestamp, order=desc, limit=500)
| table([@timestamp, #event_simpleName, ComputerName, UserName, ImageFileName, FileName, CommandLine, ParentBaseFileName, ContextBaseFileName, ipv4Destination, RemotePort, DomainName, RequestType, SHA256HashData])
```
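To check the exclusion logic without a LogScale instance, the following Python re-implements the three patterns above and runs them over constructed Falcon-style events. This is an added example, not code from the original page or from CrowdStrike; the field names follow the query, the regexes are the query's regexes translated to Python syntax, and every event (including the hypothetical `/tmp/ssrf_sim.py` command line) is constructed for illustration rather than taken from real telemetry.

```python
import re

# Added example (not part of the original page): Python version of the three
# LogScale patterns, with the same agent exclusions, run over constructed events.

METADATA_IP = "169.254.169.254"

# Pattern 1 exclusion: known cloud management agents (same list as the query)
AGENT_IMAGE_RE = re.compile(
    r"(AzureGuestAgent|WindowsAzureGuestAgent|WaAppAgent|amazon-ssm-agent|"
    r"google_guest_agent|cloud-init|waagent|aws-cfn-bootstrap)", re.I)

# Pattern 2: IMDS-looking command lines, minus agent noise
IMDS_CMDLINE_RE = re.compile(
    r"(169\.254\.169\.254|metadata/instance|iam/security-credentials|"
    r"latest/meta-data|latest/dynamic|instance-identity|computeMetadata|"
    r"metadata\.google\.internal|imds\.azure\.com|metadata/v1)", re.I)
AGENT_CMDLINE_RE = re.compile(
    r"(aws-cfn-bootstrap|cloud-init|amazon-ssm|google_guest_agent|waagent|AzureGuestAgent)", re.I)

# Pattern 3: DNS lookups of metadata hostnames, minus agent noise
METADATA_DNS_RE = re.compile(r"(metadata\.google\.internal|imds\.azure\.com)", re.I)
AGENT_CONTEXT_RE = re.compile(
    r"(AzureGuestAgent|amazon-ssm-agent|google_guest_agent|cloud-init)", re.I)


def classify(event):
    """Return the name of the matching pattern, or None if the event should not alert."""
    kind = event.get("event_simpleName")
    if kind == "NetworkConnectIP4":
        if (event.get("ipv4Destination") == METADATA_IP
                and not AGENT_IMAGE_RE.search(event.get("ImageFileName", ""))):
            return "network_connect"
    elif kind == "ProcessRollup2":
        cmd = event.get("CommandLine", "")
        if IMDS_CMDLINE_RE.search(cmd) and not AGENT_CMDLINE_RE.search(cmd):
            return "process_cmdline"
    elif kind == "DnsRequest":
        if (METADATA_DNS_RE.search(event.get("DomainName", ""))
                and not AGENT_CONTEXT_RE.search(event.get("ContextBaseFileName", ""))):
            return "dns_request"
    return None


def detect(events):
    """Run every event through the three patterns; return (pattern, event) hits in order."""
    return [(classify(ev), ev) for ev in events if classify(ev)]


# Constructed sample telemetry modelled on the page's patterns and exclusions
SAMPLE_EVENTS = [
    # curl to IMDS from an interactive shell: alerts (pattern 1)
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "web-01",
     "ImageFileName": "/usr/bin/curl", "ipv4Destination": METADATA_IP, "RemotePort": 80},
    # the SSM agent talking to IMDS: expected, excluded
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "web-01",
     "ImageFileName": "/usr/bin/amazon-ssm-agent", "ipv4Destination": METADATA_IP, "RemotePort": 80},
    # python3 requesting IAM role credentials (hypothetical script path): alerts (pattern 2)
    {"event_simpleName": "ProcessRollup2", "ComputerName": "web-01", "FileName": "python3",
     "CommandLine": "python3 /tmp/ssrf_sim.py http://169.254.169.254/latest/meta-data/iam/security-credentials/"},
    # cloud-init reading instance metadata at boot: excluded
    {"event_simpleName": "ProcessRollup2", "ComputerName": "web-01", "FileName": "cloud-init",
     "CommandLine": "/usr/bin/cloud-init init http://169.254.169.254/latest/meta-data/"},
    # DNS lookup of the GCP metadata hostname from curl: alerts (pattern 3)
    {"event_simpleName": "DnsRequest", "ComputerName": "gke-node-1",
     "ContextBaseFileName": "curl", "DomainName": "metadata.google.internal", "RequestType": "A"},
    # same lookup by the guest agent: excluded
    {"event_simpleName": "DnsRequest", "ComputerName": "gke-node-1",
     "ContextBaseFileName": "google_guest_agent", "DomainName": "metadata.google.internal", "RequestType": "A"},
    # unrelated outbound connection: no match
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "web-01",
     "ImageFileName": "/usr/bin/curl", "ipv4Destination": "93.184.216.34", "RemotePort": 443},
]

if __name__ == "__main__":
    for pattern, ev in detect(SAMPLE_EVENTS):
        proc = ev.get("ImageFileName") or ev.get("FileName") or ev.get("ContextBaseFileName")
        print(f"{pattern:16s} {ev['ComputerName']:12s} {proc}")
```

Running the script prints three hits (the curl connection, the python3 process, and the curl DNS lookup) and silently drops the four agent or unrelated events, which mirrors what the LogScale query should return on the same telemetry. Because the exclusions are substring matches on the process name or command line, a renamed binary or a command line that merely mentions an agent name would slip past them; the False Positives section below is the place to tune those lists for your estate.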
Data Sources
Required Tables
False Positives & Tuning
- HashiCorp Vault agent running on cloud VMs using AWS/Azure/GCP auth methods that query IMDS to obtain a signed identity document for Vault authentication during secrets retrieval
- Kubernetes node bootstrap processes (kubelet, kube-proxy, cloud-controller-manager) on managed cloud Kubernetes nodes that use IMDS to retrieve node identity and cluster configuration
- Serverless function runtimes and container-on-VM workloads (AWS Fargate on EC2, Azure Container Instances) where the container runtime itself legitimately queries the underlying host's IMDS for execution environment metadata
Other platforms for T1552.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Query AWS Instance Metadata for IAM Credentials
  Expected signal: Linux auditd EXECVE records for curl with 169.254.169.254 metadata URLs. CONNECT syscall to 169.254.169.254:80. Network connection visible in /proc/net/tcp. AWS access logs would capture this if instance metadata logging is enabled.
- Test 2: Query Azure IMDS for Managed Identity Token
  Expected signal: Linux auditd EXECVE for curl with 169.254.169.254 and metadata/identity in args. HTTP connection to 169.254.169.254. Response contains access_token, token_type, expires_in fields.
- Test 3: Query GCP Instance Metadata for Service Account Token
  Expected signal: Linux auditd EXECVE for curl with metadata.google.internal URL. DNS resolution for metadata.google.internal (resolves to 169.254.169.254). Network connection to 169.254.169.254:80.
- Test 4: Steal Cloud Credentials via Python SSRF Simulation
  Expected signal: Linux auditd EXECVE for python3 with 169.254.169.254 URL in command. CONNECT syscall from python3 to 169.254.169.254. Unexpected process (python3) accessing metadata API.
References
- https://attack.mitre.org/techniques/T1552/005/
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
- https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service
- https://cloud.google.com/compute/docs/metadata/overview
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md
- https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
- https://blog.trendmicro.com/trendlabs-security-intelligence/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger/
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html