T1552.005 Sumo Logic CSE · Sumo

Detect Cloud Instance Metadata API in Sumo Logic CSE

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud providers host a metadata API at http://169.254.169.254 (AWS, Azure, GCP, DigitalOcean) or http://fd00:ec2::254 (AWS IPv6). This internal endpoint provides running instances with credentials including temporary IAM role credentials (AWS), managed identity tokens (Azure), and service account tokens (GCP). Adversaries with code execution on a VM can query this endpoint directly, or exploit Server-Side Request Forgery (SSRF) vulnerabilities in public-facing applications to retrieve cloud credentials from external networks. TeamTNT, Peirates, and Hildegard have all exploited this API. The Capital One breach involved SSRF to the metadata API.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1552 Unsecured Credentials
Sub-technique: T1552.005 Cloud Instance Metadata API
Canonical reference: https://attack.mitre.org/techniques/T1552/005/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Cloud Instance Metadata API Access Detection
// Pattern 1: Network connections and syslog references to metadata IP
(_sourceCategory=*linux* OR _sourceCategory=*syslog* OR _sourceCategory=*audit* OR _sourceCategory=*aws* OR _sourceCategory=*cloud*)
(
  "169.254.169.254" OR "metadata.google.internal" OR "imds.azure.com" OR
  "iam/security-credentials" OR "computeMetadata" OR "latest/meta-data" OR
  "instance-identity" OR "metadata/instance"
)
// Drop known agent and bootstrap noise. Sumo treats a quoted matches pattern as a glob,
// so the regular expression must be written as a /regex/ literal.
| where !(_raw matches /(?i)(AzureGuestAgent|WindowsAzureGuestAgent|WaAppAgent|amazon-ssm|google_guest_agent|cloud-init|waagent|aws-cfn-bootstrap)/)
// Extract process name, command line and source/destination IPs where present
| parse regex "(?<ProcessName>[\w/.-]+)(?:\[\d+\])?:" nodrop
| parse regex "(?:cmd|command|CommandLine)[=:\s]+(?<CommandLine>[^\n]{10,200})" nodrop
| parse regex "(?:src|sip|sourceip)[=:\s]+(?<SourceIP>[\d.]+)" nodrop
| parse regex "(?:dst|dip|destip|destinationip)[=:\s]+(?<DestinationIP>[\d.]+)" nodrop
// Classify the access type; the network check takes priority when a destination IP was parsed
| if (DestinationIP = "169.254.169.254", "NetworkAccess",
     if (CommandLine matches "*iam/security-credentials*", "CredentialAccess",
         if (CommandLine matches "*instance-identity*", "IdentityAccess", "MetadataAccess"))) as AlertType
| count as EventCount by _messageTime, _sourceHost, ProcessName, CommandLine, DestinationIP, AlertType
| where EventCount > 0
| sort by _messageTime desc

Severity: high. Confidence: medium.

Sumo Logic query detecting Cloud Instance Metadata API (IMDS) access across Linux audit logs, syslogs, and cloud-native sources. Identifies both network-level connections to 169.254.169.254 and process command lines querying AWS, Azure, and GCP metadata endpoints. Classifies findings by access type.

Data Sources

  • Linux Syslog via Sumo Logic Installed Collector
  • Linux Audit (auditd) via Sumo Logic Collector
  • AWS CloudTrail via Sumo Logic AWS integration
  • Sumo Logic Cloud SIEM (CSE) normalized events

Required Tables

  • _sourceCategory=*linux*
  • _sourceCategory=*syslog*
  • _sourceCategory=*audit*
  • _sourceCategory=*aws*

False Positives & Tuning

  • Automated cloud instance bootstrapping processes (cloud-init, cfn-init, userdata scripts) that query metadata during VM initialization for configuration and credential setup
  • Container runtime agents and service meshes (Istio, Envoy, Linkerd) deployed on cloud VMs that use IMDS to acquire workload identity certificates or rotate service account tokens
  • Security and compliance scanning tools (AWS Inspector, Qualys, Rapid7) installed on cloud hosts that query instance metadata as part of their asset inventory or vulnerability assessment workflows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Query AWS Instance Metadata for IAM Credentials

    Expected signal: Linux auditd EXECVE records for curl with 169.254.169.254 metadata URLs. CONNECT syscall to 169.254.169.254:80. Network connection visible in /proc/net/tcp. AWS access logs would capture this if instance metadata logging is enabled.

  2. Test 2: Query Azure IMDS for Managed Identity Token

    Expected signal: Linux auditd EXECVE for curl with 169.254.169.254 and metadata/identity in args. HTTP connection to 169.254.169.254. Response contains access_token, token_type, expires_in fields.

  3. Test 3: Query GCP Instance Metadata for Service Account Token

    Expected signal: Linux auditd EXECVE for curl with metadata.google.internal URL. DNS resolution for metadata.google.internal (resolves to 169.254.169.254). Network connection to 169.254.169.254:80.

  4. Test 4: Steal Cloud Credentials via Python SSRF Simulation

    Expected signal: Linux auditd EXECVE for python3 with 169.254.169.254 URL in command. CONNECT syscall from python3 to 169.254.169.254. Unexpected process (python3) accessing metadata API.
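As an added example (not code from the page or from Sumo Logic), the Python below reproduces the detection query's keyword pre-filter, agent exclusion, parse-regex extractions and AlertType classification, and runs it over constructed syslog-style lines modelled on the four tests above plus a cloud-init bootstrap fetch that the exclusion should drop. Unlike the query, it checks the command-line patterns before the destination-IP check so a credential fetch keeps its specific label; the sample lines and the cmd=/dst= field names are assumptions.

```python
import re
from typing import Optional

# Constructed sample lines (not from the page): syslog-style events for the four
# Atomic tests above, plus a cloud-init bootstrap fetch that the agent exclusion drops.
SAMPLE_EVENTS = [
    "ip-10-0-1-5 curl[2311]: cmd=curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ dst=169.254.169.254",
    "vm-az-01 curl[4410]: cmd=curl -H Metadata:true http://169.254.169.254/metadata/identity/oauth2/token dst=169.254.169.254",
    "gce-web-3 curl[918]: cmd=curl -H Metadata-Flavor:Google http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/",
    "ip-10-0-1-5 python3[5120]: cmd=python3 ssrf.py http://169.254.169.254/latest/dynamic/instance-identity/document dst=169.254.169.254",
    "ip-10-0-1-9 cloud-init[631]: cmd=cloud-init fetch http://169.254.169.254/latest/meta-data/ dst=169.254.169.254",
]
# Same indicator keywords and agent exclusions as the Sumo query (keyword search is case-insensitive).
INDICATORS = ("169.254.169.254", "metadata.google.internal", "imds.azure.com",
              "iam/security-credentials", "computemetadata", "latest/meta-data",
              "instance-identity", "metadata/instance")
AGENT_NOISE = re.compile(r"(?i)(AzureGuestAgent|WindowsAzureGuestAgent|WaAppAgent|amazon-ssm|"
                         r"google_guest_agent|cloud-init|waagent|aws-cfn-bootstrap)")
# The query's three parse-regex extractions, in Python named-group syntax.
PROCESS_RE = re.compile(r"(?P<ProcessName>[\w/.-]+)(?:\[\d+\])?:")
CMDLINE_RE = re.compile(r"(?:cmd|command|CommandLine)[=:\s]+(?P<CommandLine>[^\n]{10,200})")
DST_RE = re.compile(r"(?:dst|dip|destip|destinationip)[=:\s]+(?P<DestinationIP>[\d.]+)")

def classify(cmdline: str, dst: Optional[str]) -> str:
    """Most specific label first: a credential fetch that also has a parsed dst keeps
    CredentialAccess instead of collapsing to NetworkAccess as in the query's if() order."""
    if "iam/security-credentials" in cmdline:
        return "CredentialAccess"
    if "instance-identity" in cmdline:
        return "IdentityAccess"
    if dst == "169.254.169.254":
        return "NetworkAccess"
    return "MetadataAccess"

def detect(raw: str) -> Optional[dict]:
    """Return an alert record for one log line, or None when the rule would not fire."""
    if not any(k in raw.lower() for k in INDICATORS):  # keyword pre-filter
        return None
    if AGENT_NOISE.search(raw):                          # known bootstrap/agent noise
        return None
    proc, cmd, dst = (r.search(raw) for r in (PROCESS_RE, CMDLINE_RE, DST_RE))
    cmdline = cmd.group("CommandLine") if cmd else ""
    dst_ip = dst.group("DestinationIP") if dst else None
    return {"ProcessName": proc.group("ProcessName") if proc else None,
            "CommandLine": cmdline, "DestinationIP": dst_ip,
            "AlertType": classify(cmdline, dst_ip)}

def run(events=SAMPLE_EVENTS) -> list:
    return [alert for alert in map(detect, events) if alert]
```

Running `run()` yields one alert per test line (curl x3, python3 x1) and none for the cloud-init line; the GCP line has no destination IP and so falls through to MetadataAccess.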
