title: Cloud Instance Metadata API (T1552.005)
id: df00tech-t1552-005
status: experimental
description: "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud providers host a metadata API at http://169.254.169.254 (AWS, Azure, GCP, DigitalOcean) or http://fd00:ec2::254 (AWS IPv6). This internal endpoint provides running instances with credentials including temporary IAM role credentials (AWS), managed identity tokens (Azure), and service account tokens (GCP). Adversaries with code execution on a VM can query this endpoint directly, or exploit Server-Side Request Forgery (SSRF) vulnerabilities in public-facing applications to retrieve cloud credentials from external networks. TeamTNT, Peirates, and Hildegard have all exploited this API. The Capital One breach involved SSRF to the metadata API."
references:
  - https://attack.mitre.org/techniques/T1552/005/
  - https://df00tech.com/detections/T1552.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1552.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Cloud agent software legitimately querying instance metadata (AWS SSM Agent, Azure Guest Agent, Google Guest Agent)"
  - "Application frameworks that read instance metadata to determine their cloud environment (AWS SDK, Azure SDK, GCP client libraries)"
  - "Container orchestration tools (Kubernetes node agents, Docker) querying instance metadata for configuration"
  - "Cloud monitoring agents (CloudWatch, Azure Monitor, Stackdriver) that collect instance metadata as part of telemetry"
  - "Instance initialization scripts (cloud-init, UserData scripts) that query metadata during VM startup"
level: high
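Because the `detection` block above is only a placeholder, the following is an added example (not part of the df00tech rule or any vendor detection) of the logic this rule describes, run over constructed process_creation events: it flags command lines that reach the metadata endpoints named in the description, raises severity when a credential-issuing path is requested, and downgrades the cloud agents listed under falsepositives. The agent image names and the credential path patterns are assumptions to be tuned per environment.

```python
import re
from typing import Optional
from dataclasses import dataclass

# Endpoints from the rule description plus the metadata hostname GCP
# documents; plain constants, nothing is contacted.
IMDS_TARGETS = ("169.254.169.254", "[fd00:ec2::254]", "fd00:ec2::254",
                "metadata.google.internal")

# Assumed image names of the agents in the falsepositives list (AWS SSM,
# Azure Guest Agent, Google Guest Agent); adjust to your fleet.
AGENT_IMAGES = ("amazon-ssm-agent", "ssm-agent-worker", "waagent",
                "google_guest_agent")

# Assumed credential-issuing paths: AWS IAM role creds, Azure managed
# identity token, GCP service-account token.
CRED_PATHS = re.compile(r"meta-data/iam/security-credentials"
                        r"|identity/oauth2/token"
                        r"|service-accounts/[^/\s]+/token", re.IGNORECASE)

@dataclass
class Finding:
    severity: str
    reason: str

def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for IMDS access in a process_creation event, else None."""
    cmd = event.get("CommandLine", "")
    if not any(t in cmd for t in IMDS_TARGETS):
        return None
    # Basename of the image, tolerating both Linux and Windows separators.
    image = re.split(r"[\\/]", event.get("Image", ""))[-1].removesuffix(".exe")
    if image in AGENT_IMAGES:
        return Finding("low", f"known cloud agent {image} querying IMDS")
    if CRED_PATHS.search(cmd):
        return Finding("high", "credential path requested from IMDS")
    return Finding("medium", "IMDS queried by non-agent process")

def scan(events: list) -> list:
    """Return (CommandLine, Finding) pairs for every event that hits IMDS."""
    return [(e["CommandLine"], f) for e in events if (f := classify(e))]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/curl", "CommandLine":
     "curl http://169.254.169.254/latest/meta-data/iam/security-credentials/"},
    {"Image": "/usr/bin/amazon-ssm-agent", "CommandLine":
     "amazon-ssm-agent http://169.254.169.254/latest/meta-data/instance-id"},
    {"Image": "C:\\Tools\\wget.exe", "CommandLine":
     "wget -qO- http://[fd00:ec2::254]/latest/meta-data/hostname"},
    {"Image": "/bin/ls", "CommandLine": "ls -la /tmp"},
]
```

Running `scan(SAMPLE_EVENTS)` yields three findings (high, low, medium) and ignores the unrelated `ls` event.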
