Cloud Instance Metadata Credential Path HTTP Request

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Detects HTTP GET requests to the link-local instance metadata service (169.254.169.254) for cloud credential or token paths on AWS, GCP, or Azure. Adversaries and vulnerable workloads use scripts, shells, or application runtimes to read IAM role credentials or OAuth tokens from the metadata API. Requires the Network Packet Capture integration with HTTP decoding on ports 80 and 443 and process enrichment enabled so "process.*" fields are present.

Rule type: eql

Rule indices:

  • logs-network_traffic.http*
  • packetbeat-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Network
  • OS: Linux
  • OS: Windows
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Data Source: Network Packet Capture
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

Investigating Cloud Instance Metadata Credential Path HTTP Request

This rule matches outbound HTTP GETs to 169.254.169.254 where the URL path requests IAM credentials or cloud OAuth tokens, filtered to common scripting runtimes, suspicious executable paths, or tool-like user agents.

Investigation steps

  • Confirm url.path (AWS security-credentials, GCP oauth2/access_token, Azure metadata/identity/oauth2/token).
  • Review process.name, process.executable, and user_agent.original — scripted tools and temp-path binaries are higher risk.
  • Check host.name or host.hostname and whether the workload should run on a cloud VM with an instance profile or managed identity.
  • Correlate with cloud audit or sign-in logs for role assumption or token use shortly after the request.
  • If credentials may have been exposed, rotate the instance role or managed identity and review API activity from that principal.

False positives

  • Platform agents and bootstrap scripts on new instances; allowlist by user agent or host group where validated.

Response

  • Restrict IMDS access (IMDSv2 hop limit, network policy) and remove unnecessary instance permissions.
  • Investigate the host for follow-on credential use or lateral movement.

Setup

Deploy the Network Packet Capture integration via Fleet on cloud workloads.

  • Enable Capture HTTP Traffic and include ports 80 and 443.
  • Enable Monitor Processes so network events include the process that initiated the connection.
  • Prefer ECS field remapping (map_to_ecs) on integration data streams.

Rule query

network where event.module == "network_traffic" and destination.ip == "169.254.169.254" and destination.port == 80 and
http.request.method == "GET" and url.path : (
  "/latest/meta-data/iam/security-credentials/*",
  "*computeMetadata/v1/instance/service-accounts/*/oauth2/access_token*",
  "*metadata/identity/oauth2/token*"
) and (
  ?process.name : (
    "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "dash", "sh", "tcsh", "tclsh", "wish",
    "csh", "zsh", "ksh", "fish", "mksh", "busybox",
    "bun.exe", "node.exe", "powershell.exe", "cmd.exe", "curl.exe", "wget.exe", "rundll32.exe", "w3wp.exe", "java*",
    "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", "spring*", "dotnet", "gunicorn", "uwsgi",
    ".*", "osascript"
  ) or ?process.executable : (
    "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/run/*", "/boot/*", "/.*", "C:\\Users\\*", "?:\\ProgramData\\*"
  ) or user_agent.original : (
    "curl*", "wget*", "python*", "ruby*", "Go-http-client*", "node*", "axios*", "undici*", "java*", "php*", "Bun*",
    "Apache-HttpClient*", "okhttp*", "RestTemplate*", "*WindowsPowerShell*", "*roadtools*", "*fasthttp*", "*azurehound*", "*bloodhound*", "*aiohttp*"
  )
)
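To see how the query above classifies events, here is an added plain-Python model of its match logic (example code, not the rule's own implementation or an Elastic API) run over constructed ECS-style events. The pattern lists are abridged from the query; `fnmatchcase` on lowercased values stands in for EQL's case-insensitive `:` wildcard operator, and a missing `?process.*` field is treated as a non-match, as in EQL.

```python
from fnmatch import fnmatchcase

IMDS_IP, IMDS_PORT = "169.254.169.254", 80
CREDENTIAL_PATHS = [  # taken from the rule query
    "/latest/meta-data/iam/security-credentials/*",
    "*computeMetadata/v1/instance/service-accounts/*/oauth2/access_token*",
    "*metadata/identity/oauth2/token*",
]
# Abridged subsets of the rule's process.name / process.executable / user_agent lists
PROCESS_NAMES = ["curl", "wget", "python*", "node", "bash", "sh", "powershell.exe", "java*", ".*"]
EXEC_PATHS = ["/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "C:\\Users\\*", "?:\\ProgramData\\*"]
USER_AGENTS = ["curl*", "python*", "Go-http-client*", "*WindowsPowerShell*", "*aiohttp*"]


def _any(value, patterns):
    """Model of EQL ':' on a list: case-insensitive wildcard match; a missing field never matches."""
    if value is None:
        return False
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def matches_rule(event):
    """Return True when a flattened ECS event satisfies the rule's conditions."""
    return (
        event.get("event.module") == "network_traffic"
        and event.get("destination.ip") == IMDS_IP
        and event.get("destination.port") == IMDS_PORT
        and event.get("http.request.method") == "GET"
        and _any(event.get("url.path"), CREDENTIAL_PATHS)
        and (_any(event.get("process.name"), PROCESS_NAMES)
             or _any(event.get("process.executable"), EXEC_PATHS)
             or _any(event.get("user_agent.original"), USER_AGENTS))
    )


def _ev(eid, path, **fields):
    base = {"id": eid, "event.module": "network_traffic", "destination.ip": IMDS_IP,
            "destination.port": IMDS_PORT, "http.request.method": "GET", "url.path": path}
    return {**base, **fields}

# Constructed sample events (not captured traffic): role and agent names are placeholders.
SAMPLE_EVENTS = [
    _ev("e1", "/latest/meta-data/iam/security-credentials/web-role",  # AWS creds via curl from /tmp
        **{"process.name": "curl", "process.executable": "/tmp/.x/curl", "user_agent.original": "curl/8.5.0"}),
    _ev("e2", "/metadata/identity/oauth2/token",  # Azure token; process enrichment absent, UA decides
        **{"user_agent.original": "Python/3.12 aiohttp/3.9.1"}),
    _ev("e3", "/computeMetadata/v1/instance/service-accounts/default/oauth2/access_token",  # GCP token
        **{"process.name": "platform-agent", "process.executable": "/usr/bin/platform-agent",
           "user_agent.original": "constructed-agent/1.0"}),  # not in any list -> no alert
    _ev("e4", "/latest/meta-data/hostname",  # non-credential path, so ignored even from curl
        **{"process.name": "curl", "user_agent.original": "curl/8.5.0"}),
]

def triage(events):
    """Pair each event id with the rule verdict, as an analyst would see it in the alert list."""
    return [(e["id"], matches_rule(e)) for e in events]
```

Event e3 also illustrates the false-positive note above: a platform agent only alerts if its process name, executable path or user agent lands in one of the query's lists.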

Framework: MITRE ATT&CK™