EXPLORE

← Back to Explore

T1552.005

Cloud Instance Metadata API

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additio...

IaaS

11

Detections

2

Sources

1

Threat Actors

BY SOURCE

10elastic1splunk_escu

PROCEDURES (7)

Unusual4 detections

Auto-extracted: 4 detections for unusual

Azure2 detections

Auto-extracted: 2 detections for azure

Privilege1 detections

Auto-extracted: 1 detections for privilege

Lateral1 detections

Auto-extracted: 1 detections for lateral

Api1 detections

Auto-extracted: 1 detections for api

C21 detections

Auto-extracted: 1 detections for c2

Privilege1 detections

Auto-extracted: 1 detections for privilege

THREAT ACTORS (1)

DETECTIONS (11)

AWS EC2 Instance Console Login via Assumed Role

AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role

AWS EC2 User Data Retrieval for EC2 Instance

Azure Event Hub Authorization Rule Created or Updated

Azure Storage Account Key Regenerated

Cisco Isovalent - Access To Cloud Metadata Service

Unusual Instance Metadata Service (IMDS) API Request

Unusual Linux Process Calling the Metadata Service

Unusual Linux User Calling the Metadata Service

Unusual Windows Process Calling the Metadata Service

Unusual Windows User Calling the Metadata Service