T1552.005 Cloud Instance Metadata API Mappings

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Most cloud service providers support a Cloud Instance Metadata API, a service exposed to running virtual instances that lets applications on the instance retrieve information about it. Available information generally includes the instance identity, its security groups, and additional metadata, including sensitive data such as temporary credentials for the instance's role and UserData scripts that may contain further secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible to anyone who can make requests from the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high-profile compromise.(Citation: Krebs Capital One August 2019)

If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Alternatively, an attacker with no foothold on the instance may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public-facing web application or proxy running on it: the vulnerable server fetches a URL of the attacker's choosing and relays the response, so a request for the Instance Metadata API returns the sensitive information to the attacker.(Citation: RedLock Instance Metadata API 2018)

The de facto standard across cloud service providers is to host the Instance Metadata API at the link-local address <code>http[:]//169.254.169.254</code>.
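The following Python program is added here as an illustration; it is not code from the ATT&CK page, from the mapping project, or from AWS. It stands up a minimal mock of the metadata service on 127.0.0.1 (the real service listens on 169.254.169.254) and compares the two request patterns discussed above and in the AWS Config mapping note below: a plain GET, which is all a typical SSRF bug lets an attacker steer because they control the URL but not the method or headers, and the IMDSv2 session flow, a PUT for a token followed by a GET carrying that token. The header names, the /latest/api/token endpoint and the /latest/meta-data/iam/security-credentials/<role> path are the real IMDS interface, and the 401 for token-less requests mimics the real service in "required" mode; the role name, the credential values and the server itself are constructed for the example.

```python
"""Mock of the EC2 Instance Metadata Service used to show why the IMDSv2 session
token defeats the plain GET that an SSRF bug typically gives an attacker.
Added example: the server, role name and credential values are constructed."""
import http.server
import secrets
import threading
import urllib.error
import urllib.request

TOKEN_HDR = "X-aws-ec2-metadata-token"              # real IMDSv2 header name
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"    # real IMDSv2 header name
CRED_PATH = "/latest/meta-data/iam/security-credentials/example-role"  # role name is constructed

# Constructed, non-functional credential material returned by the mock.
FAKE_CREDS = ('{"AccessKeyId": "ASIAEXAMPLEONLY", '
              '"SecretAccessKey": "constructed", "Token": "constructed"}')


class MockIMDS(http.server.BaseHTTPRequestHandler):
    require_token = True   # IMDSv2 "required" mode; False mimics IMDSv1 "optional"
    tokens = set()         # session tokens issued via PUT /latest/api/token

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_PUT(self):
        # IMDSv2 session start: PUT with a TTL header. An SSRF payload that can
        # only steer a GET with fixed headers cannot perform this step.
        if self.path == "/latest/api/token" and TTL_HDR in self.headers:
            tok = secrets.token_urlsafe(24)
            type(self).tokens.add(tok)
            self._send(200, tok)
        else:
            self._send(400, "bad token request")

    def do_GET(self):
        tok = self.headers.get(TOKEN_HDR)
        if type(self).require_token and tok not in type(self).tokens:
            self._send(401, "Unauthorized")   # what real IMDSv2 returns without a token
            return
        if self.path == CRED_PATH:
            self._send(200, FAKE_CREDS)
        else:
            self._send(404, "not found")

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock(require_token):
    """Start the mock on a loopback port and return (server, base_url)."""
    MockIMDS.require_token = require_token
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def _do(req):
    """Issue a request and return (status, body) without raising on 4xx."""
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def ssrf_style_get(base, path=CRED_PATH):
    """What a typical SSRF hands the attacker: a plain GET to a URL they choose."""
    return _do(urllib.request.Request(base + path))


def imdsv2_get(base, path=CRED_PATH, ttl=21600):
    """Legitimate IMDSv2 flow: PUT for a session token, then GET with the token header."""
    code, token = _do(urllib.request.Request(
        base + "/latest/api/token", method="PUT", headers={TTL_HDR: str(ttl)}))
    if code != 200:
        return code, token
    return _do(urllib.request.Request(base + path, headers={TOKEN_HDR: token}))


def demo():
    """Return status codes for (IMDSv1 plain GET, IMDSv2 plain GET, IMDSv2 token flow)."""
    srv, base = start_mock(require_token=False)
    v1_plain = ssrf_style_get(base)[0]        # credentials handed to an unauthenticated GET
    srv.shutdown(); srv.server_close()
    srv, base = start_mock(require_token=True)
    v2_plain = ssrf_style_get(base)[0]        # same GET now refused
    v2_token = imdsv2_get(base)[0]            # full handshake still works for code on the box
    srv.shutdown(); srv.server_close()
    return v1_plain, v2_plain, v2_token


if __name__ == "__main__":
    print(demo())  # (200, 401, 200)
```

The result (200, 401, 200) is the whole argument for IMDSv2: the older service hands the role credentials to any GET that reaches it, the token-required service refuses that GET, and only a client that can perform the PUT gets in. On a real instance the corresponding hardening is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, which is the setting the ec2-imdsv2-check rule looks for. It does not stop an adversary who already executes code on the instance, since they can perform the PUT themselves, which is why host-level controls and monitoring of credential use remain necessary.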

Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
AC-16 | Security and Privacy Attributes | Protects | T1552.005 | Cloud Instance Metadata API
AC-20 | Use of External Systems | Protects | T1552.005 | Cloud Instance Metadata API
AC-3 | Access Enforcement | Protects | T1552.005 | Cloud Instance Metadata API
AC-4 | Information Flow Enforcement | Protects | T1552.005 | Cloud Instance Metadata API
CA-7 | Continuous Monitoring | Protects | T1552.005 | Cloud Instance Metadata API
CM-6 | Configuration Settings | Protects | T1552.005 | Cloud Instance Metadata API
CM-7 | Least Functionality | Protects | T1552.005 | Cloud Instance Metadata API
IA-3 | Device Identification and Authentication | Protects | T1552.005 | Cloud Instance Metadata API
IA-4 | Identifier Management | Protects | T1552.005 | Cloud Instance Metadata API
SC-7 | Boundary Protection | Protects | T1552.005 | Cloud Instance Metadata API
SI-10 | Information Input Validation | Protects | T1552.005 | Cloud Instance Metadata API
SI-15 | Information Output Filtering | Protects | T1552.005 | Cloud Instance Metadata API
SI-4 | System Monitoring | Protects | T1552.005 | Cloud Instance Metadata API
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API
aws_config | AWS Config | technique_scores | T1552.005 | Cloud Instance Metadata API
    Comments: The "ec2-imdsv2-check" managed rule identifies instances that are still configured to allow the older Instance Metadata Service Version 1 (IMDSv1), which is less secure than IMDSv2 because it answers unauthenticated GET requests. This provides only partial coverage: the rule reports configuration rather than access, and an adversary with code execution on the instance can still complete the IMDSv2 token handshake and read credentials, so the overall score is Partial.
amazon_guardduty | Amazon GuardDuty | technique_scores | T1552.005 | Cloud Instance Metadata API
    Comments: The UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding type flags AWS API operations run from a host outside EC2 using temporary credentials that were issued to an EC2 instance in your AWS environment, which may indicate that those credentials have been compromised. The score is capped at Minimal because the finding fires only when the stolen credentials are used from outside EC2; the query to the metadata service itself is not observed.