Loading

Cloud Instance Metadata Credential Path HTTP Request

Detects HTTP GET requests to the link-local instance metadata service (169.254.169.254) for cloud credential or token paths on AWS, GCP, or Azure. Adversaries and vulnerable workloads use scripts, shells, or application runtimes to read IAM role credentials or OAuth tokens from the metadata API. Requires the Network Packet Capture integration with HTTP decoding on ports 80 and 443 and process enrichment enabled so "process.*" fields are present.

Rule type: eql
Rule indices:

  • logs-network_traffic.http*
  • packetbeat-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Domain: Network
  • OS: Linux
  • OS: Windows
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Data Source: Network Packet Capture
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule matches outbound HTTP GETs to 169.254.169.254 where the URL path requests IAM credentials or cloud OAuth tokens, filtered to common scripting runtimes, suspicious executable paths, or tool-like user agents.

  • Confirm url.path (AWS security-credentials, GCP oauth2/access_token, Azure metadata/identity/oauth2/token).
  • Review process.name, process.executable, and user_agent.original — scripted tools and temp-path binaries are higher risk.
  • Check host.name or host.hostname and whether the workload should run on a cloud VM with an instance profile or managed identity.
  • Correlate with cloud audit or sign-in logs for role assumption or token use shortly after the request.
  • If credentials may have been exposed, rotate the instance role or managed identity and review API activity from that principal.
  • Platform agents and bootstrap scripts on new instances; allowlist by user agent or host group where validated.
  • Restrict IMDS access (IMDSv2 hop limit, network policy) and remove unnecessary instance permissions.
  • Investigate the host for follow-on credential use or lateral movement.

Deploy the Network Packet Capture integration via Fleet on cloud workloads.

  • Enable Capture HTTP Traffic and include ports 80 and 443.
  • Enable Monitor Processes so network events include the process that initiated the connection.
  • Prefer ECS field remapping (map_to_ecs) on integration data streams.
network where event.module == "network_traffic" and destination.ip == "169.254.169.254" and destination.port == 80 and
http.request.method == "GET" and url.path : (
  "/latest/meta-data/iam/security-credentials/*",
  "*computeMetadata/v1/instance/service-accounts/*/oauth2/access_token*",
  "*metadata/identity/oauth2/token*"
) and (
  ?process.name : (
    "curl", "wget", "python*", "node", "bun", "php*", "ruby", "perl", "bash", "dash", "sh", "tcsh", "tclsh", "wish",
    "csh", "zsh", "ksh", "fish", "mksh", "busybox",
    "bun.exe", "node.exe", "powershell.exe", "cmd.exe", "curl.exe", "wget.exe", "rundll32.exe", "w3wp.exe", "java*",
    "go", "nc", "netcat", "nginx", "apache*", "httpd", "tomcat*", "catalina", "spring*", "dotnet", "gunicorn", "uwsgi",
    ".*", "osascript"
  ) or ?process.executable : (
    "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*/*", "/var/run/*", "/run/*", "/boot/*", "/.*", "C:\\Users\\*", "?:\\ProgramData\\*"
  ) or user_agent.original : (
    "curl*", "wget*", "python*", "ruby*", "Go-http-client*", "node*", "axios*", "undici*", "java*", "php*", "Bun*",
    "Apache-HttpClient*", "okhttp*", "RestTemplate*", "*WindowsPowerShell*", "*roadtools*", "*fasthttp*", "*azurehound*", "*bloodhound*", "*aiohttp*"
  )
)

Framework: MITRE ATT&CK