{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/imds/feed.json","home_page_url":"https://feed.craftedsignal.io/",
"items":[
{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["credential-access","discovery","cloud","imds"],"_cs_type":"threat","_cs_vendors":[],
"content_html":"\u003cp\u003eThis detection rule identifies processes making network connections to the Instance Metadata Service (IMDS) endpoint at the link-local address 169.254.169.254. IMDS exposes instance-specific information such as the instance ID and public IP address and, when an IAM role or managed identity is attached to the instance, the temporary credentials for that identity. Attackers who have already obtained code execution on an instance routinely query it for those credentials and then use them to escalate privileges and move laterally within the cloud account. Cloud agents and SDK credential providers poll IMDS constantly, so the rule does not alert on every request; it focuses on processes, scripts, and tools that are not normally associated with legitimate IMDS traffic, and it will need an allowlist of the agents present in your fleet. It covers Windows, macOS, and Linux systems. Note that a request reaching IMDS through server-side request forgery is issued by the web server process itself and looks like that process\u0026rsquo;s normal traffic, so this host-based rule complements, rather than replaces, network-level controls and IMDSv2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains access to a cloud instance, for example by exploiting a vulnerability in a web application running on it or by using compromised credentials.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker runs a command interpreter or scripting engine (e.g., bash, PowerShell, python) on the compromised instance.\u003c/li\u003e\n\u003cli\u003eDiscovery: From that interpreter the attacker sends HTTP requests to 169.254.169.254 on port 80 and enumerates the metadata tree.\u003c/li\u003e\n\u003cli\u003eCredential Access: IMDS returns the instance metadata, including the temporary credentials of the IAM role or managed identity attached to the instance.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker uses those credentials, from the instance or from any other host, to act with the permissions of the role, which are frequently broader than the workload needs.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the escalated privileges to move laterally to other cloud resources, such as storage, secrets, or other instances.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful abuse of IMDS exposes everything the instance identity is allowed to reach. Attackers can steal credentials, escalate privileges, and move laterally within the cloud environment, potentially causing significant damage, data breaches, or service disruptions. This is a generic post-compromise technique rather than a single campaign, so the blast radius is set by the permissions granted to the instance identity rather than by the victim\u0026rsquo;s sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious IMDS API Request via Common Tools\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious IMDS API Request from Unusual Locations\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eBlock access to 169.254.169.254 at the host firewall for users and processes that do not require it (for example, an iptables rule that matches on the owning UID), and keep containers off the metadata endpoint unless they need it.\u003c/li\u003e\n\u003cli\u003eReview and harden instance IAM roles and managed identities so that the credentials exposed through IMDS carry only the permissions the workload needs.\u003c/li\u003e\n\u003cli\u003eOn AWS, enforce IMDSv2 by setting the instance metadata option HttpTokens to required and keeping the PUT response hop limit at 1 where no container needs metadata. IMDSv2 requires a session token obtained with a PUT request, which blocks the single-GET retrieval that works against IMDSv1 through SSRF. Azure and GCP already require a request header (Metadata: true and Metadata-Flavor: Google respectively); this stops simple SSRF but not an attacker who can run commands on the host.\u003c/li\u003e\n\u003cli\u003eMonitor cloud control-plane telemetry (CloudTrail, Azure activity logs, GCP audit logs) for instance role credentials or managed identity tokens used from IP addresses other than the instance\u0026rsquo;s own.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by access to the IMDS endpoint (169.254.169.254): establish which process made the request, which user owns it, and whether its parent chain leads back to a web server or an interactive shell.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2026-05-27T10:02:28Z","date_published":"2026-05-27T10:02:28Z","id":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-imds-request/",
"summary":"This rule detects suspicious network activity from tools or scripts attempting to access the cloud service provider's Instance Metadata Service (IMDS) API endpoint, potentially retrieving sensitive instance-specific information and credentials.",
"title":"Suspicious Instance Metadata Service (IMDS) API Request","url":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-imds-request/"},
{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Defender XDR","Elastic Endgame","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["credential-access","cloud","imds"],"_cs_type":"threat","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],
"content_html":"\u003cp\u003eThis detection rule identifies command-line activity that queries a cloud instance\u0026rsquo;s metadata service (IMDS) endpoint. Attackers commonly abuse IMDS to retrieve sensitive instance-specific information, including instance IDs, public IP addresses, and the temporary security credentials of the role or managed identity attached to the instance. The rule focuses on command-line tools and scripts such as \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, and others, running on Linux, macOS, and Windows systems. Credentials obtained this way let an attacker call cloud APIs as the instance without knowing any password, and they remain valid until they expire even if the attacker is evicted from the host. The rule aims to detect this reconnaissance and credential access activity early in the attack chain. Its main blind spot is code that never puts the endpoint on a command line, such as a Python script using an HTTP library, so it should be paired with a rule on network connections to 169.254.169.254.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a cloud virtual machine (VM) through methods such as exploiting a web application vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eUpon gaining code execution, the attacker uses a command-line tool such as \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to query the local instance metadata service (IMDS) endpoint.\u003c/li\u003e\n\u003cli\u003eOn AWS the attacker lists the attached role name at \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u003c/code\u003e and then requests the same path with the role name appended. If IMDSv2 is enforced, a \u003ccode\u003ePUT\u003c/code\u003e to \u003ccode\u003e/latest/api/token\u003c/code\u003e carrying the \u003ccode\u003eX-aws-ec2-metadata-token-ttl-seconds\u003c/code\u003e header comes first and the returned token is supplied in the \u003ccode\u003eX-aws-ec2-metadata-token\u003c/code\u003e header; that is one extra command for an attacker with a shell, so IMDSv2 alone is not a defense against this step.\u003c/li\u003e\n\u003cli\u003eIf the instance has an IAM role assigned, IMDS returns temporary security credentials: an access key ID, secret access key, session token, and expiry time.\u003c/li\u003e\n\u003cli\u003eAlternatively, on Azure the attacker requests a managed identity token from \u003ccode\u003e/metadata/identity/oauth2/token\u003c/code\u003e with the \u003ccode\u003eMetadata: true\u003c/code\u003e header and \u003ccode\u003eapi-version\u003c/code\u003e and \u003ccode\u003eresource\u003c/code\u003e query parameters; the Sigma pattern \u003ccode\u003e/metadata/identity/oauth2/token*resource=*\u003c/code\u003e uses \u003ccode\u003e*\u003c/code\u003e as wildcards for those parameters. The response is an OAuth 2.0 access token for the requested resource rather than a key pair.\u003c/li\u003e\n\u003cli\u003eThe attacker exports the retrieved credentials, writing them to disk or setting them as environment variables such as \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e, and \u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e, typically on a machine they control.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to interact with cloud resources, such as accessing storage buckets, secrets management services, or IAM APIs.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and moves laterally within the cloud environment using the compromised credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives attackers valid cloud credentials without requiring a password. This can lead to unauthorized access to critical cloud resources, data breaches, and privilege escalation within the victim\u0026rsquo;s cloud environment. The impact may include unauthorized data access, exfiltration of sensitive information, and potentially full compromise of the cloud infrastructure. The rule carries a risk score of 47, which corresponds to medium severity; the score reflects the volume of benign IMDS traffic on a cloud host rather than the impact of a stolen role credential, which can be severe.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious IMDS API Access via Common Tools\u0026rdquo; to your SIEM to identify suspicious command-line access attempts to the IMDS endpoint.\u003c/li\u003e\n\u003cli\u003eEnable command-line capture in process creation telemetry: Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled on Windows, and auditd execve records or EDR process telemetry on Linux and macOS. The rule matches on the command line, so process events that omit it cannot trigger it.\u003c/li\u003e\n\u003cli\u003eRestrict which users, services, and containers can reach the metadata endpoint, using host firewall rules or container network policy.\u003c/li\u003e\n\u003cli\u003eOn AWS, enforce IMDSv2 by setting HttpTokens to required and keep the PUT response hop limit at 1 unless containers on the host need metadata; this defeats IMDSv1-style retrieval through SSRF, though not an attacker who can already run commands.\u003c/li\u003e\n\u003cli\u003eReview and minimize the permissions granted to IAM roles and managed identities associated with cloud instances to adhere to the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eMonitor cloud control plane telemetry for instance role credentials or managed identity tokens used against sensitive APIs or from IP addresses that are not the instance\u0026rsquo;s.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2026-05-27T10:02:11Z","date_published":"2026-05-27T10:02:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-imds-api-cli/",
"summary":"The rule identifies command-line executions that attempt to access a cloud service provider's Instance Metadata Service (IMDS) API endpoint, potentially retrieving sensitive instance information and temporary security credentials, ultimately leading to credential access and privilege escalation within the cloud environment.",
"title":"Suspicious Instance Metadata Service (IMDS) API Command Line Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-imds-api-cli/"}
],
"language":"en","title":"CraftedSignal Threat Feed — Imds","version":"https://jsonfeed.org/version/1.1"}
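The two briefs above describe one technique from two vantage points: command lines that name the metadata endpoint, and processes that connect to 169.254.169.254 without being an expected agent. The Python below is an added example, not code from the CraftedSignal feed or from the Sigma rules it references; it runs both checks over constructed endpoint events. The `EXPECTED_REQUESTERS` baseline, the event field names (`kind`, `image`, `cmdline`, `dst_ip`) and every sample event are assumptions for illustration. It goes one step beyond the briefs by folding decimal and hexadecimal spellings of the address (`2852039166`, `0xa9fea9fe`), which curl accepts, back onto the canonical form, so a simple substring match on the dotted quad is not the weak point.

```python
"""Added example, not from the CraftedSignal feed or the Sigma rules it cites.

Two IMDS checks over constructed endpoint telemetry:
  * command lines that reference the metadata endpoint   (command-line brief)
  * connections to the endpoint from non-baseline images (unusual-process brief)
Event field names and the EXPECTED_REQUESTERS baseline are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Link-local IPv4 endpoint shared by AWS, Azure and GCP, plus the AWS IPv6 endpoint.
IMDS_ADDRESSES = {ipaddress.ip_address("169.254.169.254"),
                  ipaddress.ip_address("fd00:ec2::254")}
# DNS names that resolve to the metadata service (AWS alias, GCP name).
IMDS_HOSTNAMES = {"instance-data", "metadata.google.internal"}
# Lower-cased path prefixes that return credentials or the IMDSv2 token to read them.
CREDENTIAL_PATHS = (
    "/latest/api/token",                              # AWS IMDSv2 session token (PUT)
    "/latest/meta-data/iam/security-credentials",     # AWS role credentials
    "/metadata/identity/oauth2/token",                # Azure managed identity token
    "/computemetadata/v1/instance/service-accounts",  # GCP service-account tokens
)
# Assumed baseline of agents that legitimately poll IMDS; tune per fleet.
EXPECTED_REQUESTERS = {"amazon-ssm-agent", "cloud-init", "waagent", "google_guest_agent"}


def normalize_host(host):
    """Return an ip_address for any spelling of an IP host, else the lowercased name.

    curl treats http://2852039166/ and http://0xa9fea9fe/ as 169.254.169.254;
    int(host, 0) folds both spellings back onto the canonical address.
    """
    host = host.strip("[]").lower()
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return host


def imds_targets(cmdline):
    """List every IMDS URL referenced in a command line, flagging credential paths."""
    findings = []
    # Quotes are dropped so quoted URLs and PowerShell -Uri arguments split cleanly.
    for tok in cmdline.replace('"', " ").replace("'", " ").split():
        url = tok if "://" in tok else "http://" + tok  # curl accepts scheme-less URLs
        try:
            parts = urlsplit(url)
        except ValueError:
            continue
        if not parts.hostname:
            continue
        host = normalize_host(parts.hostname)
        # A bare word such as a header name must not match a DNS alias; IPs always match.
        explicit = "://" in tok or "/" in tok
        if host in IMDS_ADDRESSES or (explicit and host in IMDS_HOSTNAMES):
            path = parts.path.lower().rstrip("/")
            findings.append({"host": str(host), "path": parts.path,
                             "credential_path": any(path.startswith(p) for p in CREDENTIAL_PATHS)})
    return findings


def image_name(image):
    """Lowercased basename of a Windows or POSIX image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Apply both detections to a list of events and return the alerts raised."""
    alerts = []
    for ev in events:
        if ev["kind"] == "process":
            targets = imds_targets(ev["cmdline"])
            if targets:
                alerts.append({"rule": "imds_api_cli", "image": ev["image"],
                               "credential_access": any(t["credential_path"] for t in targets),
                               "targets": targets})
        elif ev["kind"] == "network":
            to_imds = ipaddress.ip_address(ev["dst_ip"]) in IMDS_ADDRESSES
            if to_imds and image_name(ev["image"]) not in EXPECTED_REQUESTERS:
                alerts.append({"rule": "imds_unusual_process", "image": ev["image"],
                               "dst_ip": ev["dst_ip"]})
    return alerts


# Constructed sample telemetry (not real logs): four credential reads across AWS v2,
# AWS decimal-IP, Azure and GCP; one benign curl; one unexpected and one expected
# process connecting to the endpoint.
SAMPLE_EVENTS = [
    {"kind": "process", "image": "/usr/bin/curl",
     "cmdline": 'curl -s -X PUT http://169.254.169.254/latest/api/token '
                '-H "X-aws-ec2-metadata-token-ttl-seconds: 21600"'},
    {"kind": "process", "image": "/usr/bin/curl",
     "cmdline": "curl http://2852039166/latest/meta-data/iam/security-credentials/"},
    {"kind": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -c \"Invoke-RestMethod -Headers @{Metadata='true'} -Uri "
                "'http://169.254.169.254/metadata/identity/oauth2/token"
                "?api-version=2018-02-01&resource=https://management.azure.com/'\""},
    {"kind": "process", "image": "/usr/bin/curl",
     "cmdline": "curl -H 'Metadata-Flavor: Google' http://metadata.google.internal"
                "/computeMetadata/v1/instance/service-accounts/default/token"},
    {"kind": "process", "image": "/usr/bin/curl", "cmdline": "curl -sI https://example.com/health"},
    {"kind": "network", "image": "/usr/bin/python3", "dst_ip": "169.254.169.254"},
    {"kind": "network", "image": "/usr/bin/amazon-ssm-agent", "dst_ip": "169.254.169.254"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints five alerts: the four command lines, each marked `credential_access: True`, and the unexpected `python3` connection; the health-check curl and the SSM agent produce nothing. The `credential_path` flag is what separates a noisy "something touched IMDS" signal from "a credential or token was requested", which is the event worth paging on.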