<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Imds — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/imds/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 27 May 2026 10:02:28 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/imds/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Instance Metadata Service (IMDS) API Request</title><link>https://feed.craftedsignal.io/briefs/2026-05-suspicious-imds-request/</link><pubDate>Wed, 27 May 2026 10:02:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-suspicious-imds-request/</guid><description>This rule detects suspicious network activity from tools or scripts attempting to access the cloud service provider's Instance Metadata Service (IMDS) API endpoint, potentially retrieving sensitive instance-specific information and credentials.</description><content:encoded><![CDATA[<p>This detection rule identifies processes making network requests to the Instance Metadata Service (IMDS) API endpoint (169.254.169.254). The IMDS API provides access to sensitive instance-specific information, including instance ID, public IP address, and temporary security credentials if roles are assumed by that instance. Attackers often exploit this service after gaining initial access to a cloud instance to escalate privileges and move laterally within the cloud environment. The rule focuses on detecting suspicious processes, scripts, or tools that are not typically associated with legitimate IMDS API requests. 
It covers Windows, macOS, and Linux systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to a cloud instance through various means, such as exploiting a web application vulnerability or using compromised credentials.</li>
<li>Execution: The attacker executes a command interpreter or scripting engine (e.g., bash, PowerShell, python) on the compromised instance.</li>
<li>Discovery: The attacker uses the command interpreter or scripting engine to make a network request to the IMDS API endpoint (169.254.169.254) on port 80.</li>
<li>Credential Access: The IMDS API provides the attacker with instance metadata, including temporary security credentials associated with the instance&rsquo;s IAM role.</li>
<li>Privilege Escalation: The attacker uses the acquired credentials to escalate privileges within the cloud environment.</li>
<li>Lateral Movement: The attacker uses the escalated privileges to move laterally to other cloud resources, such as storage, secrets, or other instances.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of the IMDS API can lead to the compromise of sensitive cloud resources. Attackers can steal credentials, escalate privileges, and move laterally within the cloud environment, potentially causing significant damage, data breaches, or service disruptions. The number of victims and sectors targeted varies depending on the specific campaign.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious IMDS API Request via Common Tools&rdquo; to your SIEM and tune for your environment.</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious IMDS API Request from Unusual Locations&rdquo; to your SIEM and tune for your environment.</li>
<li>Block the IMDS API endpoint (169.254.169.254) at the network level for processes that do not require it, as described in the rule overview.</li>
<li>Review and harden instance IAM roles to limit the scope of credentials exposed through IMDS, as mentioned in the investigation guide.</li>
<li>Enforce IMDSv2, the more secure version of the IMDS API, as a preventative measure.</li>
<li>Monitor cloud control-plane telemetry for suspicious use of instance role credentials or managed identity tokens.</li>
<li>Investigate any alerts triggered by access to the IMDS API endpoint (169.254.169.254).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>credential-access</category><category>discovery</category><category>cloud</category><category>imds</category></item><item><title>Suspicious Instance Metadata Service (IMDS) API Command Line Execution</title><link>https://feed.craftedsignal.io/briefs/2026-05-suspicious-imds-api-cli/</link><pubDate>Wed, 27 May 2026 10:02:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-suspicious-imds-api-cli/</guid><description>The rule identifies command-line executions that attempt to access a cloud service provider's Instance Metadata Service (IMDS) API endpoints, potentially retrieving sensitive instance information and temporary security credentials, ultimately leading to credential access and privilege escalation within the cloud environment.</description><content:encoded><![CDATA[<p>This detection rule identifies command-line activity that attempts to query a cloud instance&rsquo;s metadata service (IMDS) API endpoint. Attackers commonly exploit IMDS to retrieve sensitive instance-specific information, including instance IDs, public IP addresses, and temporary security credentials associated with assumed roles. The rule focuses on command-line tools and scripts like <code>curl</code>, <code>wget</code>, <code>powershell.exe</code>, and others, running on Linux, macOS, and Windows systems. This behavior allows attackers to gain unauthorized access to cloud resources by leveraging stolen credentials without needing passwords. The rule aims to detect this reconnaissance and credential access technique early in the attack chain.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a cloud virtual machine (VM) through methods such as exploiting a web application vulnerability or using compromised credentials.</li>
<li>Upon gaining code execution, the attacker uses a command-line tool such as <code>curl</code> or <code>wget</code> to query the local instance metadata service (IMDS) endpoint.</li>
<li>The attacker crafts a request to retrieve IAM role credentials by accessing the IMDS endpoint at <code>http://169.254.169.254/latest/meta-data/iam/security-credentials/</code>.</li>
<li>If the instance has an IAM role assigned, the IMDS API returns temporary security credentials, including an access key ID, secret access key, and session token.</li>
<li>Alternatively, the attacker may target Azure managed identities by querying <code>/metadata/identity/oauth2/token*resource=*</code>.</li>
<li>The attacker exports the retrieved credentials, writing them to disk or setting them as environment variables.</li>
<li>The attacker uses the stolen credentials to interact with cloud resources, such as accessing storage buckets, secrets management services, or IAM APIs.</li>
<li>The attacker escalates privileges and moves laterally within the cloud environment using the compromised credentials.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to obtain sensitive cloud credentials without requiring passwords. This can lead to unauthorized access to critical cloud resources, data breaches, and privilege escalation within the victim&rsquo;s cloud environment. The impact may include unauthorized data access, exfiltration of sensitive information, and potentially full compromise of the cloud infrastructure. The risk score is rated at 47, emphasizing the severity of potential credential compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious IMDS API Access via Common Tools&rdquo; to your SIEM to identify suspicious command-line access attempts to the IMDS endpoint.</li>
<li>Enable Sysmon process creation logging on Windows systems so that command-line activity is captured for the Sigma rule (see the logsource section of the rule).</li>
<li>Implement network segmentation to limit which users, services, or containers can reach the metadata endpoint, as mentioned in the response and remediation steps.</li>
<li>Enforce the use of IMDSv2 (instance metadata service version 2) to mitigate the risks associated with IMDSv1, per the hardening recommendations in the analysis section.</li>
<li>Review and minimize the permissions granted to IAM roles associated with cloud instances to adhere to the principle of least privilege.</li>
<li>Monitor cloud control plane telemetry for suspicious use of instance role credentials or managed identity tokens against sensitive APIs.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>credential-access</category><category>cloud</category><category>imds</category></item></channel></rss>