When common processes start asking the wrong questions
Analysis Summary
# Tool/Technique: Instance Metadata Service (IMDS) Abuse
## Overview
The Instance Metadata Service (IMDS) is a feature in cloud computing environments (like AWS EC2, Azure, and GCP) designed to securely provide virtual machines with temporary credentials and configuration data without hardcoding secrets. IMDS abuse occurs when threat actors exploit vulnerabilities in the applications running on these instances to force the application to query the IMDS endpoint, stealing temporary credentials for privilege escalation and lateral movement.
## Technical Details
- Type: Technique
- Platform: Cloud Compute Instances (AWS, Azure, GCP)
- Capabilities: Retrieval of temporary security credentials, instance configuration data, and other sensitive metadata from the cloud provider's metadata service via local network endpoints.
- First Seen: The susceptibility of IMDSv1 to this kind of abuse has been documented for years; in-the-wild exploitation of variations of the mechanism is ongoing.
## MITRE ATT&CK Mapping
- T1550 - Use Alternate Authentication Material
- T1550.012 - Server Message Block (SMB) Session Hijacking (Not the primary mapping, but credential theft is key)
- T1078 - Valid Accounts
- T1078.004 - Cloud Accounts (The goal of IMDS abuse is to gain temporary credentials associated with cloud roles/accounts)
- T1190 - Exploit Public-Facing Application (the SSRF component): exploiting a vulnerable internet-facing service to force it to issue unauthorized requests on the attacker's behalf.
## Functionality
### Core Capabilities
- **Credential Theft:** Retrieving IAM role temporary credentials associated with the host instance (e.g., `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME`).
- **Lateral Movement/Privilege Escalation:** Using the stolen temporary credentials to interact with cloud services (S3, RDS, DynamoDB) potentially leading to broader access.
### Advanced Features
- **IMDSv1 Exploitation:** Exploiting the original version of IMDS which allows direct, unauthenticated HTTP requests.
- **SSRF Exploitation:** Leveraging application vulnerabilities (Server-Side Request Forgery) to trick the application into making requests to the local IMDS endpoint.
- **Code Injection/Misconfiguration:** Manipulating workloads with injection flaws or excessive network access to internally proxy requests to IMDS.
- **IMDSv2 Circumvention:** Modern attacks must contend with IMDSv2, which requires a token-based session (a PUT request to obtain a session token, then GET requests that present the token in a header for data retrieval). This makes exploitation more complex, because the attacker needs control over the HTTP method and headers rather than just the URL.
## Indicators of Compromise
- File Hashes: N/A (Technique, not specific malware)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: HTTP/HTTPS connections originating from a compute instance to the reserved link-local address `169.254.169.254` or to the corresponding Azure/GCP metadata service endpoints, especially from processes that do not normally communicate with IMDS.
- Behavioral Indicators: A common application (not designed to fetch cloud credentials) initiating an outgoing HTTP request to the IMDS address. Suspicious use of HTTP methods against the metadata endpoint (a PUT followed by GETs), particularly when coupled with unusual headers, which suggests an attempt to obtain and use an IMDSv2 token.
## Associated Threat Actors
Threat actors targeting cloud environments, particularly those exploiting web application vulnerabilities like SSRF to gain initial access or escalate privileges within AWS, Azure, or GCP environments.
## Detection Methods
- Signature-based detection: Detecting known shell commands or scripts accessing the specific IMDS URLs.
- Behavioral detection: **Anomaly Hunting**—identifying when common, non-cloud-native applications suddenly make requests to the IMDS endpoint, deviating from baseline behavior. Monitoring for unusual network connections initiated by vulnerable workloads to the metadata service IP range.
- YARA rules: Not applicable for a generalized technique, but highly specific malware utilizing this technique might have associated rules.
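The anomaly hunt described above, as an added example that is not part of the original report: it parses per-request host-agent records in a constructed log format, treats the process allowlist (`EXPECTED_PROCESSES`) as an assumed fleet baseline, and raises a finding whenever any other process contacts a metadata endpoint, escalating when the request mints an IMDSv2 token or reads a credential path.

```python
import re
# Metadata endpoints named on the page: AWS/Azure link-local v4, AWS v6, GCP hostname.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}
# Assumed baseline of processes that legitimately talk to IMDS; tune it to your fleet.
EXPECTED_PROCESSES = {"cloud-init", "amazon-ssm-agent", "walinuxagent", "google_guest_agent"}
# Paths that hand out credentials or tokens on AWS, GCP and Azure respectively.
CRED_PATH = re.compile(r"/iam/security-credentials/|/service-accounts/[^/]+/token|/metadata/identity/oauth2/token")
# IMDSv2 session-token mint: the PUT that a GET-only SSRF cannot issue.
TOKEN_PATH = "/latest/api/token"
# Constructed per-request log format (assumed host-agent export), one HTTP request per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
                    r"dst=(?P<dst>\S+) method=(?P<method>[A-Z]+) path=(?P<path>\S+)")
SEVERITY = {"credential-fetch": "high", "imdsv2-token-mint": "medium", "metadata-contact": "low"}

def classify(event):
    """Name the alert for a metadata request from an unexpected process, else None."""
    if event["dst"] not in METADATA_HOSTS or event["proc"] in EXPECTED_PROCESSES:
        return None
    if CRED_PATH.search(event["path"]):
        return "credential-fetch"
    if event["method"] == "PUT" and event["path"] == TOKEN_PATH:
        return "imdsv2-token-mint"
    return "metadata-contact"

def hunt(lines):
    """Return one finding per anomalous IMDS request; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        alert = classify(event)
        if alert:
            findings.append({"host": event["host"], "proc": event["proc"], "pid": int(event["pid"]),
                             "alert": alert, "severity": SEVERITY[alert], "path": event["path"]})
    return findings

# Constructed sample: a web app (java) mints an IMDSv2 token, then pulls role credentials;
# a node process on a GCP instance fetches a service-account token; the rest is benign.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z web-1 proc=cloud-init pid=412 dst=169.254.169.254 method=GET path=/latest/meta-data/instance-id
2024-05-01T10:03:10Z web-1 proc=java pid=2231 dst=169.254.169.254 method=PUT path=/latest/api/token hdr=X-aws-ec2-metadata-token-ttl-seconds:21600
2024-05-01T10:03:11Z web-1 proc=java pid=2231 dst=169.254.169.254 method=GET path=/latest/meta-data/iam/security-credentials/ hdr=X-aws-ec2-metadata-token:REDACTED
2024-05-01T10:03:12Z web-1 proc=java pid=2231 dst=169.254.169.254 method=GET path=/latest/meta-data/iam/security-credentials/WebAppRole hdr=X-aws-ec2-metadata-token:REDACTED
2024-05-01T10:05:00Z api-2 proc=node pid=917 dst=metadata.google.internal method=GET path=/computeMetadata/v1/instance/service-accounts/default/token hdr=Metadata-Flavor:Google
2024-05-01T10:06:00Z web-1 proc=nginx pid=100 dst=10.0.0.12 method=GET path=/healthz
"""
if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

The cloud-init line produces no finding because it is in the baseline, and the nginx line produces none because its destination is not a metadata endpoint; the same java PID appearing across a token mint and two credential reads is the pattern worth a ticket.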
## Mitigation Strategies
- **Enforce IMDSv2:** Configure instances (especially AWS EC2) to require IMDSv2, so that every metadata request must present a session token.
- **Network Segmentation:** Limit network access to the IMDS endpoint to only the processes that need it.
- **Application Hardening:** Patch known web vulnerabilities (e.g., classic SSRF) that let an attacker-supplied URL be fetched by the server and routed to the IMDS address.
- **Principle of Least Privilege:** Ensure IAM roles assigned to instances have the minimum necessary permissions, minimizing the impact of stolen credentials.
## Related Tools/Techniques
- Server-Side Request Forgery (SSRF)
- Credential Harvesting
- Cloud Service Role Assumption
- Specific cloud metadata services (AWS IMDS, Azure Instance Metadata Service, GCP VM metadata service)