Description
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)
If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)
The de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.
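The difference between IMDSv1 and IMDSv2 is the whole reason the "disable insecure versions" mitigation works, so here it is as a runnable exchange. This is an added example, not code from the ATT&CK page or from AWS: it runs a small in-process mock of the metadata service on loopback and shows that a bare GET (all that a typical GET-only SSRF lets an attacker send) returns credentials when tokens are optional and a 401 when they are required. The paths and header names are the real IMDS ones; the mock, the role name and the credential values are constructed placeholders.

```python
# Added example, not from the ATT&CK page or any AWS code: an in-process mock of
# the EC2 instance metadata service, used to show why a bare GET retrieves
# credentials under IMDSv1 but not when IMDSv2 session tokens are required.
# Paths and header names are the real IMDS ones; FAKE_ROLE/FAKE_CREDS are
# constructed placeholders, not real credentials.
import json
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_PATH = "/latest/api/token"
FAKE_ROLE = "example-instance-role"
FAKE_CREDS = {"AccessKeyId": "EXAMPLE-NOT-A-REAL-KEY",
              "SecretAccessKey": "example", "Token": "example"}


class MockIMDS(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # IMDSv2 session token: PUT with a TTL header. The real service caps the
        # TTL at six hours and refuses to mint a token for a request carrying
        # X-Forwarded-For, which stops most forwarding proxies acting as token brokers.
        if self.path != TOKEN_PATH:
            return self._reply(404, "not found")
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds", "")
        if "X-Forwarded-For" in self.headers or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400, "bad request")
        token = secrets.token_urlsafe(32)
        self.server.tokens[token] = time.monotonic() + int(ttl)
        self._reply(200, token)

    def do_GET(self):
        token = self.headers.get("X-aws-ec2-metadata-token")
        fresh = self.server.tokens.get(token, 0) > time.monotonic()
        if self.server.require_token and not fresh:
            return self._reply(401, "unauthorized")  # "http-tokens required": v1-style GETs stop here
        if self.path == CREDS_PATH:
            return self._reply(200, FAKE_ROLE)
        if self.path == CREDS_PATH + FAKE_ROLE:
            return self._reply(200, json.dumps(FAKE_CREDS))
        self._reply(404, "not found")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock(require_token):
    """Start the mock on an ephemeral loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockIMDS)
    srv.require_token = require_token  # emulates --http-tokens required (True) / optional (False)
    srv.tokens = {}
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars


def _call(url, method="GET", headers=None):
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def v1_fetch(base):
    """What a GET-only SSRF can do: one bare request, no custom headers."""
    return _call(base + CREDS_PATH)


def v2_fetch(base, ttl=300):
    """The IMDSv2 flow: PUT for a session token, then GETs that carry it."""
    status, token = _call(base + TOKEN_PATH, "PUT",
                          {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    if status != 200:
        raise RuntimeError("token request failed: %s" % token)
    hdr = {"X-aws-ec2-metadata-token": token}
    _, role = _call(base + CREDS_PATH, headers=hdr)
    _, body = _call(base + CREDS_PATH + role, headers=hdr)
    return json.loads(body)


def demo():
    """Run both clients against both modes: {require_token: (v1 status, v2 AccessKeyId)}."""
    out = {}
    for require_token in (False, True):
        srv, base = start_mock(require_token)
        try:
            out[require_token] = (v1_fetch(base)[0], v2_fetch(base)["AccessKeyId"])
        finally:
            srv.shutdown()
            srv.server_close()
    return out


if __name__ == "__main__":
    print(demo())  # {False: (200, 'EXAMPLE-NOT-A-REAL-KEY'), True: (401, 'EXAMPLE-NOT-A-REAL-KEY')}
```

The token step is what an SSRF through a GET-only proxy cannot perform: it needs a PUT with a custom header, and a forwarding proxy that adds X-Forwarded-For is refused a token outright. On real instances the equivalent of `require_token=True` is the `--http-tokens required` metadata option; legitimate software keeps working because the AWS SDKs already speak the v2 flow.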
Mitigations (3)
Limit Access to Resource Over Network (M1035)
Limit access to the Instance Metadata API using a host-based firewall such as iptables.
Disable or Remove Feature or Program (M1042)
Disable unnecessary metadata services and restrict or disable insecure versions of metadata services that are in use to prevent adversary access.(Citation: Amazon AWS IMDS V2)
Filter Network Traffic (M1037)
Limit access to the Instance Metadata API. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)
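A WAF can only catch the SSRF payloads it recognises; the more reliable filter sits in the application that makes the outbound request. The following is an added example, not code from the ATT&CK page or from any vendor: a destination check for a server-side URL fetcher (proxy, webhook sender, image fetcher) that refuses any URL which would reach a metadata service, including the alternative spellings that defeat a naive string match on `169.254.169.254`. The resolver is injectable so the check can run offline; the DNS table and sample URLs are constructed, and the `system_resolve` default is the only part that touches the network.

```python
# Added example, not from the ATT&CK page or any vendor's code: an SSRF egress
# guard that refuses URLs reaching cloud metadata services. The resolver is
# injectable so the guard can be tested with a constructed DNS table.
import ipaddress
import socket
from urllib.parse import urlsplit

# Metadata endpoints by address (AWS, Azure and Oracle use the link-local IPv4,
# AWS also serves fd00:ec2::254, Alibaba Cloud uses 100.100.100.200) and by
# name (GCP answers on metadata.google.internal and the short name "metadata").
METADATA_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "fd00:ec2::254/128", "100.100.100.200/32")]
METADATA_HOSTS = {"metadata.google.internal", "metadata"}


def system_resolve(host):
    """Default resolver: every address getaddrinfo returns, not just the first."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def candidate_addresses(host, resolve=system_resolve):
    """All IPs a host string may connect to, accepting the alternate encodings
    libc and curl accept (bare integer, hex, octal and short dotted forms)."""
    h = host.strip("[]")
    try:
        return [ipaddress.ip_address(h)]
    except ValueError:
        pass
    if h.isdigit() and int(h) < 2 ** 32:  # http://2852039166/ is 169.254.169.254
        return [ipaddress.ip_address(int(h))]
    try:  # 0xa9fea9fe, 0251.0376.0251.0376, 169.254.43518: inet_aton parses them like libc
        return [ipaddress.ip_address(socket.inet_aton(h))]
    except OSError:
        pass
    return [ipaddress.ip_address(a) for a in resolve(h)]


def metadata_target(url, resolve=system_resolve):
    """Return a reason string if the URL would reach a metadata service, else None."""
    try:
        host = urlsplit(url).hostname
    except ValueError as err:
        return "unparseable URL: %s" % err
    if not host:
        return "URL has no host"
    if host.lower().rstrip(".") in METADATA_HOSTS:
        return "%s is a metadata hostname" % host
    try:
        addrs = candidate_addresses(host, resolve)
    except (ValueError, OSError) as err:
        return "cannot resolve %s: %s" % (host, err)
    for addr in addrs:
        # ::ffff:169.254.169.254 connects to the IPv4 address on a dual-stack socket
        for a in (addr, getattr(addr, "ipv4_mapped", None)):
            if a is not None and any(a in net for net in METADATA_NETS):
                return "%s resolves to metadata address %s" % (host, a)
    return None


def screen(urls, resolve=system_resolve):
    """Map each URL to ('allow', None) or ('deny', reason); the vulnerable
    fetcher is the one that calls urlopen(url) without this step."""
    decisions = {}
    for url in urls:
        reason = metadata_target(url, resolve)
        decisions[url] = ("deny", reason) if reason else ("allow", None)
    return decisions


# Constructed DNS table standing in for the real resolver during the demo.
FAKE_DNS = {"api.example": ["203.0.113.10"],
            "rebind.example": ["203.0.113.10", "169.254.169.254"],
            "v6.example": ["fd00:ec2::254"]}

if __name__ == "__main__":
    for url, verdict in screen([
            "https://api.example/v1/items",
            "http://169.254.169.254/latest/meta-data/",
            "http://2852039166/latest/meta-data/",
            "http://[::ffff:169.254.169.254]/latest/meta-data/",
            "http://metadata.google.internal/computeMetadata/v1/",
            "http://rebind.example/", "http://v6.example/"],
            resolve=lambda h: FAKE_DNS[h]).items():
        print(verdict[0], url, verdict[1] or "")
```

Two caveats belong with any check like this. The verdict is only as good as the address actually connected to: resolve once, check, then connect to that same address (and refuse or re-check HTTP redirects) so a DNS rebind between the check and the connect cannot swap in 169.254.169.254. And the check complements, rather than replaces, requiring IMDSv2 on the instance, which stops the credential read even when a filter is bypassed.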
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has queried the AWS instance metadata service for credentials.(Citation: Trend Micro TeamTNT)(Citatio... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S9009 | TruffleHog | Tool | [TruffleHog](https://attack.mitre.org/software/S9009) can query the AWS and GCP metadata endpoints for instances and service credentials.(Citation: Bl... |
| S0683 | Peirates | Tool | [Peirates](https://attack.mitre.org/software/S0683) can query the AWS and GCP metadata APIs for secrets.(Citation: Peirates GitHub) |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has queried the Cloud Instance Metadata API for cloud credentials.(Citation: Unit 42 Hildegard Ma... |
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has queried the AWS and GCP metadata endpoints for instances and service credentials.(Citation: ... |
References
- AWS. (n.d.). Instance Metadata and User Data. Retrieved July 18, 2019.
- Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019.
- Krebs, B. (2019, August 19). What We Can Learn from the Capital One Hack. Retrieved March 25, 2020.
Frequently Asked Questions
What is T1552.005 (Cloud Instance Metadata API)?
T1552.005 is a MITRE ATT&CK technique named 'Cloud Instance Metadata API'. It belongs to the Credential Access tactic(s). Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud service providers support a Cloud Instance Metadata API which is a servic...
How can T1552.005 be detected?
Detection of T1552.005 (Cloud Instance Metadata API) looks in three places. On the instance, watch for processes that request 169.254.169.254 (or the provider's metadata hostname), especially interactive tools such as curl or wget rather than the SDKs and agents that normally call it, and for requests that arrive without an IMDSv2 token. At the web tier, look for inbound requests whose parameters carry a metadata URL, which indicates an SSRF attempt. In the cloud audit trail (for example AWS CloudTrail), look for instance-role credentials used from IP addresses outside the account's known egress ranges or delivered by IMDSv1; cloud-native detectors such as GuardDuty's InstanceCredentialExfiltration findings cover that last case. Feed these into SIEM rules, EDR telemetry and behavioral analytics rather than relying on any one source.
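The audit-trail check is the one that catches credentials after they have left the instance, as in the Capital One case, so here it is worked through. This is an added example, not detection content from the ATT&CK page or from any vendor: it scans CloudTrail-style records for EC2 instance-profile sessions (their role session name is the instance ID) and flags those used from outside the account's known egress ranges, plus any delivered by IMDSv1, which CloudTrail records in `sessionContext.ec2RoleDelivery`. The events and the egress ranges are constructed.

```python
# Added example, not from the ATT&CK page or any vendor: two CloudTrail checks
# for credentials obtained from the EC2 metadata service. Instance-profile
# sessions carry the instance ID as the role session name, and
# sessionContext.ec2RoleDelivery records whether IMDSv1 ("1.0") or IMDSv2
# ("2.0") handed out the credentials. Events and egress ranges are constructed.
import ipaddress
import re

INSTANCE_SESSION = re.compile(
    r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

# Where this account's instances are expected to call AWS APIs from. Calls
# routed through an internet gateway show the instance's public or Elastic IP,
# not its private address, so NAT and Elastic IPs belong in this list too.
KNOWN_EGRESS = [ipaddress.ip_network(c) for c in ("10.0.0.0/16", "192.0.2.40/32")]

INSTANCE_ARN = "arn:aws:sts::123456789012:assumed-role/web-role/i-0123456789abcdef0"

EVENTS = [  # constructed CloudTrail records, trimmed to the fields used
    {"eventID": "e1", "eventName": "ListBuckets", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    {"eventID": "e2", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    {"eventID": "e3", "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    {"eventID": "e4", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventID": "e5", "eventName": "PutObject", "sourceIPAddress": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
]


def instance_id(event):
    """Instance ID if the caller is an EC2 instance-profile session, else None."""
    m = INSTANCE_SESSION.match(event.get("userIdentity", {}).get("arn", ""))
    return m.group(1) if m else None


def findings(events, known_egress=KNOWN_EGRESS):
    """Return (finding, eventID, instance_id) tuples for the two conditions."""
    out = []
    for ev in events:
        iid = instance_id(ev)
        if not iid:
            continue  # users, other roles: not metadata-sourced credentials
        ctx = ev["userIdentity"].get("sessionContext", {})
        if ctx.get("ec2RoleDelivery") == "1.0":
            out.append(("imdsv1-credentials", ev["eventID"], iid))
        try:
            src = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # service-to-service calls record a principal such as s3.amazonaws.com
        if not any(src in net for net in known_egress):
            out.append(("instance-credentials-used-outside-egress", ev["eventID"], iid))
    return out


if __name__ == "__main__":
    for f in findings(EVENTS):
        print(*f)
```

The outside-egress finding is the high-confidence one: an instance's credentials being used from an address the account never calls AWS from means they were copied somewhere else. The IMDSv1 finding is an inventory signal rather than an alert, useful for finding the instances that still need `--http-tokens required` before the v1 endpoint is switched off.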
What mitigations exist for T1552.005?
There are 3 documented mitigations for T1552.005. Key mitigations include: Limit Access to Resource Over Network, Disable or Remove Feature or Program, Filter Network Traffic.
Which threat groups use T1552.005?
Known threat groups using T1552.005 include: TeamTNT.