Unsecured Credentials: Cloud Instance Metadata API

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.[1] A cloud metadata API has been used in at least one high profile compromise.[2]

If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.[3]

The de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.

ID: T1552.005
Sub-technique of:  T1552
Platforms: IaaS
Contributors: Praetorian
Version: 1.4
Created: 11 February 2020
Last Modified: 15 October 2024

Procedure Examples

ID Name Description
S0601 Hildegard

Hildegard has queried the Cloud Instance Metadata API for cloud credentials.[4]

S0683 Peirates

Peirates can query the query AWS and GCP metadata APIs for secrets.[5]

G0139 TeamTNT

TeamTNT has queried the AWS instance metadata service for credentials.[6][7]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable unnecessary metadata services and restrict or disable insecure versions of metadata services that are in use to prevent adversary access.[8]

M1037 Filter Network Traffic

Limit access to the Instance Metadata API. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.[3]

M1035 Limit Access to Resource Over Network

Limit access to the Instance Metadata API using a host-based firewall such as iptables.

Detection

ID Data Source Data Component Detects
DS0002 User Account User Account Authentication

It may be possible to detect adversary use of credentials they have obtained such as in Valid Accounts.

Analytic 1 - Failed or unusual logon attempts using compromised credentials.

index=security sourcetype="aws:cloudtrail" eventName="ConsoleLogin" (errorMessage="Failed authentication" OR errorMessage="Invalid login attempt") ORindex=security sourcetype="azure:activity" operationName="Sign-in activity" (status="Failed" OR status="Error") ORindex=security sourcetype="gcp:activity" protoPayload.methodName="google.iam.v1.logging.GetPolicy" (protoPayload.status.message="Failed" OR protoPayload.status.message="Invalid login attempt")

References