Unusual Instance Metadata Service (IMDS) API Request

This rule identifies potentially malicious processes attempting to access the cloud service provider's Instance Metadata Service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as the instance ID, the public IP address and, if the instance has a role attached, temporary security credentials. The rule monitors various tools and scripts, such as curl, wget, python and perl, that may be used to interact with the metadata API.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Tactic: Discovery
  • Data Source: Elastic Defend

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sequence by host.id,  process.parent.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name : (
    "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
    "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node"
    ) or process.executable : (
      "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
      "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
    ) or
    process.command_line: "*169.254.169.254*" and
    not (process.working_directory: (
          "/opt/rapid7*",
          "/opt/nessus*",
          "/snap/amazon-ssm-agent*",
          "/var/snap/amazon-ssm-agent/*",
          "/var/log/amazon/ssm/*",
          "/srv/snp/docker/overlay2*",
          "/opt/nessus_agent/var/nessus/*") or
        process.executable: (
          "/opt/rumble/bin/rumble-agent*",
          "/opt/aws/inspector/bin/inspectorssmplugin") or
        process.parent.executable: (
          "/usr/bin/setup-policy-routes",
          "/usr/share/ec2-instance-connect/*",
          "/var/lib/amazon/ssm/*")
        )
]
[network where host.os.type == "linux"
  and event.action == "connection_attempted"
  and destination.ip == "169.254.169.254"]
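To make the sequence logic concrete, the following is an added example that re-implements the two-stage EQL sequence above in plain Python and runs it over a handful of constructed Elastic Defend-style events. It is not Elastic's code and not part of the rule; the host ID, entity IDs, paths and command lines in the sample events are made up. The matching reproduces EQL's operator precedence, in which `and` binds tighter than `or`: the first stage therefore parses as three alternatives (tool name, executable path, or a command line containing 169.254.169.254), and the `not (...)` exclusion list guards only the command-line alternative. One of the sample event pairs alerts solely because of that parse, which shows how far the exclusions actually reach. The per-key sequence matcher is simplified relative to Elasticsearch's (one pending stage-1 event per join key).

```python
"""Re-implementation of the IMDS sequence rule over constructed events (example only)."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

IMDS_IP = "169.254.169.254"
MAXSPAN = timedelta(seconds=1)

# Lists copied from the rule query.
TOOL_NAMES = ["curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
              "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node"]
SUSPICIOUS_EXE_PATHS = ["./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*",
                        "/etc/rc*.d/*", "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*",
                        "/run/*", "/etc/rc.local"]
EXCLUDED_CWD = ["/opt/rapid7*", "/opt/nessus*", "/snap/amazon-ssm-agent*", "/var/snap/amazon-ssm-agent/*",
                "/var/log/amazon/ssm/*", "/srv/snp/docker/overlay2*", "/opt/nessus_agent/var/nessus/*"]
EXCLUDED_EXE = ["/opt/rumble/bin/rumble-agent*", "/opt/aws/inspector/bin/inspectorssmplugin"]
EXCLUDED_PARENT_EXE = ["/usr/bin/setup-policy-routes", "/usr/share/ec2-instance-connect/*",
                       "/var/lib/amazon/ssm/*"]


def eql_match(value, patterns):
    """EQL `field : (a, b*)`: case-insensitive string match with `*` wildcards."""
    if value is None:
        return False
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def stage1_process_start(ev):
    """First stage. `and` binds tighter than `or`, so the query is three alternatives
    and the `not (...)` block constrains only the command-line alternative."""
    if ev.get("event.category") != "process":
        return False
    linux_exec = (ev.get("host.os.type") == "linux" and ev.get("event.type") == "start"
                  and ev.get("event.action") == "exec")
    by_tool_name = linux_exec and eql_match(ev.get("process.name"), TOOL_NAMES)
    by_exe_path = eql_match(ev.get("process.executable"), SUSPICIOUS_EXE_PATHS)
    excluded = (eql_match(ev.get("process.working_directory"), EXCLUDED_CWD)
                or eql_match(ev.get("process.executable"), EXCLUDED_EXE)
                or eql_match(ev.get("process.parent.executable"), EXCLUDED_PARENT_EXE))
    by_cmdline = eql_match(ev.get("process.command_line"), ["*" + IMDS_IP + "*"]) and not excluded
    return by_tool_name or by_exe_path or by_cmdline


def stage2_imds_connection(ev):
    """Second stage: a connection attempt to the link-local IMDS address."""
    return (ev.get("event.category") == "network" and ev.get("host.os.type") == "linux"
            and ev.get("event.action") == "connection_attempted"
            and ev.get("destination.ip") == IMDS_IP)


def run_sequence(events):
    """`sequence by host.id, process.parent.entity_id with maxspan=1s`, simplified:
    one pending stage-1 event per join key, consumed by the next stage-2 event."""
    pending, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev.get("host.id"), ev.get("process.parent.entity_id"))
        if stage1_process_start(ev):
            pending[key] = ev                      # a newer stage-1 match restarts the sequence
        elif stage2_imds_connection(ev) and key in pending:
            first = pending.pop(key)
            if ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                alerts.append((first["process.name"], ev["destination.ip"]))
    return alerts


# Constructed sample events (hypothetical host, entity IDs, paths and command lines).
T0 = datetime(2024, 5, 1, 12, 0, 0)


def _event(offset_s, **fields):
    ev = {"@timestamp": T0 + timedelta(seconds=offset_s), "host.os.type": "linux", "host.id": "host-A"}
    ev.update(fields)
    return ev


def _exec(offset_s, parent, **fields):
    return _event(offset_s, **{"event.category": "process", "event.type": "start",
                               "event.action": "exec", "process.parent.entity_id": parent, **fields})


def _conn(offset_s, parent, name):
    return _event(offset_s, **{"event.category": "network", "event.action": "connection_attempted",
                               "process.name": name, "destination.ip": IMDS_IP,
                               "process.parent.entity_id": parent})


SAMPLE_EVENTS = [
    # (a) shell -> curl pulling role credentials, connection 300 ms later: alert
    _exec(0.0, "bash-1", **{"process.name": "curl", "process.executable": "/usr/bin/curl",
          "process.command_line": "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/"}),
    _conn(0.3, "bash-1", "curl"),
    # (b) SSM worker child with the IP on its command line: excluded parent, no alert
    _exec(2.0, "ssm-1", **{"process.name": "ssm-helper", "process.executable": "/usr/bin/ssm-helper",
          "process.command_line": "ssm-helper http://169.254.169.254/latest/meta-data/",
          "process.parent.executable": "/var/lib/amazon/ssm/ssm-document-worker"}),
    _conn(2.2, "ssm-1", "ssm-helper"),
    # (c) wget whose connection arrives 3 s later: outside maxspan, no alert
    _exec(5.0, "bash-2", **{"process.name": "wget", "process.executable": "/usr/bin/wget",
          "process.command_line": "wget -qO- http://169.254.169.254/latest/meta-data/"}),
    _conn(8.0, "bash-2", "wget"),
    # (d) unknown binary in /tmp: matches on executable path alone
    _exec(10.0, "sh-3", **{"process.name": "x", "process.executable": "/tmp/x", "process.command_line": "/tmp/x"}),
    _conn(10.1, "sh-3", "x"),
    # (e) curl run from a Nessus working directory: the exclusion guards only the
    #     command-line alternative, so the process.name alternative still fires
    _exec(12.0, "nessusd-4", **{"process.name": "curl", "process.executable": "/usr/bin/curl",
          "process.working_directory": "/opt/nessus/bin",
          "process.command_line": "curl http://169.254.169.254/latest/meta-data/"}),
    _conn(12.4, "nessusd-4", "curl"),
]

if __name__ == "__main__":
    for name, dest in run_sequence(SAMPLE_EVENTS):
        print(f"ALERT: {name} -> {dest}")
```

Running the block yields three alerts: (a), (d) and (e). Case (e) is the one to keep in mind when tuning: adding a scanner's working directory to the `not (...)` list does not suppress matches that arrive through the tool-name or executable-path alternatives unless the query groups those alternatives in parentheses before the `and not`.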

Framework: MITRE ATT&CK™