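Unusual Instance Metadata Service (IMDS) API Request
This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as the instance ID, the public IP address, and even temporary security credentials if the instance has assumed a role. The rule monitors for various tools and scripts, such as curl, wget, python and perl, that might be used to interact with the metadata API.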
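Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Credential Access
- Tactic: Discovery
- Data Source: Elastic Defend
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query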
sequence by host.id, process.parent.entity_id with maxspan=1s
  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.name : (
     "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh",
     "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node"
   ) or
   process.executable : (
     "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
     "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
   ) or
   process.command_line: "*169.254.169.254*" and
   not (
     process.working_directory: (
       "/opt/rapid7*", "/opt/nessus*", "/snap/amazon-ssm-agent*", "/var/snap/amazon-ssm-agent/*",
       "/var/log/amazon/ssm/*", "/srv/snp/docker/overlay2*", "/opt/nessus_agent/var/nessus/*"
     ) or
     process.executable: (
       "/opt/rumble/bin/rumble-agent*", "/opt/aws/inspector/bin/inspectorssmplugin"
     ) or
     process.parent.executable: (
       "/usr/bin/setup-policy-routes", "/usr/share/ec2-instance-connect/*", "/var/lib/amazon/ssm/*"
     )
   )
  ]
  [network where host.os.type == "linux" and event.action == "connection_attempted" and
   destination.ip == "169.254.169.254"]
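The sketch below is an added example, not Elastic's code: it models how the rule's two-stage sequence joins a process exec event to a following IMDS connection attempt on host.id and process.parent.entity_id within maxspan. The flat event dictionaries, field names and helper functions are assumptions, the pattern lists are a subset of the rule's, and the exclusion lists are left out.

```python
from fnmatch import fnmatchcase

IMDS_IP = "169.254.169.254"
# Subset of the rule's process.name / process.executable patterns (exclusions omitted).
NAMES = ("curl", "wget", "python*", "perl*", "nc", "socat")
PATHS = ("/tmp/*", "/var/tmp/*", "/dev/shm/*")

def is_stage1(ev):
    """First stage: exec of a listed tool, from a listed path, or naming the IMDS IP."""
    return ((ev["category"], ev["action"]) == ("process", "exec") and (
        any(fnmatchcase(ev["name"].lower(), p) for p in NAMES)
        or any(fnmatchcase(ev["executable"].lower(), p) for p in PATHS)
        or IMDS_IP in ev["command_line"]))

def is_stage2(ev):
    """Second stage: outbound connection attempt to the IMDS address."""
    return (ev["category"], ev["action"], ev.get("dest_ip")) == (
        "network", "connection_attempted", IMDS_IP)

def correlate(events, maxspan=1.0):
    """Pair stage 1 then stage 2 per (host_id, parent_entity_id) within maxspan seconds."""
    pending, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host_id"], ev["parent_entity_id"])
        if is_stage1(ev):
            pending[key] = ev            # newest exec replaces an older pending one
        elif is_stage2(ev) and key in pending:
            first = pending.pop(key)
            if ev["ts"] - first["ts"] <= maxspan:
                alerts.append((ev["host_id"], first["name"]))
    return alerts

def proc(ts, host, parent, name, exe, cmd=""):
    return {"ts": ts, "host_id": host, "parent_entity_id": parent, "category": "process",
            "action": "exec", "name": name, "executable": exe, "command_line": cmd}

def net(ts, host, parent, dest_ip):
    return {"ts": ts, "host_id": host, "parent_entity_id": parent, "category": "network",
            "action": "connection_attempted", "dest_ip": dest_ip}

# Constructed sample events (timestamps in seconds), not real telemetry.
SAMPLE = [
    proc(10.0, "h1", "p1", "curl", "/usr/bin/curl"),
    net(10.2, "h1", "p1", IMDS_IP),      # same parent, 0.2 s later: alert
    proc(20.0, "h1", "p2", "python3", "/usr/bin/python3"),
    net(22.5, "h1", "p2", IMDS_IP),      # 2.5 s later: outside maxspan
    proc(30.0, "h2", "p3", "agent", "/usr/bin/agent"),
    net(30.1, "h2", "p3", IMDS_IP),      # exec does not match stage 1
    proc(40.0, "h2", "p4", "x", "/dev/shm/x"),
    net(40.1, "h2", "p9", IMDS_IP),      # different parent entity: no join
]
```

Calling `correlate(SAMPLE)` returns only the curl pair on h1; raising `maxspan` to 3 seconds also returns the python3 pair, which shows how tightly the one-second window bounds the match.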
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: Unsecured Credentials
  - ID: T1552
  - Reference URL: https://attack.mitre.org/techniques/T1552/
- Sub-technique:
  - Name: Cloud Instance Metadata API
  - ID: T1552.005
  - Reference URL: https://attack.mitre.org/techniques/T1552/005/
- Tactic:
  - Name: Discovery
  - ID: TA0007
  - Reference URL: https://attack.mitre.org/tactics/TA0007/
- Technique:
  - Name: Cloud Infrastructure Discovery
  - ID: T1580
  - Reference URL: https://attack.mitre.org/techniques/T1580/