
Summary
Detects HTTP requests to web servers where the URL path, original URL, or query string contains references to cloud instance metadata endpoints or encoded variants. This targets SSRF abuse where an attacker leverages vulnerable web applications to reach cloud metadata services (e.g., AWS IMDS, Google Compute metadata, Azure metadata) to harvest temporary credentials, tokens, or instance details. The rule matches on url.original or url.query containing known metadata endpoints and their encoded representations (IPv4 forms like 169.254.169.254, hex/percent-encoded variants, IPv6 forms, and common metadata paths such as latest/meta-data, computeMetadata/v1, metadata.google.internal, and latest/api/token).

It covers multiple web server sources (Nginx, Apache, Apache Tomcat, IIS, Traefik) and Zeek HTTP logs, enabling detection across entry points and log formats. The rule is scoped with event.ingested timing and is intended to flag potential credential access via cloud instance metadata endpoints, which attackers exploit to obtain cloud credentials or tokens. It maps to MITRE ATT&CK techniques T1552.005 (Cloud Instance Metadata API) under Credential Access and T1190 (Exploiting Public-Facing Applications) under Initial Access.

The provided triage guidance emphasizes verifying target endpoints, decoding nested encodings, correlating with outbound connections to metadata hosts, and assessing potential credential exposure or compromise, followed by containment and remediation steps such as blocking the offending source, rotating credentials, and patching SSRF vulnerabilities with strict outbound allowlists and IMDSv2 enforcement.
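The matching logic described above, applied to a few constructed Nginx/Apache combined-format log lines, as an added example that is not part of the rule or its vendor's code. It shows the two points the summary relies on: nested percent-decoding before matching, and a case-insensitive check for both the metadata addresses and the metadata paths. The indicator list is illustrative; it takes the addresses and paths named in the summary and adds two real alternative encodings of 169.254.169.254 (the dotless hex form 0xa9fea9fe and the AWS IMDS IPv6 address fd00:ec2::254). The log lines and client addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Illustrative indicator list: values named in the rule summary plus two known
# alternative encodings of 169.254.169.254. Not the rule's actual pattern set.
METADATA_INDICATORS = (
    "169.254.169.254",           # link-local IMDS address used by AWS, Azure, GCP
    "0xa9fea9fe",                # dotless hex form of 169.254.169.254
    "fd00:ec2::254",             # AWS IMDS IPv6 endpoint
    "metadata.google.internal",  # GCP metadata hostname
    "computemetadata/v1",        # GCP metadata path (compared lowercased)
    "latest/meta-data",          # AWS IMDSv1 path
    "latest/api/token",          # AWS IMDSv2 token path
)

# Combined log format: client ident user [time] "METHOD url HTTP/x" status ...
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one benign request, one plain IMDS reference,
# one double-percent-encoded GCP reference, one hex-form address.
SAMPLE_LOG = [
    '203.0.113.10 - - [02/Jul/2026:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [02/Jul/2026:10:00:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 812 "-" "curl/8.0"',
    '198.51.100.7 - - [02/Jul/2026:10:00:03 +0000] "GET /proxy?target=http%253A%252F%252Fmetadata.google.internal%252FcomputeMetadata%252Fv1%252F HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [02/Jul/2026:10:00:04 +0000] "PUT /proxy?target=http://0xa9fea9fe/latest/api/token HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]


def decode_nested(value, max_rounds=5):
    """Percent-decode repeatedly until the string stops changing.

    The round limit keeps a pathological input from looping forever; anything
    still encoded after max_rounds is matched as-is.
    """
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_metadata_indicators(url):
    """Return the indicators present in the URL after nested decoding and lowercasing."""
    normalized = decode_nested(url).lower()
    return [ind for ind in METADATA_INDICATORS if ind in normalized]


def scan_log(lines):
    """Return (client, raw_url, matched_indicators) for each request that matches."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        matched = find_metadata_indicators(m.group("url"))
        if matched:
            hits.append((m.group("client"), m.group("url"), matched))
    return hits


if __name__ == "__main__":
    for client, url, matched in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}\n    indicators: {', '.join(matched)}")
```

In the sample, the benign image request produces no hit, the plain request matches on both the address and the path, the double-encoded request only matches once the second decoding round exposes metadata.google.internal, and the hex-form request matches on 0xa9fea9fe and latest/api/token. A production rule would extend the indicator list with the decimal and octal forms of the address and the IPv4-mapped IPv6 variants the summary refers to; the decode-then-match structure stays the same.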
Categories
- Web
- Cloud
- Network
Data Sources
- Application Log
ATT&CK Techniques
- T1552
- T1552.005
- T1190
Created: 2026-07-02