a newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.

t1552
ml
elastic

Techniques

T1552

Sample rules

Unusual Windows User Calling the Metadata Service

source: elastic
technicques:
- T1552

Description

Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.

Detection logic

Unusual Linux User Calling the Metadata Service

source: elastic
technicques:
- T1552

Description

Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.