T1552.005 is credential theft via the cloud instance metadata service: an SSRF or compromised workload querying 169.254.169.254 to mint the instance's IAM credentials, the mechanism behind the Capital One breach. DCV pairs GuardDuty's InstanceCredentialExfiltration findings, which fire when instance credentials are replayed from inside or outside AWS, with the IMDSv2 enforcement checks in Security Hub and AWS Config. Enforcing IMDSv2 with a hop limit of one closes the SSRF path almost entirely; the finding then marks genuine workload compromise.
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Most cloud service providers support a Cloud Instance Metadata API, a service exposed to running virtual instances that lets applications query information about the instance they run on. Available information generally includes the instance name, security group, and additional metadata, including sensitive data such as credentials and UserData scripts that may contain further secrets. The Instance Metadata API is provided as a convenience for managing applications and is accessible to anyone who can reach the instance. A cloud metadata API has been used in at least one high-profile compromise.
If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public-facing web proxy that lets them reach the sensitive information via a request to the Instance Metadata API.
The de facto standard across cloud service providers is to host the Instance Metadata API at <code>http[:]//169.254.169.254</code>.
Platforms: IaaS.
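The IMDSv2 enforcement check described above, reduced to its two settings, as an added example that is not part of this page or of DCV's own tooling: it evaluates the `MetadataOptions` block that `aws ec2 describe-instances` (or boto3 `describe_instances()`) returns and flags instances that still accept IMDSv1 or allow the token response to travel more than one hop. The sample response is constructed; the `_inst` helper and `audit_imds` are names chosen here.

```python
"""Audit EC2 MetadataOptions for IMDSv2 enforcement.

Flags instances that still accept IMDSv1 (HttpTokens != "required") or
whose PUT response hop limit exceeds 1; both leave the SSRF path to
169.254.169.254 open. Input is the JSON shape returned by
`aws ec2 describe-instances` / boto3 describe_instances().
"""


def _inst(iid: str, endpoint: str, tokens: str, hops: int) -> dict:
    """Build one instance record in describe-instances shape (sample data only)."""
    return {"InstanceId": iid,
            "MetadataOptions": {"HttpEndpoint": endpoint, "HttpTokens": tokens,
                                "HttpPutResponseHopLimit": hops}}


# Constructed sample response for this example, not real account data.
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    _inst("i-0example0hardened", "enabled", "required", 1),   # compliant
    _inst("i-0example1optional", "enabled", "optional", 1),   # IMDSv1 still on
    _inst("i-0example2hoplimit", "enabled", "required", 2),   # token can be forwarded
    _inst("i-0example3disabled", "disabled", "optional", 1),  # IMDS off entirely
]}]}


def audit_imds(describe_instances: dict) -> list:
    """Return one finding per weak setting; empty means every reachable
    metadata endpoint requires a session token with hop limit 1."""
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            iid = inst["InstanceId"]
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata service, so no credentials to steal
            if opts.get("HttpTokens") != "required":
                findings.append({"InstanceId": iid,
                                 "Issue": "IMDSv1 allowed: HttpTokens is not 'required'"})
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append({"InstanceId": iid,
                                 "Issue": "HttpPutResponseHopLimit > 1: token response can "
                                          "cross a NAT/container hop"})
    return findings


if __name__ == "__main__":
    for f in audit_imds(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{f['InstanceId']}: {f['Issue']}")
```

Instances the audit flags are remediated with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`, after which any remaining InstanceCredentialExfiltration finding points at a compromised workload rather than an SSRF.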
DCV maps 8 detections across 1 cloud provider to T1552.005. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS GuardDuty | AWS | 4 | 0.89 |
| AWS Macie | AWS | 2 | 0.88 |
| AWS Config Rules | AWS | 1 | 0.65 |
| AWS Security Hub | AWS | 1 | 0.85 |
CloudSigma has coverage metadata for 8 T1552.005 rules across 3 platforms, but no public example rule clears the embed bar for this page yet; the linked platform page remains the canonical rule surface, and this page will embed an example once a rule clears it. In the meantime, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 8 cloud-native detections to T1552.005 across 1 cloud provider, drawn from AWS Config Rules, AWS GuardDuty, AWS Macie and AWS Security Hub.
T1552.005 is part of MITRE ATT&CK TA0006 Credential Access: How adversaries steal credentials, account names and passwords.
CloudSigma ships 3 validated Sigma rules for T1552.005 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.