Cloud Instance Metadata API (T1522)

View on ATT&CK

In Playbook

Technique & Subtechniques

  • Cloud Instance Metadata API

Associated Tactics

  • Credential Access

Credential Access (TA0006)

The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

View on ATT&CK

Procedure Examples

Description Source(s)
AWS. (n.d.). Instance Metadata and User Data. Retrieved July 18, 2019. AWS Instance Metadata API
Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019. RedLock Instance Metadata API 2018