ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). Original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1522

Glossary: /attack/glossary

Cloud Instance Metadata API

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Most cloud service providers support a Cloud Instance Metadata API, a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes the instance name, security group, and additional metadata, including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.[1]

If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public-facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.[2]

The de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.

Tags

ID: T1522

Tactic: Credential Access

Platforms: AWS, GCP, Azure

Permissions Required: User

Data Sources: Azure activity logs, AWS CloudTrail logs, Authentication logs

Mitigations

Mitigation: Filter Network Traffic (M1037)
Description: Limit access to the Instance Metadata API using a host-based firewall such as iptables. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-Side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.

Detection

  • Monitor access to the Instance Metadata API and look for anomalous queries.

  • It may be possible to detect adversary use of credentials they have obtained. See Valid Accounts (T1078) for more information.
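The two detection bullets above are abstract; the following added example (written for this page, not part of the ATT&CK technique entry or any vendor tooling) shows what "monitor access to the Instance Metadata API and look for anomalous queries" can look like over two constructed log sources. The first is a web-server access log in front of a proxy-style endpoint, where a query parameter carrying a URL whose host is 169.254.169.254 is the signature of the SSRF path described in the text. The second is a host-side connection log that records which process opened a connection to the metadata address; any process outside an allow list of expected metadata clients is flagged, and queries for paths that hint at credentials or user data are raised to high severity. The log formats, the allow list of process names, and the path heuristics are all assumptions made for the example and would be adapted to the real log source in a deployment.

```python
"""Added detection example for T1522 (not part of the ATT&CK page).

Flags requests aimed at the Instance Metadata API (IMDS) in two constructed
log sources: a web access log (SSRF via a proxying endpoint) and a host-side
connection log (a process on the instance querying IMDS directly).
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlparse

# De facto IMDS address across cloud providers (stated on the page).
IMDS_ADDR = ipaddress.ip_address("169.254.169.254")

# Assumed allow list: processes that legitimately talk to IMDS on this host.
# This is site-specific; tune it from a baseline of normal activity.
EXPECTED_IMDS_CLIENTS = {"cloud-init", "amazon-ssm-agent"}

# Assumed heuristic: path fragments that indicate a query for secrets.
SENSITIVE_PATH_HINTS = ("credential", "user-data")

# Constructed log formats (assumptions for this example).
WEB_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
HOST_LOG_RE = re.compile(
    r'proc=(?P<proc>\S+) pid=(?P<pid>\d+) dst=(?P<dst>[0-9.]+):\d+ path=(?P<path>\S+)'
)


def targets_imds(url):
    """True if the URL's host is the link-local metadata address."""
    try:
        host = urlparse(url).hostname
        return host is not None and ipaddress.ip_address(host) == IMDS_ADDR
    except ValueError:  # hostname is not an IP literal
        return False


def ssrf_candidates(web_log_lines):
    """Return (source IP, parameter name, decoded URL) for requests whose
    query parameters carry a URL that points at IMDS."""
    hits = []
    for line in web_log_lines:
        m = WEB_LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group("path")).query)
        for name, values in query.items():
            for value in values:
                # parse_qs decodes one layer; unquote again so a
                # double-encoded parameter is still inspected.
                candidate = unquote(value)
                if targets_imds(candidate):
                    hits.append((m.group("src"), name, candidate))
    return hits


def anomalous_imds_queries(host_log_lines):
    """Return findings for IMDS connections from unexpected processes."""
    findings = []
    for line in host_log_lines:
        m = HOST_LOG_RE.search(line)
        if not m or ipaddress.ip_address(m.group("dst")) != IMDS_ADDR:
            continue
        proc, path = m.group("proc"), m.group("path")
        if proc in EXPECTED_IMDS_CLIENTS:
            continue
        severity = "high" if any(h in path for h in SENSITIVE_PATH_HINTS) else "medium"
        findings.append({"proc": proc, "pid": int(m.group("pid")),
                         "path": path, "severity": severity})
    return findings


# Constructed sample input (addresses from documentation ranges).
WEB_LOG = [
    '198.51.100.4 - - [05/Nov/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 1024',
    '203.0.113.7 - - [05/Nov/2019:10:00:03 +0000] "GET /fetch?url='
    'http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512',
    '198.51.100.4 - - [05/Nov/2019:10:00:05 +0000] "GET /fetch?url='
    'http%3A%2F%2Fexample.com%2F HTTP/1.1" 200 2048',
]
HOST_LOG = [
    "2019-11-05T10:00:01Z proc=cloud-init pid=412 dst=169.254.169.254:80 path=/latest/meta-data/",
    "2019-11-05T10:02:17Z proc=curl pid=2231 dst=169.254.169.254:80 path=/latest/meta-data/iam/security-credentials/",
    "2019-11-05T10:03:40Z proc=amazon-ssm-agent pid=530 dst=169.254.169.254:80 path=/latest/meta-data/",
]

if __name__ == "__main__":
    for hit in ssrf_candidates(WEB_LOG):
        print("SSRF candidate:", hit)
    for finding in anomalous_imds_queries(HOST_LOG):
        print("Anomalous IMDS query:", finding)
```

Run against the constructed samples, the proxy check reports the single request whose `url` parameter resolves to 169.254.169.254 and ignores the request for example.com, while the host check reports only the `curl` connection, rated high because the path names credentials. The allow-list approach is deliberately simple: it catches the case the text describes (an adversary with a foothold querying IMDS from an unexpected process) without trying to enumerate every tool an attacker might use.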