<  Back to rules search

EC2 instance resolved a suspicious AWS metadata DNS query

route53

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1552-unsecured-credentials

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).

Strategy

Inspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.

Triage and response

  1. Determine which instance is associated with the DNS request.
  2. Determine whether the domain name which was requested (dns.question.name) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.

Changelog

19 May 2022 - Updated rule query.