Esc
Cloud Instance Metadata API - T1552.005

(ATT&CK® Technique)
Definition

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1552005["Cloud Instance Metadata API"] --> |accesses| CloudInstanceMetadata["Cloud Instance Metadata"]; class T1552005 OffensiveTechniqueNode;
        class CloudInstanceMetadata ArtifactNode; click CloudInstanceMetadata href "/dao/artifact/d3f:CloudInstanceMetadata";
        click T1552005 href "/offensive-technique/attack/T1552.005/"; click CloudInstanceMetadata href "/dao/artifact/d3f:CloudInstanceMetadata";     T1552005["Cloud Instance Metadata API"] --> |accesses| Credential["Credential"]; class T1552005 OffensiveTechniqueNode;
        class Credential ArtifactNode; click Credential href "/dao/artifact/d3f:Credential";
        click T1552005 href "/offensive-technique/attack/T1552.005/"; click Credential href "/dao/artifact/d3f:Credential";         RestoreConfiguration["Restore Configuration"] -->
          | restores | CloudInstanceMetadata["Cloud Instance Metadata"];

          RestoreConfiguration["Restore Configuration"] -.->
            | may-restore | T1552005["Cloud Instance Metadata API"] ;
          class RestoreConfiguration DefensiveTechniqueNode;
          class CloudInstanceMetadata ArtifactNode;
          click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";      CredentialHardening["Credential Hardening"] -->
          | hardens | Credential["Credential"];

          CredentialHardening["Credential Hardening"] -.->
            | may-harden | T1552005["Cloud Instance Metadata API"] ;
          class CredentialHardening DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click CredentialHardening href "/technique/d3f:CredentialHardening";              DecoyUserCredential["Decoy User Credential"] -->
          | spoofs | Credential["Credential"];

          DecoyUserCredential["Decoy User Credential"] -.->
            | may-deceive | T1552005["Cloud Instance Metadata API"] ;
          class DecoyUserCredential DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
          | analyzes | Credential["Credential"];

          CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
            | may-detect | T1552005["Cloud Instance Metadata API"] ;
          class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
          | deletes | Credential["Credential"];

          AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
            | may-evict | T1552005["Cloud Instance Metadata API"] ;
          class AuthenticationCacheInvalidation DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; CredentialRevocation["Credential Revocation"] -->
          | deletes | Credential["Credential"];

          CredentialRevocation["Credential Revocation"] -.->
            | may-evict | T1552005["Cloud Instance Metadata API"] ;
          class CredentialRevocation DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click CredentialRevocation href "/technique/d3f:CredentialRevocation"; CredentialRotation["Credential Rotation"] -->
          | regenerates | Credential["Credential"];

          CredentialRotation["Credential Rotation"] -.->
            | may-harden | T1552005["Cloud Instance Metadata API"] ;
          class CredentialRotation DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click CredentialRotation href "/technique/d3f:CredentialRotation"; Multi-factorAuthentication["Multi-factor Authentication"] -->
          | uses | Credential["Credential"];

          Multi-factorAuthentication["Multi-factor Authentication"] -.->
            | may-harden | T1552005["Cloud Instance Metadata API"] ;
          class Multi-factorAuthentication DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; CredentialTransmissionScoping["Credential Transmission Scoping"] -->
          | isolates | Credential["Credential"];

          CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
            | may-isolate | T1552005["Cloud Instance Metadata API"] ;
          class CredentialTransmissionScoping DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping";  ReissueCredential["Reissue Credential"] -->
          | restores | Credential["Credential"];

          ReissueCredential["Reissue Credential"] -.->
            | may-restore | T1552005["Cloud Instance Metadata API"] ;
          class ReissueCredential DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click ReissueCredential href "/technique/d3f:ReissueCredential";
json