MITRE ATT&CK® Analytic

AN0122: Analytic 0122

Detection of queries to instance metadata services (e.g., AWS IMDS, Azure Metadata Service) for availability zone, region, or network geolocation details. Correlation with non-management accounts or non-standard workloads may indicate adversary reconnaissance.

Enterprise | AN0122 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because cloud instance metadata can reveal where a workload is running and how it is networked. For executives and security leaders, the decision point is whether cloud teams can distinguish normal platform inventory/management activity from unusual metadata lookups by non-management accounts or non-standard workloads. That distinction supports faster incident triage and better evidence for cloud monitoring readiness.

Executive priority

Prioritize this as a cloud visibility and incident-readiness control for IaaS environments. It is not, by itself, proof of compromise, but unexpected metadata-service queries can be an early signal of reconnaissance inside cloud workloads. Leaders should ask whether SOC and cloud teams collect the right IaaS telemetry, know which workloads are expected to query metadata for region or network details, and can explain exceptions during an incident or audit.

Technical view

AN0122 focuses on detecting queries to instance metadata services, such as AWS IMDS or the Azure Instance Metadata Service, for availability zone, region, or network geolocation details. On both providers the service is reached over plain HTTP at the link-local address 169.254.169.254 from inside the instance (Azure additionally requires a "Metadata: true" request header, and AWS IMDSv2 requires a session token obtained with a PUT request), so the traffic never leaves the host and is observable mainly through host, agent, or local proxy telemetry rather than cloud-side network logs. Because no official detection logic is provided, teams should validate data sources and build environment-specific baselines. Useful triage context includes the workload identity, account type, instance role, source workload, queried metadata path or category where available, and whether the activity came from expected management tooling versus a non-management account or non-standard workload.

Likely telemetry

  • Cloud workload network telemetry showing connections or requests to instance metadata service endpoints
  • Cloud provider logs or workload logs that expose metadata service access, where available
  • Host or application logs from IaaS instances that can show metadata queries or related process context
  • Identity and account context distinguishing management accounts from non-management accounts
  • Cloud asset inventory identifying standard versus non-standard workloads and expected management tooling

Detection direction

  • Confirm whether IaaS telemetry can observe metadata-service queries and retain enough context for investigation.
  • Baseline expected metadata access by approved management agents, cloud-init/bootstrap processes, monitoring tools, and normal applications to reduce false positives.
  • Prioritize alerts where metadata queries for availability zone, region, or network geolocation details come from non-management accounts or unusual workloads, as described in the ATT&CK analytic.
  • Correlate metadata queries with workload inventory, identity context, and recent changes so analysts can separate normal deployment behavior from suspicious reconnaissance.
  • Document blind spots where metadata access is not logged, is only visible from the host, or cannot be tied back to a process, workload, or account. In particular, AWS VPC Flow Logs exclude traffic to and from 169.254.169.254 and IMDS requests are not AWS API calls, so they do not appear in CloudTrail; cloud-side logging alone will not show these queries.
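One way to implement the technical view and the detection direction above, as an added example that is not MITRE's or Glexia's own code: the script below parses constructed host-log lines describing HTTP requests to a metadata endpoint, keeps only the paths that return placement (availability zone, region) or network details, suppresses callers on an expected-tooling baseline, and then flags the remaining queries by whether they came from a non-management account, a non-standard workload, or an unknown process on an otherwise normal host. The log line format, the workload inventory, the caller allowlist and the management-account set are assumptions for illustration; the endpoint addresses and metadata paths are the ones documented by AWS, Azure and GCP.

```python
"""Triage metadata-service queries for region, zone and network details.

Added example, not code from MITRE ATT&CK or Glexia. The log line format,
workload names, process/account allowlist and inventory are constructed
assumptions; the endpoint addresses and metadata paths are the providers'
documented ones.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Link-local address used by AWS IMDS and Azure IMDS; hostname used by GCP.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}

# Paths whose responses reveal placement (region/zone) or network details.
# Other metadata paths (e.g. IAM credentials) are outside this analytic's scope.
LOCATION_PATHS = [
    re.compile(r"^/latest/meta-data/placement/"),          # AWS AZ, AZ id, region
    re.compile(r"^/latest/meta-data/network/"),            # AWS interfaces, VPC, subnets
    re.compile(r"^/latest/meta-data/public-ipv4$"),        # AWS public address
    re.compile(r"^/latest/dynamic/instance-identity/"),    # AWS identity document (has region)
    re.compile(r"^/metadata/instance(\?|$)"),              # Azure full document (has location)
    re.compile(r"^/metadata/instance/compute/(location|zone)"),
    re.compile(r"^/metadata/instance/network"),            # Azure interfaces, addresses
    re.compile(r"^/computeMetadata/v1/instance/zone"),     # GCP zone
    re.compile(r"^/computeMetadata/v1/instance/network-interfaces/"),
]

# Constructed baseline (assumption): standard workloads, callers expected to
# query metadata, and accounts treated as management/platform identities.
STANDARD_WORKLOADS = {"web-frontend", "batch-worker"}
EXPECTED_CALLERS = {("cloud-init", "root"), ("amazon-ssm-agent", "root"),
                    ("waagent", "root"), ("datadog-agent", "dd-agent")}
MANAGEMENT_ACCOUNTS = {"root", "dd-agent", "ssm-user"}


@dataclass(frozen=True)
class MetadataRequest:
    workload: str
    process: str
    account: str
    host: str
    path: str


def parse_line(line: str) -> Optional[MetadataRequest]:
    """Parse a constructed host-log line:
    'workload=<w> proc=<p> user=<u> dst=<host> path=<path>'. Returns None
    when any field is missing so malformed lines are skipped, not alerted."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    try:
        return MetadataRequest(fields["workload"], fields["proc"],
                               fields["user"], fields["dst"], fields["path"])
    except KeyError:
        return None


def is_location_query(req: MetadataRequest) -> bool:
    """True when the request targets a metadata endpoint and a path that
    returns availability zone, region or network geolocation details."""
    return req.host in METADATA_HOSTS and any(p.search(req.path) for p in LOCATION_PATHS)


def triage(req: MetadataRequest) -> List[str]:
    """Return the reasons to alert on this request; an empty list means benign.
    Expected (process, account) pairs are suppressed first, mirroring the
    baselining step; the remaining checks implement the analytic's correlation
    with non-management accounts and non-standard workloads."""
    if not is_location_query(req) or (req.process, req.account) in EXPECTED_CALLERS:
        return []
    reasons = []
    if req.account not in MANAGEMENT_ACCOUNTS:
        reasons.append("non-management account")
    if req.workload not in STANDARD_WORKLOADS:
        reasons.append("non-standard workload")
    if not reasons:  # management account on a standard workload, but unknown tool
        reasons.append("unexpected process")
    return reasons


def run(lines) -> List[Tuple[MetadataRequest, List[str]]]:
    """Apply triage to each parsable line and collect the alerts."""
    alerts = []
    for line in lines:
        req = parse_line(line)
        if req is not None:
            reasons = triage(req)
            if reasons:
                alerts.append((req, reasons))
    return alerts


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "workload=web-frontend proc=cloud-init user=root dst=169.254.169.254 path=/latest/meta-data/placement/availability-zone",
    "workload=web-frontend proc=datadog-agent user=dd-agent dst=169.254.169.254 path=/latest/dynamic/instance-identity/document",
    "workload=web-frontend proc=curl user=www-data dst=169.254.169.254 path=/latest/meta-data/placement/region",
    "workload=jump-tmp-7 proc=python3 user=ubuntu dst=169.254.169.254 path=/metadata/instance?api-version=2021-02-01",
    "workload=batch-worker proc=app user=appsvc dst=169.254.169.254 path=/latest/meta-data/iam/security-credentials/",
    "workload=batch-worker proc=curl user=root dst=169.254.169.254 path=/latest/meta-data/network/interfaces/macs/",
    "not a structured line",
]

if __name__ == "__main__":
    for req, reasons in run(SAMPLE_LOG):
        print(f"ALERT {req.workload} {req.process} ({req.account}) {req.path}: {', '.join(reasons)}")
```

The credential-path request in the sample is deliberately not alerted: it is outside this analytic's scope (region, zone and network details) and belongs to a separate detection. The allowlist is keyed on the process and account pair rather than the process name alone, so a renamed binary running as a non-management user still surfaces; in production the inventory and allowlist would come from the asset inventory and deployment records rather than constants.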

Mitigation priorities

  • Establish an inventory of workloads and tools that are expected to query instance metadata services.
  • Restrict and monitor cloud management roles and non-management accounts according to least-privilege principles where applicable.
  • Improve IaaS logging and host visibility so metadata-service access can be reviewed during incident response.
  • Create SOC runbooks for investigating unusual metadata queries, including validation of workload ownership, recent deployment activity, and account purpose.
  • Use findings from tuning and incidents to update cloud security standards and compliance evidence for monitoring coverage.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique entry, and no tactics or relationships were supplied. The strongest source-backed interpretation is cloud reconnaissance-style visibility into metadata queries, especially when correlated with non-management accounts or non-standard workloads. Local baselines are essential because legitimate cloud agents, deployment processes, and applications may query metadata services during normal operations.

Official detection logic was not provided, and no relationship context was supplied. This take is limited to the IaaS platform and the described metadata-query behavior. It does not assert active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0122

Detection of queries to instance metadata services (e.g., AWS IMDS, Azure Metadata Service) for availability zone, region, or network geolocation details. Correlation with non-management accounts or non-standard workloads may indicate adversary reconnaissance.

The same entry is also available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4fb6c5f98d928188...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| 19.1 | | 1.0 | | Current bundle | 4fb6c5f98d92… |
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0122 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.