IMDSpoof

IMDSPOOF is a cyber deception tool that spoofs the AWS Instance Metadata Service (IMDS). One way attackers escalate privileges or move laterally in a cloud environment is by retrieving AWS access keys from the IMDS endpoint located at http://169.254.169.254/latest/meta-data/iam/security-credentials/. This tool spoofs that endpoint and redirects traffic sent to 169.254.169.254 to a local web server that serves fake data. This can be leveraged for highly tuned detections by inserting honey AWS tokens into the spoofed IMDS response.

GitHub

Stars: 71
Forks: 2
Last Updated: 21 Jan 2024 - 19:15

Category

AWS - Blue Team

Warning

Once again, if the applications running on your EC2 instance ARE using the IMDS service, this tool WILL cause issues!