Once an attacker has command execution on a VM (via a vulnerability like Log4Shell), they run:
: IMDSv2 requires this token to protect against SSRF vulnerabilities that could leak sensitive instance data. curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken