What starting position does this attack require?

The first step is SSH in as redis user (T1078) — a initial access primitive. Assumed environment: target web app has an SSRF primitive (URL fetcher / proxy / image library).

What is the final impact of this kill-chain?

The final step lands on CONFIG SET dir / dbfilename (DB-REDIS-RCE), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

SSRF → reach internal Redis → write SSH key → RCE

Web app SSRF lets the attacker hit gopher://redis on the internal network. Inject CONFIG SET dir + dbfilename + SAVE to write an SSH authorized_keys onto the Redis host — log in as the Redis user.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

SSH in as redis user

T1078 · Valid Accounts

Lateral Movement

Identify SSRF primitive (gopher:// support)

W-SSRF · Server-Side Request Forgery (SSRF)

Lateral Movement

Reach internal Redis via gopher://

W-SSRF-INTERNAL · SSRF → Internal Service Exploit

Lateral Movement

Continue internal pivot

N-SSH-PROXY · SSH Dynamic / Reverse Tunnel

Execution

SAVE → writes ~/.ssh/authorized_keys

DB-REDIS-RCE · Redis Unauth → RCE via CONFIG

Execution

CONFIG SET dir / dbfilename

DB-REDIS-RCE · Redis Unauth → RCE via CONFIG

§ Context

Assumed environment: target web app has an SSRF primitive (URL fetcher / proxy / image library). An internal Redis instance accepts unauthenticated connections from app-server IPs.

§ Steps

01
SSH in as redis userInitial Access
T1078— Valid Accounts
02
Identify SSRF primitive (gopher:// support)Lateral Movement
W-SSRF— Server-Side Request Forgery (SSRF)
03
Reach internal Redis via gopher://Lateral Movement
W-SSRF-INTERNAL— SSRF → Internal Service Exploit
04
Continue internal pivotLateral Movement
N-SSH-PROXY— SSH Dynamic / Reverse Tunnel
05
SAVE → writes ~/.ssh/authorized_keysExecution
DB-REDIS-RCE— Redis Unauth → RCE via CONFIG
06
CONFIG SET dir / dbfilenameExecution
DB-REDIS-RCE— Redis Unauth → RCE via CONFIG

§ References

T1078Valid Accounts

§ Frequently asked

What is the "SSRF → reach internal Redis → write SSH key → RCE" attack path?: Web app SSRF lets the attacker hit gopher://redis on the internal network. Inject CONFIG SET dir + dbfilename + SAVE to write an SSH authorized_keys onto the Redis host — log in as the Redis user. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is SSH in as redis user (T1078) — a initial access primitive. Assumed environment: target web app has an SSRF primitive (URL fetcher / proxy / image library).
What is the final impact of this kill-chain?: The final step lands on CONFIG SET dir / dbfilename (DB-REDIS-RCE), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

SSRF → reach internal Redis → write SSH key → RCE

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

VLAN hopping → cross into production

SSRF → IMDS → cloud creds → lateral