SSRF → IMDS → cloud creds → lateral
An image-fetcher / link-preview endpoint fetches attacker-controlled URLs server-side. Pivot to the cloud metadata service and steal the instance role credentials.
§ Context
Assumed environment: app runs on an EC2 / GCE / Azure VM with an attached instance/managed identity. IMDSv1 is enabled (or IMDSv2 is on but without hop-limit hardening, so a request proxied by the app still reaches it).
§ Steps
Each step: number: title · tactic · technique ID — technique name.
- 01: Pivot via cloud APIs (S3, KMS, SSM) · Initial Access · T1078 — Valid Accounts
- 02: AWS / Azure / GCP CLI enumeration · Discovery · T1087 — Account Discovery
- 03: Steal IAM role / managed-identity creds · Credential Access · T1552 — Unsecured Credentials
- 04: Find URL-fetcher endpoint · Reconnaissance · W-RECON-API-DISCO — API Endpoint Discovery
- 05: Confirm SSRF · Lateral Movement · W-SSRF — Server-Side Request Forgery (SSRF)
  Burp Collaborator / interactsh callback.
- 06: Hit 169.254.169.254 / metadata.google.internal · Lateral Movement · W-SSRF-IMDS — SSRF → Cloud IMDS
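The defensive counterpart to steps 04 to 06 is a destination guard in front of the URL fetcher. The following is an added example, not code from this dossier or from any product it describes: it parses the candidate URL, rejects non-HTTP schemes and known metadata hostnames, resolves the host, and refuses any answer that is link-local (169.254.0.0/16, where IMDS lives on AWS, Azure and GCE), private, loopback or IPv4-mapped into IPv6. The hostnames, addresses and the `resolver` parameter are constructed for the example.

```python
"""Destination guard for a server-side URL fetcher (link preview / image proxy).

Added illustration, not code from the dossier or any project it describes.
It shows the control that stops an attacker-supplied URL from being fetched
from the cloud metadata service or other internal addresses. Hostnames and
addresses used below are constructed for the example.
"""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Metadata hostnames rejected before any DNS lookup. The dossier names
# metadata.google.internal; the short aliases are assumed for the example.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}

# Shared address space (RFC 6598); older Pythons do not flag it as private.
EXTRA_BLOCKED_NETS = [ipaddress.ip_network("100.64.0.0/10")]

AnyAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def canonical_ip(ip_text: str) -> AnyAddress:
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the
    IPv4 checks apply to it; otherwise [::ffff:169.254.169.254] slips through."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_public_address(ip_text: str) -> bool:
    """True only for addresses a link-preview fetcher should ever talk to.
    is_link_local covers 169.254.0.0/16 (IMDS on AWS, Azure, GCE) and fe80::/10."""
    ip = canonical_ip(ip_text)
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in EXTRA_BLOCKED_NETS)


def resolve_all(host: str) -> List[str]:
    """Every A/AAAA answer for host; numeric hosts pass through without DNS."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_fetch_target(url: str, resolver: Callable[[str], List[str]] = resolve_all
                       ) -> Tuple[bool, str, Optional[str]]:
    """Decide whether the fetcher may retrieve url.

    Returns (allowed, reason, pinned_ip). The caller must connect to pinned_ip
    (sending the original Host header) instead of resolving the name again,
    or a DNS-rebinding answer could swap in 169.254.169.254 after this check.
    Redirects must be re-checked hop by hop with the same function.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    host = parts.hostname  # already lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host", None
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"metadata hostname {host!r}", None
    try:
        addrs = resolver(host)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return False, f"resolution failed for {host!r}: {exc}", None
    if not addrs:
        return False, f"no addresses for {host!r}", None
    # Judge every answer: a name with one public and one link-local record is
    # still a pivot into IMDS on whichever record the client picks next.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public {addr}", None
    return True, "ok", addrs[0]


if __name__ == "__main__":
    for candidate in (
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://metadata.google.internal/computeMetadata/v1/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_fetch_target(candidate))
```

The guard is a second layer, not a substitute for the platform fix the Context section alludes to: on AWS, requiring IMDSv2 (`--http-tokens required`) with a PUT response hop limit of 1 via `aws ec2 modify-instance-metadata-options` makes a token-less GET proxied by the application fail regardless of what the fetcher lets through. Outbound connections from the application host to 169.254.169.254 that do not originate from the instance's own agents are also worth alerting on.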
§ References
- T1078 — Valid Accounts
- T1087 — Account Discovery
- T1552 — Unsecured Credentials
§ Frequently asked
- What is the "SSRF → IMDS → cloud creds → lateral" attack path?
- An image-fetcher / link-preview endpoint fetches attacker-controlled URLs server-side. Pivot to the cloud metadata service and steal the instance role credentials. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is "Pivot via cloud APIs (S3, KMS, SSM)" (T1078), an initial access primitive. Assumed environment: app runs on an EC2 / GCE / Azure VM with an attached instance/managed identity.
- What is the final impact of this kill-chain?
- The final step lands on "Hit 169.254.169.254 / metadata.google.internal" (W-SSRF-IMDS), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References"; every technique page there lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- XXE → SSRF → IMDS → cloud creds (shared techniques: 4)
  XML parser configured with external entity resolution. Use XXE to make the server hit IMDS and exfiltrate cloud credentials via DTD trickery.
- Open MQTT broker → smart-estate takeover (shared techniques: 3)
  Shodan-indexed MQTT broker on TCP/1883 with no auth. Subscribe to '#' to harvest every device topic; publish to relays/locks/lights/thermostats.
- TCC bypass → access Photos / Camera without consent (shared techniques: 3)
  Inject into a process that already has Full Disk Access (e.g. backup utility, Terminal). The inherited TCC entitlement lets the attacker's code read TCC-gated data — Photos, iMessage DB, Documents.
- WAF SSRF → IMDS → S3 mass exfil (Capital One 2019) (shared techniques: 2)
  A misconfigured ModSecurity rule on a customer-facing app allowed SSRF; SSRF hit EC2 IMDSv1 for the instance role; the role had ListBucket + GetObject on a major customer-data bucket.
- Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022) (shared techniques: 2)
  Attacker compromised a single LastPass DevOps engineer's home machine via an outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, and exfiltrated production vault data.
- z/OS TN3270 → RACF userID brute → mainframe shell (shared techniques: 2)
  Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow a predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.