APT-CAPITAL-ONE-SSRFInitial Access

Cloud SSRF → IMDS → Bucket Exfil (Capital One 2019)

Misconfigured WAF allowed SSRF; SSRF reached EC2 IMDS for instance role; role had ListBucket + GetObject on a major data bucket.

§ Where this technique fits

APT-CAPITAL-ONE-SSRF is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 5 on average.

§ Dossiers chaining this technique

WAF SSRF → IMDS → S3 mass exfil (Capital One 2019)
A misconfigured ModSecurity rule on a customer-facing app allowed SSRF; SSRF hit EC2 IMDSv1 for the instance role; the role had ListBucket + GetObject on a major customer-data bucket.
step 5 / 5

§ Where this technique fits

§ Dossiers chaining this technique

WAF SSRF → IMDS → S3 mass exfil (Capital One 2019)