IMDSv1 Credential Theft
Hit 169.254.169.254/latest/meta-data/iam/security-credentials/<role> directly from a compromised process on the VM — IMDSv1 needs no token.
§ Where this technique fits
C-IMDS-V1 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 3.3 on average.
§ Dossiers chaining this technique
- Step 2 / 5: WAF SSRF → IMDS → S3 mass exfil (Capital One 2019). A misconfigured ModSecurity rule on a customer-facing app allowed SSRF; the SSRF hit EC2 IMDSv1 for the instance role; the role had ListBucket + GetObject on a major customer-data bucket.
- Step 2 / 9: SSRF → IMDS → AssumeRole chain → Org admin. A web SSRF leaks the EC2 instance role; iam:PassRole + sts:AssumeRole hops across two member accounts land you with AdministratorAccess in the organisation's management account.
- Step 6 / 7: Public bucket → CI/CD secret leak → cloud takeover. A public S3 bucket hosts a build artefact containing CI tokens / .env files. Use them to push to the prod CI/CD pipeline and gain a deploy role.
§ What commonly comes next
- 01. AWS iam:PassRole Chain (seen 1×) · C-AWS-IAM-PASSROLE · Privilege Escalation
- 02. Account Discovery (seen 1×) · T1087 · Discovery
- 03. Unsecured Credentials (seen 1×) · T1552 · Credential Access