IMDS abuse

Tags

Cloud

ATT&CK Tactic

Credential Access (TA0006)

Incidents

ScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)SilentBob cryptomining campaign From PHP exploitation to AWS lateral movement Misconfigured firewall to cryptojacking botnet Capital One incident (March 2019)UNC2903 campaigns SQL Server to cloud lateral movement From PHP vuln to Sliver execution via cron From web app exploitation to Chisel tunneling Commando Cat campaign Hugging Face cross-tenant access US DoD NIPRNet access via Atlassian SSRF GENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access Brokerage

References

https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/

Last edited

Jan 15, 2024 2:41 PM

Status

Featured

Applications running on virtual machines in cloud environments rely on the Instance Metadata Service (IMDS) to receive temporary cloud credentials for service accounts. However, when threat actors gain initial access to a VM, they often abuse this mechanism to compromise the credentials and thereby grant themselves privileges within the larger environment and move laterally to other resources. IMDS abuse is sometimes preceded and facilitated by exploiting SSRF vulnerabilities (short for Server-side request forgery), which allow adversaries to route requests through the vulnerable application. However, this technique can be easily mitigated by enforcing IMDSv2.