VPN-CONFIG-EXFIL · Collection
VPN Configuration Exfil
Pull configs (saved usernames, RADIUS keys, LDAP binds, S2S PSKs) from a compromised appliance — credentials for further pivot.
§ Where this technique fits
VPN-CONFIG-EXFIL is catalogued under the Collection tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, on average at step 4.
§ Dossiers chaining this technique
- step 4 / 6: FortiGate SSL-VPN pre-auth RCE → config theft
  Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.
- step 4 / 6: Ivanti Pulse Connect Secure → pre-auth RCE → corporate VPN takeover
  Two-stage chain (auth bypass + command injection) lands root on the Pulse appliance. Exfil VPN configs, pivot through the tunnel into the corporate network.
§ What commonly comes next
- 01 Unsecured Credentials (seen 1×): T1552 · Credential Access
- 02 VPN Appliance Implant (seen 1×): VPN-APPLIANCE-IMPLANT · Persistence