What starting position does this attack require?

The first step is Deploy ransomware org-wide (T1486) — a impact primitive. Assumed environment: target operates a legacy SSL-VPN gateway.

What is the final impact of this kill-chain?

The final step lands on Authenticate to corporate VPN (APT-VPN-LEAKED-CRED), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Leaked legacy VPN credential → ransomware (Colonial-class)

A dormant VPN account whose password appeared in a third-party breach is still active, has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Impact

Deploy ransomware org-wide

T1486 · Data Encrypted for Impact

Initial Access

Reach internal network

T1078 · Valid Accounts

Discovery

BloodHound enumeration

AD-BLOODHOUND · BloodHound / SharpHound Enumeration

Privilege Escalation

Escalate via AD misconfig

AD-DACL-WRITEDACL · WriteDACL

Credential Access

Search breach dumps for target email patterns

W-AUTH-STUFFING · Credential Stuffing

Initial Access

Authenticate to corporate VPN

APT-VPN-LEAKED-CRED · Leaked Legacy VPN Credential (Colonial-class)

§ Context

Assumed environment: target operates a legacy SSL-VPN gateway. At least one inactive but still-enabled account was reused on a previously-breached external service. MFA not enforced for that account.

§ Steps

01
Deploy ransomware org-wideImpact
T1486— Data Encrypted for Impact
02
Reach internal networkInitial Access
T1078— Valid Accounts
03
BloodHound enumerationDiscovery
AD-BLOODHOUND— BloodHound / SharpHound Enumeration
04
Escalate via AD misconfigPrivilege Escalation
AD-DACL-WRITEDACL— WriteDACL
05
Search breach dumps for target email patternsCredential Access
W-AUTH-STUFFING— Credential Stuffing
06
Authenticate to corporate VPNInitial Access
APT-VPN-LEAKED-CRED— Leaked Legacy VPN Credential (Colonial-class)

§ References

T1486Data Encrypted for Impact
T1078Valid Accounts

§ Frequently asked

What is the "Leaked legacy VPN credential → ransomware (Colonial-class)" attack path?: A dormant VPN account whose password appeared in a third-party breach is still active, has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Deploy ransomware org-wide (T1486) — a impact primitive. Assumed environment: target operates a legacy SSL-VPN gateway.
What is the final impact of this kill-chain?: The final step lands on Authenticate to corporate VPN (APT-VPN-LEAKED-CRED), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Leaked legacy VPN credential → ransomware (Colonial-class)

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

WriteDACL on a privileged user → ForceChangePassword → takeover

Citrix Bleed → steal authenticated session → MFA bypass

Engineering workstation → push payload to PLC

MFA fatigue / prompt-bombing → M365 admin compromise

Evil twin + captive portal → credential harvest

Unconstrained delegation → Capture DC TGT → DCSync