What starting position does this attack require?

The first step is Continue chain into Active Directory (AD-BLOODHOUND) — a discovery primitive. Assumed environment: corporate network has legacy router with SNMPv2c enabled and a default write community.

What is the final impact of this kill-chain?

The final step lands on OID write triggers TFTP config send (NET-SNMP-CONFIG-DL), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

SNMPv2c write-community → router config exfil → cred sprays

Find a router with 'private' RW community. Trigger SNMP-to-TFTP config download to attacker host. The config has RADIUS shared secret, AAA server IP, ISAKMP PSKs, and SSH user-pubkeys — spray harvested creds.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Discovery

Continue chain into Active Directory

AD-BLOODHOUND · BloodHound / SharpHound Enumeration

Credential Access

Spray harvested credentials against AD

T1110.003 · Password Spraying

Credential Access

Receive plaintext router config

T1552 · Unsecured Credentials

Credential Access

Decrypt RADIUS shared secret / decode AAA

T1556 · Modify Authentication Process

Privilege Escalation

snmpwalk for 'private' / 'public' / common

NET-SNMP-RW-COMMUNITY · SNMPv2c Write Community

Collection

OID write triggers TFTP config send

NET-SNMP-CONFIG-DL · SNMP TFTP Config Download

§ Context

Assumed environment: corporate network has legacy router with SNMPv2c enabled and a default write community. Attacker on the management VLAN or has internal foothold.

§ Steps

01
Continue chain into Active DirectoryDiscovery
AD-BLOODHOUND— BloodHound / SharpHound Enumeration
02
Spray harvested credentials against ADCredential Access
T1110.003— Password Spraying
03
Receive plaintext router configCredential Access
T1552— Unsecured Credentials
04
Decrypt RADIUS shared secret / decode AAACredential Access
T1556— Modify Authentication Process
05
snmpwalk for 'private' / 'public' / commonPrivilege Escalation
NET-SNMP-RW-COMMUNITY— SNMPv2c Write Community
06
OID write triggers TFTP config sendCollection
NET-SNMP-CONFIG-DL— SNMP TFTP Config Download

§ References

§ Frequently asked

What is the "SNMPv2c write-community → router config exfil → cred sprays" attack path?: Find a router with 'private' RW community. Trigger SNMP-to-TFTP config download to attacker host. The config has RADIUS shared secret, AAA server IP, ISAKMP PSKs, and SSH user-pubkeys — spray harvested creds. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Continue chain into Active Directory (AD-BLOODHOUND) — a discovery primitive. Assumed environment: corporate network has legacy router with SNMPv2c enabled and a default write community.
What is the final impact of this kill-chain?: The final step lands on OID write triggers TFTP config send (NET-SNMP-CONFIG-DL), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

Shared techniques2
FortiGate SSL-VPN pre-auth RCE → config theft
Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

FortiGate SSL-VPN pre-auth RCE → config theft