APT-VPN-LEAKED-CREDInitial Access

Leaked Legacy VPN Credential (Colonial-class)

An old VPN account whose password appeared in a third-party breach is still active and not protected by MFA — direct entry to the corporate network.

§ Where this technique fits

APT-VPN-LEAKED-CRED is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Leaked legacy VPN credential → ransomware (Colonial-class)
A dormant VPN account whose password appeared in a third-party breach is still active, has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
step 2 / 6

§ What commonly comes next

01
Valid Accounts
T1078 · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Leaked legacy VPN credential → ransomware (Colonial-class)

§ What commonly comes next