APT-LASTPASS-DEVInitial Access

Dev-Workstation Backup Exfil (LastPass 2022)

Compromise a single engineer's home workstation via outdated third-party media-server software → steal AWS backup keys → exfil full encrypted vault store.

§ Where this technique fits

APT-LASTPASS-DEV is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 6 on average.

§ Dossiers chaining this technique

Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)
Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
step 6 / 7

§ What commonly comes next

01
Brute Force
T1110 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

§ What commonly comes next