Abusing Windows Built-in VPN Providers
ID: d22a8175-2874-5a54-a953-00aa43b0d191
STIX ID: report--d22a8175-2874-5a54-a953-00aa43b0d191
Feed Name: TrustedSec blog
Executive summary: The report demonstrates that Windows' built-in VPN providers can be abused by non-privileged users to modify the system routing table (via phonebook files, PowerShell/WMI cmdlets, RasMan RPC, etc.) and redirect or intercept network traffic through an attacker-controlled VPN (SoftEther is used as the example). It covers methods to push or locally add routes, tunnel all traffic, auto-connect via application triggers, attack scenarios (dropping traffic to blind EDR/logging, or redirecting it to a MitM proxy), and detection/prevention recommendations (restrict RasMan/phonebook writes, monitor RasClient events).
