Red Teaming Case Study: Uncovering Hidden Risks

May 15, 2025

Wait, do we need a Red Team assessment?

Imagine a large organization with thousands of employees—one that values security and regularly invests in protecting its people and systems. Yet they wondered: what if a determined, organized adversary targeted them? Over eight weeks, our Red Team simulated a real attack without constraints. We ran a custom-domain phishing campaign (yielding 260 credentials), leveraged OSINT, breached physical controls via pretexting, badge cloning, and a rogue network implant, then abused a misconfigured AD Certificate Authority to gain Domain Admin. This end-to-end test exposed critical human, technical, and physical vulnerabilities—showing that only full Red Team exercises uncover hidden risks.

What really is Red Teaming?

Red Teaming is about comprehensively evaluating a company's security posture, from the digital perimeter to human behavior. It mimics what a motivated attacker or an Advanced Persistent Threat (APT) would do if they chose your company as a target, unconstrained by resources or time.

How do the hackers at Haxoris perform such an assessment?

At Haxoris we delve deep into preparation and execution, following a set of sophisticated Red Teaming methodologies aimed at identifying vulnerabilities, assessing risks, and verifying the effectiveness of existing security measures across multiple domains. The assessment is divided into several distinct but interrelated phases:

  • Open source intelligence gathering (OSINT)
  • External infrastructure testing
  • Internal network penetration testing in two scenarios
  • Physical penetration tests at three client sites
  • Phishing campaign targeting a majority of the workforce

Company got HACKED by us!

As always in a targeted engagement, we start with EXTERNAL TESTING: everything accessible from the internet. We carefully examined the client’s web applications, VPN gateways, email servers, and all other exposed services for weaknesses, outdated software, misconfigurations, or coding errors. It turned out the client was well prepared: their servers were fully patched, with no known CVEs to exploit. The firewall was configured correctly, and IDS/IPS systems actively monitored traffic; we found no gaps there. Even our attempts to breach their Wi-Fi failed, since access required client certificates and multi-factor authentication.

[Attack chain diagram: OSINT → Credential Theft → Vulnerability → Domain Admin]

OSINT proved its value: after using every available means to gather information about the company, we ended up with an organizational structure, a list of employee names, IP addresses, subdomains, and data about partnerships and contracts. Not many employees list their affiliation with the company on LinkedIn, which showed that the client encourages discretion among staff. Still, given the company's size, we gathered enough profiles for further work. We combined LinkedIn data with information from old leaked databases and verified the gathered email addresses. A key moment came when we revealed the exact email format, [email protected], thanks to a flaw in one of the internal systems.

We tried to breach the PHYSICAL PERIMETER at multiple locations of our customer. During our first visit, we gathered information about entrances, the movements of building security staff, camera blind spots and more. We noticed a fire equipment inspection car in front of the building and decided this would be our access method. After a quick OSINT preparation, we were ready as an undercover fire equipment inspector, with a full uniform, the inspection company’s logo, and a letterhead carrying written permission to inspect the fire extinguishers and access the building. The “fire extinguisher technician” decoy earned our team unsupervised access to a meeting room, where we spotted a hidden RJ45 port behind a TV screen. In minutes, we installed a custom 4G-enabled implant, concealed it, and left without triggering any alarms—granting us persistent, undetectable entry to the internal network and setting the stage for the next attack phase.


Although we already had network access, our goal was to obtain valid domain credentials. Using the list of verified email addresses gathered during OSINT, we launched a highly targeted PHISHING CAMPAIGN: no mass mailings, but precise messages sent from a typosquatted look-alike domain. Disguised as an announcement of a new internal rewards system, the fake intranet login page captured credentials, and we then immediately shut down the campaign to minimize detection. These fresh domain credentials unlocked deeper internal exploration and set the stage for the next phase, privilege escalation.
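The look-alike domain used for the campaign above is exactly the kind of sender a mail gateway can flag before a message reaches a user. The following is an added example, not Haxoris's code or tooling: it classifies inbound sender domains against the organization's legitimate domains, catching the same registrable name under another TLD, the name embedded in a longer one, and typos or homoglyph swaps (rn for m, vv for w, 0 for o, 1 for l, 3 for e, 5 for s) within two edits. All domains and message samples are constructed for the example.

```python
"""Flag look-alike (typosquatted) sender domains.

Added example; not Haxoris's code. Classifies a sender domain as
'legit', 'lookalike' or 'unrelated' relative to the organization's own
domains. Every domain and message below is constructed.
"""
from __future__ import annotations
import unicodedata

# Constructed: the organization's legitimate mail domains.
LEGIT_DOMAINS = {"examplecorp.com", "examplecorp.eu"}

# Character combinations that imitate another character, mapped to what they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case, decode punycode (xn--) labels, strip accents, undo homoglyph tricks."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")   # "xn--..." labels become their Unicode form
    except (UnicodeError, ValueError):
        pass                                   # already Unicode or malformed: keep as-is
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents (e.g. ä -> a)
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> tuple[str, str]:
    """Split into (registrable name, tld). A two-label split is enough for this
    example; production code should consult the public suffix list."""
    labels = domain.split(".")
    if len(labels) < 2:
        return domain, ""
    return labels[-2], labels[-1]


def classify(sender_domain: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one sender domain."""
    sd = sender_domain.strip().lower().rstrip(".")
    if sd in LEGIT_DOMAINS:
        return "legit"
    s_name, _ = registrable(normalize(sd))
    for legit in LEGIT_DOMAINS:
        l_name, _ = registrable(normalize(legit))
        # Same name under another TLD, name embedded in a longer one, or within two edits.
        if s_name == l_name or l_name in s_name or levenshtein(s_name, l_name) <= 2:
            return "lookalike"
    return "unrelated"


# Constructed message samples: (sender address, subject).
SAMPLE_MESSAGES = [
    ("hr@examplecorp.com", "Quarterly all-hands"),
    ("rewards@exarnplecorp.com", "New employee rewards portal: log in today"),
    ("it@examp1ecorp.com", "Password expiry notice"),
    ("news@examplecorp-rewards.net", "Claim your points"),
    ("alerts@github.com", "Security alert"),
]


def flag_messages(messages) -> list[str]:
    """Return the sender addresses whose domain is a look-alike of a legitimate one."""
    return [addr for addr, _subject in messages
            if classify(addr.rsplit("@", 1)[-1]) == "lookalike"]


if __name__ == "__main__":
    for addr in flag_messages(SAMPLE_MESSAGES):
        print("LOOK-ALIKE SENDER:", addr)
```

Run as a script it prints the three constructed look-alike senders. A gateway rule built on `classify` is a complement to, not a substitute for, SPF/DKIM/DMARC enforcement: those stop spoofing of the real domain, while this check targets registered cousins of it.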

INTERNAL TESTING consisted of a stolen-device simulation and internal network testing. We discovered an ESC8 vulnerability in the client’s Certification Authority: its web enrollment endpoint accepted NTLM authentication over HTTP, which allowed us to request an Active Directory certificate for any account whose authentication we could relay, even the Domain Controller (DC). After confirming the flaw with Certipy, we used NetExec’s coerce_plus module to force the DC to authenticate to our relay server, then captured and relayed that authentication with ntlmrelayx. The CA issued a certificate for the DC’s machine account, effectively granting us Domain Admin rights—proving that even robust defenses can be bypassed with precise tactics. Domain Admin is the highest privilege an attacker can obtain in an AD domain; it represents a full infrastructure compromise, with access to all services and sensitive data.
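The relay described above leaves a recognizable trace on the CA: the certificate is issued to the DC's account, yet the request arrived over web enrollment from a host that is not the DC. The following added example (not Haxoris's code or tooling) runs three such checks over constructed enrollment records: a DC machine account enrolling through web enrollment at all (DCs autoenroll over RPC/DCOM), a DC's request arriving from an address other than the DC's own, and, generalizing beyond the DC case on the page, any machine account obtaining an authentication-capable certificate over the web endpoint. The records are written as if joined from the CA's issued-certificate audit event and the web-enrollment server log by request id; that field layout, the account names, addresses and template names are all assumptions of the example, not a real event schema.

```python
"""Detect ESC8-style relayed enrollments in AD CS records.

Added example; not Haxoris's code. The record format is constructed for
this example and is not a real Windows event schema.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed: domain controller machine accounts and the address each enrolls from.
DC_ACCOUNTS = {"CORP\\DC01$": "10.0.0.10", "CORP\\DC02$": "10.0.0.11"}

# Templates whose certificates let the holder authenticate as the subject.
AUTH_TEMPLATES = {"DomainController", "DomainControllerAuthentication",
                  "KerberosAuthentication", "Machine", "User"}

# Constructed enrollment records: one issued certificate per line.
SAMPLE_RECORDS = """\
req=1041 requester=CORP\\DC01$ template=DomainControllerAuthentication channel=rpc client=10.0.0.10
req=1042 requester=CORP\\jdoe template=User channel=web client=10.0.5.23
req=1043 requester=CORP\\DC01$ template=DomainController channel=web client=10.0.7.77
req=1044 requester=CORP\\WS042$ template=Machine channel=rpc client=10.0.5.42
req=1045 requester=CORP\\WS042$ template=Machine channel=web client=10.0.7.77
"""


@dataclass
class Enrollment:
    request_id: int
    requester: str   # account the CA believes made the request
    template: str
    channel: str     # "rpc" (native DCOM/RPC enrollment) or "web" (/certsrv)
    client_ip: str   # address the request physically arrived from


def parse_records(text: str) -> list[Enrollment]:
    """Parse the key=value record format used by the constructed sample."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(token.split("=", 1) for token in line.split())
        records.append(Enrollment(int(kv["req"]), kv["requester"], kv["template"],
                                  kv["channel"], kv["client"]))
    return records


def findings_for(e: Enrollment) -> list[str]:
    """Return the relay indicators that apply to one enrollment (empty if none)."""
    reasons = []
    is_dc = e.requester in DC_ACCOUNTS
    is_machine = e.requester.endswith("$")
    if is_dc and e.channel == "web":
        reasons.append("DC account enrolled via web enrollment; DCs autoenroll over RPC")
    if is_dc and e.client_ip != DC_ACCOUNTS[e.requester]:
        reasons.append(f"request for {e.requester} came from {e.client_ip}, "
                       f"not its own address {DC_ACCOUNTS[e.requester]}")
    if is_machine and e.channel == "web" and e.template in AUTH_TEMPLATES:
        reasons.append("machine account obtained an authentication certificate via web enrollment")
    return reasons


def scan(text: str) -> dict[int, list[str]]:
    """Map request id -> indicators, for records that have at least one."""
    result = {}
    for e in parse_records(text):
        reasons = findings_for(e)
        if reasons:
            result[e.request_id] = reasons
    return result


if __name__ == "__main__":
    for req_id, reasons in scan(SAMPLE_RECORDS).items():
        print(f"request {req_id}:")
        for r in reasons:
            print("  -", r)
```

On the sample, request 1043 trips all three checks and 1045 the third one. Detection of this kind is a compensating control; the structural fix for ESC8 is to remove web enrollment where it is not needed, or to require HTTPS with Extended Protection for Authentication and disable NTLM on the endpoint, so that relayed authentication is no longer accepted.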


Results & Key takeaways

  • CREDENTIAL COMPROMISE: A precision phishing campaign resulted in 260 valid user credentials, revealing weaknesses in email filtering and user awareness.
  • PHYSICAL ACCESS ACHIEVED: Our operative bypassed front-desk checks and cloned RFID badges without challenge, enabling device placement inside secured areas.
  • PRIVILEGE ESCALATION TO DOMAIN ADMIN: Exploiting the AD Certificate Authority misconfiguration (ESC8), we issued a trusted certificate and gained full administrative control—undetected.
  • ZERO DETECTION BY DEFENSES: Neither perimeter controls, IDS/IPS, nor logging systems flagged our activities—demonstrating significant visibility gaps.

Our Recommendations

  • Strengthen Physical Security & Visitor Protocols: Anti-tailgating barriers, strict ID checks, and strict visitor checks.
  • Audit Every Vector Regularly: Perimeter, internal systems, external systems, certificate authorities, and network infrastructure.
  • Train Employees on Phishing & Social Engineering: Scenario-based drills to keep employees’ guard up.
  • Monitor Internal Devices & Activity in Real Time: Detect unauthorized hardware and anomalous network behavior immediately.
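The implant planted behind the meeting-room TV screen and the recommendation to detect unauthorized hardware in real time point at the same control: compare what the switches actually see against the asset inventory. The following added example (not Haxoris's code or tooling) audits a snapshot of a switch MAC-address table and reports a MAC nobody owns, a documented spare port that has become active, and a fixed asset appearing on a port other than its assigned one; it also accepts the three common MAC notations, since vendors print them differently. The inventory, port names, addresses and MACs are constructed, and the snapshot layout is an assumption of the example.

```python
"""Audit a switch MAC-address table against the asset inventory.

Added example; not Haxoris's code. Inventory, ports, addresses and MACs are
constructed, and the 'port mac ip' snapshot layout is an assumption.
"""
from __future__ import annotations
import re

# Constructed inventory: MAC -> (asset description, assigned port or None for mobile assets).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("PRN-2F-01 printer", "sw-2f/Gi1/0/12"),
    "aa:bb:cc:00:00:02": ("TV-MR4 meeting-room display", "sw-2f/Gi1/0/24"),
    "aa:bb:cc:00:00:03": ("LT-0472 laptop", None),
}
# Constructed: ports documented as unused; they should never learn a MAC.
SPARE_PORTS = {"sw-2f/Gi1/0/23"}

# Constructed snapshot: port, learned MAC (in whatever format the vendor prints), IP.
SAMPLE_MAC_TABLE = """\
sw-2f/Gi1/0/12 aabb.cc00.0001 10.0.2.51
sw-2f/Gi1/0/24 AA-BB-CC-00-00-02 10.0.2.60
sw-2f/Gi1/0/07 aa:bb:cc:00:00:03 10.0.2.88
sw-2f/Gi1/0/23 de:ad:be:ef:00:01 10.0.2.91
sw-2f/Gi1/0/15 aa:bb:cc:00:00:01 10.0.2.92
"""


def normalize_mac(raw: str) -> str:
    """Accept aabb.cc00.0001, AA-BB-CC-00-00-01 or aa:bb:cc:00:00:01; return the colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def audit(mac_table: str) -> list[tuple[str, str, str]]:
    """Return (port, mac, reason) for every observation that disagrees with the inventory."""
    findings = []
    for line in mac_table.splitlines():
        if not line.strip():
            continue
        port, raw_mac, ip = line.split()
        mac = normalize_mac(raw_mac)
        if port in SPARE_PORTS:
            findings.append((port, mac, f"documented spare port is active ({ip})"))
        asset = INVENTORY.get(mac)
        if asset is None:
            findings.append((port, mac, f"MAC not in inventory ({ip})"))
            continue
        name, assigned_port = asset
        if assigned_port is not None and assigned_port != port:
            findings.append((port, mac, f"{name} expected on {assigned_port}, seen on {port}"))
    return findings


if __name__ == "__main__":
    for port, mac, reason in audit(SAMPLE_MAC_TABLE):
        print(f"{port} {mac}: {reason}")
```

On the sample, the unknown device on the spare port produces two findings and the printer that moved to another port produces one. This polling check is the compensating control for ports that cannot yet be authenticated; the structural fix is 802.1X on wired ports with the same certificate requirement the client already enforced on Wi-Fi, so that an unknown device on an RJ45 port gets no network access at all.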

Cybersecurity isn’t just technology—it’s the synergy of people, processes, and tools. Continuous testing, learning, and resilience-building are essential, because attackers will always seek the weakest link. Real protection begins in the minds and attitudes of your people.

Don’t wait for a breach—discover your weakest link with Red Teaming now!
