Two figures dressed in dark clothing quietly move through the empty corridors of a laboratory late at night. A surveillance camera slowly pans past without noticing them. While this may sound like a scene from a spy thriller, it is in fact a carefully planned security assessment: we are a commissioned Red Team evaluating the security posture of MediPharm AG (a fictional company) in Bavaria. But before we were able to enter the laboratory and server room under the cover of darkness, weeks of preparation had already taken place. In this article, we describe how our team proceeded step by step—from the initial executive briefing to successfully reaching the company’s most valuable research data.
Phase 1: Kick-off – Defining the Mission
Everything began with a confidential kick-off meeting involving the executive board. The CEO and CIO of MediPharm AG commissioned us to perform a comprehensive Red Team engagement. Our objective was clear: simulate a sophisticated real-world cyberattack and evaluate the organization’s ability to detect and respond to it.
Together, we defined the attack scenario. We would emulate a professional adversary—whether a financially motivated ransomware group or a state-sponsored espionage actor — targeting the organization’s crown jewels.
In this engagement, those crown jewels consisted of highly sensitive research and development data for a new pharmaceutical product.
The rules of engagement were carefully defined. We would begin as a completely external attacker with no existing access to the organization—just like a real-world threat actor attempting to compromise the company from the outside.
The internal security team would remain unaware of the exercise to ensure that all defensive reactions remained authentic and unbiased.
Only the CIO acted as the designated White Team representative, serving as our internal point of contact and emergency coordinator. He would intervene only if our activities accidentally endangered business operations or if the exercise risked causing unintended damage.
Management emphasized that we were authorized to progress as far as realistically possible. Even gaining access to the organization’s most sensitive laboratory data was permitted, provided that normal business operations were not significantly disrupted.
With clear objectives, defined boundaries, and the necessary authorization, the engagement officially began.
Phase 2: Reconnaissance – Identifying Weaknesses
Before launching any attacks, we conducted an extensive reconnaissance phase. Our team systematically gathered publicly available information about MediPharm AG using Open Source Intelligence (OSINT) techniques.
We searched every available source for useful intelligence: press releases, technical blog posts written by employees, LinkedIn profiles, industry directories, and any publicly accessible information that could reveal details about the organization’s structure or technology.
We also searched darknet forums and underground communities for mentions of the company or leaked credentials. In fact, we discovered several corporate email addresses associated with historical password hashes contained in a leaked credential database—a promising initial lead.
At the same time, we mapped the organization’s externally accessible infrastructure. Network reconnaissance identified several internet-facing systems, including a VPN gateway, Outlook Web Access, and an outdated supplier portal.
We carefully documented software versions and compared them against publicly known vulnerabilities. We also collected publicly available email addresses and telephone numbers of employees to support later phishing campaigns and voice phishing (vishing) attempts.
Not all useful information was available online. We therefore supplemented our technical reconnaissance with social engineering.
One member of our team contacted the company’s IT help desk while impersonating a remote employee experiencing VPN issues. During the conversation, the helpful support representative unintentionally revealed several details about the internal IT environment, including the antivirus solution deployed throughout the company and the location of the server room.
Information like this proved extremely valuable. It enabled us to later tailor our payloads specifically to avoid detection by the organization’s security controls.
We also conducted physical reconnaissance to evaluate on-site security measures. During a discreet visit to the business park, we observed that although the headquarters was surrounded by fencing, numerous delivery drivers and contractors entered and left the premises throughout the morning.
We carefully noted staffing patterns at the reception desk and observed how consistently access control procedures were enforced.
During the lunch break, we witnessed a potential opportunity: an employee briefly left a side entrance unlocked after using their access badge while returning to their vehicle. Situations like these could potentially be exploited during a real attack.
By the end of the reconnaissance phase, we had developed a comprehensive understanding of the organization’s attack surface.
Several viable attack paths had emerged—from traditional phishing campaigns to exploiting physical access opportunities such as the unsecured side entrance.
These findings formed the basis for the next phase of the engagement.
Phase 3: Attack Planning – Building the Strategy
Based on the findings gathered during reconnaissance, we developed a multi-layered attack plan. We identified several promising attack paths that could provide initial access and evaluated each option in terms of likelihood of success and associated risks.
During an internal planning meeting, we presented the proposed attack scenarios to the CIO, our designated White Team representative. The following options were considered:
- Spear Phishing via Email: Sending carefully crafted phishing emails to selected employees, using either malicious attachments or links to fake login portals in order to harvest credentials or deploy malware.
- Voice Phishing (Vishing): Calling employees while impersonating the IT department to obtain passwords or other confidential information.
- Physical Intrusion: Entering company facilities while posing as an external contractor (e.g., an electrician or maintenance technician) to gain access to office areas or even the server room.
- Technical Exploitation of Internet-Facing Systems: Exploiting vulnerabilities in externally accessible services to establish direct access to the corporate network.
The CIO reviewed every proposed action from both a security and compliance perspective. Together, we determined which attack techniques were within the agreed rules of engagement.
In this engagement, the customer approved all of the proposed attack vectors, provided that we proceeded carefully and avoided causing lasting disruption. With that approval, we were ready to execute our multi-stage attack scenario.
Phase 4: Preparation – Building the Toolkit
Our next step was to prepare the resources required for each approved attack vector. We established an infrastructure that would make every aspect of the engagement appear as realistic as possible.
For the phishing campaign, we registered an Internet domain that closely resembled the company’s legitimate website. On this domain, we hosted a fake login portal, complete with the company’s branding, designed to capture employee credentials.
In addition, we developed a custom malware payload disguised as an innocent-looking PDF document. Once opened, the payload would silently establish remote access to the corporate network.
To maximize the realism of the exercise, we ensured that the malware was not detected by the antivirus solution identified during Phase 2. Before deployment, we specifically tested it against that exact security product.
At the same time, another part of our team prepared the physical intrusion scenario. We assembled convincing work clothing and identification badges for a fictitious maintenance contractor.
One team member would assume the role of an electrician supposedly scheduled to perform maintenance work inside the building. The disguise included a high-visibility safety vest, a toolbox, and a highly convincing work order printed on professionally designed company letterhead that we had created specifically for the exercise.
We also prepared several technical tools, including a small preconfigured mini-computer (similar to a Raspberry Pi) that could be discreetly connected to the internal network to establish a second covert access path.
Finally, we prepared several USB drives loaded with our malware and labeled them with enticing names such as “Q3 Project Plan.” These drives could later be “accidentally” left in locations such as the company parking lot or reception area in the hope that curious employees would connect them to their workstations.
Once all preparations were complete, we had assembled a comprehensive toolkit. The engagement was ready to move into the execution phase.
Phase 5: Initial Access – Getting a Foot in the Door
At 9:30 a.m. on a Tuesday morning, the operation began.
We sent our prepared phishing emails to carefully selected MediPharm employees. One recipient, the head of the virology research department, received what appeared to be an invitation from a well-known scientific conference organizer.
Written in flawless German, the email requested participation in an “urgent online laboratory safety survey.” Naturally, the embedded link directed the recipient to our spoofed website.
Less than an hour later, we observed the first successful compromise. Our server received a connection originating from an internal corporate workstation. Someone had clicked the link and authenticated through our fake login portal.
Using the captured credentials and the silently deployed malware, we had successfully established our first foothold inside the organization’s network.
Through the installed backdoor, we were now able to access the employee’s workstation without being detected. The compromised system belonged to a scientist working on an active pharmaceutical research project.
Our malware operated silently in the background while remaining undetected by the endpoint protection platform. It provided persistent access to the system — even after reboots or when the laptop connected to the corporate Wi-Fi network.
At the same time, the malware disguised its network communications as legitimate outbound Internet traffic, allowing it to evade detection by both firewalls and security monitoring solutions.
While securing this initial foothold, we simultaneously executed the physical attack scenario.
The following day, one of our team members arrived at MediPharm headquarters dressed as a maintenance electrician. Equipped with a clipboard and our professionally forged work order, he reported to reception.
He explained that he had been dispatched to perform an urgent inspection of the server room’s air conditioning system. Thanks to a convincing performance — and perhaps a carefully rehearsed sense of urgency — the story was accepted.
The receptionist did attempt to verify the maintenance request by calling the telephone number printed on the work order.
However, the number connected directly to a phone line operated by our own team, where another Red Team member immediately confirmed the appointment.
With that verification complete, our operative received a visitor badge and was escorted toward the server room by a helpful apprentice.
Inside the building, our team member took advantage of the first brief moment when he was left unattended.
Within seconds, he connected the prepared mini-computer to an easily accessible network socket in the hallway. The device immediately established an outbound cellular connection to our command server, providing us with a second covert entry point into the corporate network.
Shortly afterward, the “electrician” thanked the staff, waved goodbye, and calmly left the premises — without raising any suspicion.
At the end of Phase 5, we had established two completely independent access paths into the company’s network: a digital foothold through the compromised employee workstation and a physical foothold through the covertly installed network device.
The next objective was to leverage these initial access points to move deeper into the organization’s internal environment.
Phase 6: Lateral Movement and Privilege Escalation
With our initial footholds established, we began systematically moving deeper into the corporate network.
Starting from the compromised workstation, our first objective was to gather as much information as possible about the internal environment. We mapped the network, enumerated hosts, identified file shares, and discovered the organization’s core infrastructure.
As expected, we encountered a typical Windows Active Directory environment consisting of employee workstations, file servers, mail servers, database servers, and a central domain controller that managed authentication across the organization.
To reach the organization’s most valuable assets, we first needed to expand our privileges.
Our initial step was to obtain full administrative access to the compromised laptop. To achieve this, we exploited a vulnerability in outdated software installed on the system. An obsolete PDF application was susceptible to a publicly available privilege escalation exploit, allowing us to elevate our permissions to the local SYSTEM account.
Administrative access enabled us to extract cached credentials from memory. During this process, we discovered credentials belonging to a domain administrator.
At some point in the past, an IT administrator had apparently logged onto this workstation — most likely during maintenance — and remnants of those credentials remained available in memory.
Armed with domain administrator privileges, virtually every system within the environment became accessible.
Over the following hours, we expanded our presence throughout the network, moving methodically from one system to another. Using the newly acquired administrative credentials, we accessed multiple servers throughout the environment.
On one file server, we discovered directories labeled “Research” and “Clinical Studies.” A laboratory database server quickly became another area of interest.
Throughout the engagement, we deliberately maintained a low profile. Network scans were performed at very low intensity, and we carefully avoided generating unusual traffic patterns that might trigger security monitoring solutions.
As our understanding of the environment improved, we also gained insight into the organization’s defensive architecture.
The internal network had been segmented, with the research environment separated from the general corporate network.
However, our covert hardware implant had been deployed directly inside the research segment, allowing us to bypass this architectural control entirely.
We also observed that administrative access was not consistently protected by multi-factor authentication, significantly simplifying privilege escalation and lateral movement.
By the end of this phase, we possessed both the permissions and the network visibility required to pursue our primary objective.
Phase 7: Mission Accomplished – Reaching the Crown Jewels
Late in the evening of the final engagement day, we successfully accessed the organization’s most sensitive information.
Deep within the research department’s file server, we located documentation related to the development of a new pharmaceutical product.
The directories contained laboratory documentation, chemical formulations, experimental results, and clinical trial data—the exact type of intellectual property that would be highly valuable to competitors or ransomware operators seeking leverage.
To demonstrate successful compromise, we extracted a small number of representative files.
Among them was a document describing the detailed chemical composition of the experimental drug candidate.
We captured screenshots and securely stored encrypted copies solely as evidence for the final report.
At no point did we modify, destroy, or remove any customer data.
Our objective was to demonstrate risk — not to cause damage.
Nevertheless, the exercise clearly illustrated that a real attacker could, at this stage, have exfiltrated vast amounts of confidential research data or encrypted the organization’s research environment as part of a ransomware attack.
Our primary objective had been achieved. We had successfully reached the company’s crown jewels.
Any further activity would have introduced unnecessary risk without providing additional value.
We therefore concluded the active attack phase and shifted our attention toward documenting our findings.
Phase 8: Reporting and Lessons Learned
The final phase focused on documenting every aspect of the engagement.
We produced a comprehensive report describing the complete attack chain — from the initial OSINT findings through phishing, physical intrusion, privilege escalation, lateral movement, and ultimately successful access to the organization’s most critical assets.
Every exploited weakness was documented in detail, including:
- when it was exploited,
- how it was exploited,
- why existing security controls failed to prevent or detect it, and
- which defensive measures could have interrupted the attack chain.
For every identified weakness, we also provided practical recommendations for remediation.
Among our key recommendations were:
- Enforce multi-factor authentication for all privileged accounts.
- Establish a rigorous vulnerability and patch management process.
- Conduct regular phishing awareness and social engineering training.
- Strengthen physical access controls to prevent unauthorized entry and unattended secure areas.
Naturally, we also removed the covert mini-computer that had been installed during the physical intrusion exercise. Within the report, it served as a tangible demonstration of how easily unsecured network ports could be abused.
Several days later, we presented our findings to MediPharm’s executive management and senior IT leadership.
During the debriefing session, we walked through the complete attack scenario together with the CIO, explaining every phase of the engagement.
The reaction in the room was a mixture of surprise and concern as the participants realized how far an attacker had been able to progress without attracting attention.
The organization’s internal security team had detected only a handful of weak indicators throughout the entire exercise.
At one point, the endpoint protection solution briefly generated an alert, but it was dismissed as a false positive.
No employee questioned the legitimacy of the fake maintenance contractor.
Likewise, the covert extraction of sensitive research data remained completely unnoticed.
Although these findings were sobering, they had been obtained within the controlled environment of a Red Team engagement—providing valuable opportunities for improvement rather than the consequences of a real breach.
The engagement concluded on a positive note. MediPharm now had the opportunity to remediate every identified weakness before a genuine attacker could exploit them.
The CEO described the assessment as a valuable wake-up call and committed to investing further in the organization’s security posture.
Ultimately, the Red Team exercise fulfilled its purpose.
It demonstrated exactly how an advanced attacker could compromise the organization, while simultaneously providing a concrete roadmap for significantly improving its cyber resilience.
