Red teamers gained network admin access after posing as new IT staff and shoveling snow

A security assessment at a client site took an unusual turn when two professional red teamers used a winter storm and a bit of improvisation to slip deeper into a company’s defenses. The testers, work...

A security assessment at a client site took an unusual turn when two professional red teamers used a winter storm and a bit of improvisation to slip deeper into a company’s defenses. The testers, working for Echelon Risk + Cyber, were challenged to evaluate the organization’s physical and network security and ended up demonstrating how quickly an on-site social engineering attempt can escalate into a full compromise.

According to the team, they entered through a maintenance area that was already open, then told staff they were new IT hires without badges. When questioned, one of them offered to help with snow removal, which gained them enough trust to move around the building. While one tester shoveled outside, the other was able to access interior spaces and look for a place to connect a small Raspberry Pi to the network.

The first Ethernet port they tried was protected by network access control, but another port in a conference room was not. The device was plugged in there and hidden from view with trash cans. Although the testers had trouble leaving through badge-controlled doors, they were able to exit through the maintenance entrance after being waved out by staff.

The breach was eventually noticed when maintenance later thanked the IT department for the supposed new employee’s help, only for IT to confirm that no such staff members existed. Security reviewed camera footage and even checked a rental car plate, but the Raspberry Pi remained undetected for two weeks.

During that window, the red team used the device to reach Active Directory, identify domain controllers, and perform password spraying. They reported finding dozens of accounts using the password winter2023!, which gave them a foothold for mapping internal resources. They later found weaknesses in Active Directory Certificate Services, including several vulnerable templates and a certificate authority issue, and used those flaws to reach domain administrator access.

Key weaknesses highlighted

  • Staff accepted an unbadged visitor who appeared to fit in
  • An accessible network port allowed an unauthorized device to connect
  • Weak passwords were widespread across user accounts
  • Multi-factor authentication was not enforced everywhere

The testers said the exercise showed how physical access, weak identity controls, and overlooked network ports can combine to create a major security failure.