Most engagements end when you’re detected. This one had a different rule:
“You cannot be detected. It’s not game over if you are, but try not to get caught.”
Challenge accepted.
We were given two VMs (Windows and Linux), both with root access and recorded through Citrix, and told to see how far we could get without triggering alerts.
Spoiler: We’re still in there. Using the monitoring team’s own account. Having a look around.

The invisible setup
The client had locked both VMs down. Settings unavailable. Consoles disabled. Dangerous domains blocked. IP restrictions in place. Standard hardening.
But one thing slipped through the net on the Linux VM: unmonitored outbound UDP connections were allowed.
That’s all we needed.
WireGuard client installed. SSH tunnel established through our WireGuard VPN. Direct access secured.
From this point forward, we uploaded every tool we needed over SSH through the WireGuard tunnel. No dropped connections, alerts or emails to the security team.
Just silence.
We set up Responder in analysis mode, watching network traffic for legacy protocols. Nothing suspicious appeared. Just legitimate traffic.
Time to get creative. So we went looking.
The one who was forgotten
We grabbed the list of users from the LDAP server using credentials from the Windows VM account. The account was valid, so we started sneaking into shared folders with read permissions across the same subnet.
Then we hit it: a shared folder with the kind of name IT staff use when they think no one’s looking.
Inside? A low-level account with credentials in clear text.
The password was embarrassingly simple. Too simple to be sitting in a text file on a network share. But there it was.
We took a calculated risk: a password spray attack over LDAP against all the active users we’d collected.
The results? Over thirty accounts using the same password.
Including an account operator with local admin access to multiple workstations in the same subnet.
The pattern
With admin access now secured, we enumerated all workstations in the subnet and started extracting the SAM and LSA secrets from multiple machines.
A pattern emerged immediately: the same local administrator hash. Everywhere.
They’d cloned the operating system across workstations and made no other changes. Same hash. Same passwords. Same access.
We ran a pass-the-hash attack using the local administrator hash. Nearly every device in the subnet fell.
At this point, we had account operator permissions, server operator permissions, and local admin access across dozens of workstations. All through the same WireGuard tunnel that kept us completely under the radar.
No domain admin access yet, but we didn’t need it. Workstations were wide open. Juicy information was ours for the taking.
And still, not a single alert.
The irony
At this point, we could have stopped. Instead, we kept digging.
But this time, we used the account that’s supposed to be used by the third-party monitoring team.
The same team tasked with detecting intrusions.
The same team that still hasn’t noticed we’re in there.
We’re poking around and collecting. Still completely invisible.
The reality check
The punchline? If your monitoring doesn’t catch a patient attacker using your own tools and accounts, it’s not monitoring. It’s theatre.
This engagement exposed critical failures:
- Cleartext credentials stored in shared folders accessible to low-level accounts.
- Identical passwords across dozens of user accounts, including privileged roles.
- Cloned systems with identical local administrator hashes across the entire subnet.
- Zero detection of lateral movement, credential abuse, or unusual account behavior.
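The "zero detection of credential abuse" finding is the gap a monitoring team has to close first, since a spray against thirty accounts is one of the noisiest things an attacker does. As an added example, not code from CovertSwarm or from the engagement, here is a minimal password-spray detector in Python run over constructed authentication events (the log format and thresholds are assumptions): it flags a source that fails against many distinct accounts in a short window, leaves a single-account brute force to a separate rule, and reports the accounts that then succeeded from the spraying source.

```python
"""Password-spray detection over simple authentication events.
Sample events below are constructed, not taken from any real environment."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, account, source IP (assumed format).
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL alice 10.10.5.23
2024-05-01T09:00:02 FAIL bob 10.10.5.23
2024-05-01T09:00:03 FAIL carol 10.10.5.23
2024-05-01T09:00:04 OK dave 10.10.5.23
2024-05-01T09:00:05 FAIL erin 10.10.5.23
2024-05-01T09:00:06 FAIL frank 10.10.5.23
2024-05-01T09:05:00 FAIL alice 10.10.7.9
2024-05-01T09:05:30 FAIL alice 10.10.7.9
2024-05-01T09:06:00 FAIL alice 10.10.7.9
"""

def parse(text):
    """Turn log lines into (timestamp, result, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, result, account, src = line.split()
            events.append((datetime.fromisoformat(ts), result, account, src))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source: sorted accounts} for every source whose failures hit
    at least min_accounts distinct accounts inside a sliding time window.
    One account failing repeatedly (brute force) does not trigger this rule."""
    fails_by_src = defaultdict(list)
    for ts, result, account, src in sorted(events):
        if result == "FAIL":
            fails_by_src[src].append((ts, account))
    hits = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[src] = sorted(accounts)
                break
    return hits

def successes_from_spraying_sources(events, hits):
    """Accounts that logged in successfully from a flagged source: the spray
    found a valid password, so treat these accounts as compromised."""
    return sorted({a for _, r, a, s in events if r == "OK" and s in hits})
```

Running the two functions over `SAMPLE_LOG` flags 10.10.5.23 as spraying five accounts and reports `dave` as the account whose password the spray hit, while 10.10.7.9 (three failures against one account) is left for a brute-force rule.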
The “don’t get caught” constraint wasn’t a challenge. It was a reality check.
The client is now rewriting credential hygiene policies, auditing and locking down shared folders, rebuilding system images with unique local administrator passwords, and extending monitoring to include accounts used by their own security tools.
As their CISO put it:
“We thought our monitoring was comprehensive. Turns out it was just watching the front door while someone walked around the back, picked the lock, and made themselves at home.”
Assumed breach scenarios aren’t theoretical exercises. They’re the reality of modern attacks. Attackers don’t announce themselves. They move slowly, use your own tools, and blend into normal traffic.
If your security operations can’t detect lateral movement, credential abuse, and account misuse when someone’s actively trying to stay hidden, you’re not secure. You just haven’t caught anyone yet.
Want to see what’s hiding in your blind spots?
Contact CovertSwarm and let us show you what your monitoring misses.