No credentials. No map of the network. No privileged access.
Just a rogue device placed inside the corporate network, and five days to see how far it could go.
By Friday afternoon, we had Domain Admin.

Getting a signal out
The objective: find out whether the organization could detect and respond to an unauthorized device on their own network.
Outbound connections were restricted. The obvious routes were blocked. So before anything else, we needed a way to communicate at all.
We found one. Traffic left the network looking like nothing worth investigating. Nothing that would stand out on a network monitor.
No alerts. No detections. Not for the device, not for the channel, not for anything that followed.
Just a comforting silence.
Monday to Thursday
Four days of observation. Mapping what was reachable, watching how authentication moved across the network, and noting where it placed too much trust in itself.
Dozens of credentials were captured across the week. Junior staff through to senior principals and project managers. Several were cracked. That opened internal shared folders and sensitive data.
No starting credentials. No inside knowledge. A device on the network, listening. That was enough.
Friday
On Friday, a vulnerability surfaced in a core part of the organization’s authentication infrastructure. The kind of weakness that exists quietly in certain environments, well documented, rarely acted on.
The first attempt to exploit it didn’t land cleanly. Real environments have a way of disrupting clean attack paths.
So we paused. Made a coffee. Pivoted.
A different route to the same destination. By the end of Friday, we had gone from a rogue device with nothing to full domain-level compromise.
Nobody raised a flag all week.
What five days of silence actually means
This wasn’t about sophisticated exploits. It was about patience, observation, and using the network’s own trust against it.
The device was never detected. The outbound channel was never flagged. The credential captures went unnoticed. Domain Admin was reached before the long weekend.
If an unauthorized device can sit quietly on your network for a week, work its way through your authentication layer, and reach full domain control without triggering a single alert, your detection capability is not ready for a real threat.
The next move was to stay quiet and map exposure to high-value systems.
Contact CovertSwarm to find out what a patient attacker could do inside your network before anyone noticed.