
Red teamers shoveled snow, got domain admin access

Huma Shazia, July 3, 2026 at 7:47 AM, 5 min read

Key Takeaways

Source: www.theregister.com
  • Red teamers gained building access by offering to help maintenance crew shovel snow
  • A hidden Raspberry Pi stayed undetected for two weeks, enabling full domain admin compromise
  • Password spraying with 'winter2023!' yielded 50-60 employee account hits

Two professional red teamers walked into a client's building through an open maintenance door, helped shovel snow, and walked out with a hidden Raspberry Pi plugged into the corporate network. Two weeks later, they had domain admin access. The client never found the device.

The story, shared by Kristopher Johnson and his then-manager Dahvid Schloss at Echelon Risk + Cyber, illustrates how physical security failures cascade into full network compromise. It happened in 2023. The lessons still apply.


How did they get inside?

Johnson and a colleague named Michael arrived at the target office in winter. The maintenance crew had propped open a door. They walked through it into the mail room, where an employee immediately challenged them.

Their cover story: new IT employees without working badges. They mentioned nearly slipping on ice and offered to help shovel. The maintenance team accepted.

Michael shoveled. Johnson asked maintenance to let him inside so he could "set up Michael's laptop." They did. He was now free to roam the building.

Planting the Raspberry Pi

Johnson's goal was simple: plug a Raspberry Pi into the network, then attack remotely. His first attempt failed. The AV closet Ethernet port had network access control enabled. The Pi's LTE radio couldn't reach a signal from inside the closet either.

He moved to a conference room. One network port there had no access control. But the Pi would be visible to anyone walking in.

His solution: trash cans. He arranged them to hide the device. It worked.

Getting out proved harder than getting in. The front door required a badge swipe. Strangers refused to help. But the maintenance entrance? They swiped him out without hesitation. He waited in his car while Michael finished shoveling.

The breach was detected. The Pi was not.

The next day, building security confronted Johnson and Michael. Someone from maintenance had gone to the IT department to thank them for Michael's help. IT had no record of new employees named Michael or Kristopher.

Security reviewed camera footage. They traced Johnson's rental car and tried to pull license plate information. They suspected something was wrong.

But they never found the Raspberry Pi. It stayed plugged in for two weeks.


From Ethernet port to domain admin

With network access, Johnson's team connected to Active Directory, located the domain controllers, and started password spraying accounts. They tried "winter2023!" as a password.

It worked on 50 to 60 accounts.

"So we used those credentials to kind of map out the rest of the network," Johnson told The Register. "Network shares and things like that and then, towards the end of the test, we enumerated the certificate services."

They found eight Active Directory Certificate Services templates vulnerable to ESC1 and ESC4 attacks. The certificate authority itself was vulnerable to ESC8. They exploited these holes to gain full domain administrative access.

A janitor found the Raspberry Pi two weeks after the initial breach. By then, the red team had already won.

Why helpfulness is a security risk

This attack worked because people wanted to help. The maintenance crew saw two guys who almost slipped on ice and offered to pitch in. That reads as friendly, not suspicious.

Schloss noted that if someone looks and acts like they belong, employees default to trust. That instinct is exploitable. Real attackers know this. According to Verizon's 2023 Data Breach Investigations Report, 74% of breaches involve human elements including social engineering.

The physical access control failed at multiple points. The maintenance door was propped open. Strangers were escorted into secure areas. No one verified the "new IT employees" story with actual IT. The conference room network port had no access control. Trash cans provided adequate cover for foreign hardware.

What should the company have done?

Train everyone, not just security staff. The maintenance crew had no reason to suspect a social engineering attempt. They were being helpful. But they should have known to verify badge claims with security or IT before granting access.

Enforce network access control everywhere. The AV closet had it. The conference room did not. That inconsistency created the opening.

Assume physical access equals network access. Once someone is inside with a device, they can plant hardware. Sweep regularly for unauthorized devices. Monitor for new MAC addresses on the network.

Password policies matter. "Winter2023!" is exactly the kind of seasonal, predictable password that spraying attacks target. It met typical complexity requirements. It was still terrible.
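The seasonal pattern called out above ("Winter2023!") is easy to reject mechanically before a user can set it. Below is an added example of a password-filter check that is not part of the original article or of any product it mentions; it undoes common character substitutions, then rejects a season or month name (or a small constructed banned-word list, which is an assumption here) followed by a year and punctuation. It is a filter for one predictable shape, not a full strength estimator.

```python
import re
from typing import Optional

# Word lists rejected when they form the "word + year + punctuation" shape.
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
# Constructed banned-word list; a real deployment would add the company name,
# product names, the city, the local sports team and similar context words.
BANNED_WORDS = {"password", "welcome", "letmein", "changeme", "qwerty"}

# Common substitutions undone before comparing, so "W1nt3r" is still "winter".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# A word (letters, digits, @, $), optionally a 2- or 4-digit year, then up to
# three punctuation characters. Non-greedy so the year is split off the word.
SHAPE = re.compile(
    r"^(?P<word>[a-z0-9@$]+?)(?P<year>(?:19|20)\d{2}|\d{2})?(?P<punct>[^a-z0-9]{0,3})$"
)


def weak_reason(password: str) -> Optional[str]:
    """Return why the password is predictable, or None if this filter has no objection."""
    m = SHAPE.match(password.lower())
    if not m:
        return None  # does not have the shape this filter targets
    word = m.group("word").translate(LEET)
    suffix = " followed by a year" if m.group("year") else ""
    if word in SEASONS:
        return "season name" + suffix
    if word in MONTHS:
        return "month name" + suffix
    if word in BANNED_WORDS:
        return "banned word" + suffix
    return None


if __name__ == "__main__":
    for candidate in ("Winter2023!", "W1nt3r2023!", "Summer", "correct-horse-battery"):
        print(f"{candidate!r}: {weak_reason(candidate) or 'accepted by this filter'}")
```

A filter like this belongs alongside, not instead of, a breached-password list: it catches the seasonal family that meets length and complexity rules yet is the first thing a spray tries.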


Logicity's Take

The company did several things right. Network access control existed on some ports. Security responded quickly once suspicion arose. They reviewed camera footage and investigated the rental car. But partial security is often worse than it looks, because it creates false confidence. The single uncontrolled conference room port undid the rest. For companies evaluating their own posture, red team assessments like this one, typically priced from $20,000 to $100,000+ depending on scope, reveal gaps that internal audits miss. Firms like Echelon Risk + Cyber, Bishop Fox, and Coalfire all offer physical penetration testing alongside network assessments.

Frequently Asked Questions

What is a red team in cybersecurity?

A red team is a group of security professionals hired to simulate real attacks against an organization. They test physical security, social engineering defenses, and network vulnerabilities to find holes before actual attackers do.

How do attackers use social engineering to gain physical access?

Attackers exploit human tendencies like helpfulness and trust. Common tactics include tailgating through doors, pretending to be employees or contractors, and offering to help with tasks like moving boxes or shoveling snow to build rapport.

What is password spraying?

Password spraying tries a single common password against many accounts simultaneously. Unlike brute force attacks on one account, spraying avoids lockout thresholds while still finding accounts with weak passwords like 'Winter2023!'.
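Because a spray spreads its guesses across accounts, per-account lockout counters never trip; the signal a defender can key on is one source failing against many distinct accounts in a short window. The following is an added detection example, not code from the article or from Echelon; the log line format and the sample events are constructed (loosely modelled on Windows Security events 4625 for failed and 4624 for successful logons), and the window and threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout of the constructed log lines used below.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)


def parse_events(lines):
    """Parse lines into (timestamp, event_id, user, source_ip) tuples, skipping lines that do not fit."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, int(m["eid"]), m["user"].lower(), m["ip"]))
    return sorted(events)


def detect_spray(lines, window=timedelta(minutes=30), min_accounts=8):
    """Flag sources whose failed logons hit many distinct accounts inside one window.

    For each source, slide a time window over its failures and keep the window
    with the most distinct target accounts. Successful logons from a flagged
    source during (and shortly after) that window are reported as hits.
    """
    events = parse_events(lines)
    failures_by_ip = defaultdict(list)
    for ts, eid, user, ip in events:
        if eid == 4625:
            failures_by_ip[ip].append((ts, user))

    alerts = []
    for ip, fails in failures_by_ip.items():
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if best is None or len(users) > best[0]:
                best = (len(users), fails[start][0], fails[end][0])
        if best and best[0] >= min_accounts:
            count, first, last = best
            hits = sorted({u for ts, eid, u, src in events
                           if src == ip and eid == 4624 and first <= ts <= last + window})
            alerts.append({"ip": ip, "accounts": count, "first": first, "last": last, "hits": hits})
    return alerts


# Constructed sample: one source tries each account once and gets one hit, while a
# user on their own workstation mistypes three times and then logs in normally.
SPRAYED_USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
                 "grace", "heidi", "ivan", "judy", "mallory", "oscar"]


def _line(minute, eid, user, ip):
    return f"2023-12-04T09:{minute:02d}:00Z EventID={eid} TargetUserName={user} IpAddress={ip} LogonType=3"


SAMPLE_LOG = (
    [_line(i, 4625, u, "10.0.50.23") for i, u in enumerate(SPRAYED_USERS)]
    + [_line(12, 4624, "dave", "10.0.50.23")]
    + [_line(m, 4625, "bob", "10.0.20.5") for m in (3, 4, 5)]
    + [_line(6, 4624, "bob", "10.0.20.5")]
)

if __name__ == "__main__":
    for a in detect_spray(SAMPLE_LOG):
        print(f"{a['ip']}: {a['accounts']} accounts failed between {a['first']} and {a['last']}; hits={a['hits']}")
```

The fat-fingering user never trips the rule because the count is of distinct accounts per source, not attempts per account; that is the opposite axis from a lockout policy, which is exactly why spraying slips past lockouts and why this rule catches it.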

What is Active Directory Certificate Services vulnerability ESC1?

ESC1 is a misconfiguration in ADCS where certificate templates allow requesters to specify arbitrary Subject Alternative Names. Attackers can request certificates impersonating other users, including domain admins.

How can companies prevent rogue devices on their network?

Enable 802.1X network access control on all ports, not just some. Monitor for new MAC addresses. Conduct regular physical sweeps for unauthorized hardware. Segment networks so rogue devices have limited reach.
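The advice here and in the earlier "Assume physical access equals network access" paragraph ("monitor for new MAC addresses", "sweep regularly") can be made routine by diffing the switch's MAC table against an asset inventory. The block below is an added example, not code from the article or from any vendor it names: the MAC table dump and the inventory are constructed, the switch output format is modelled on a Cisco `show mac address-table` listing, and the vendor table is a tiny stand-in for the IEEE OUI list (the two Raspberry Pi prefixes are the well-known ones; the other two are placeholders). It reports devices not in the inventory, with an OUI hint, and inventoried devices that appear on a port other than the one recorded for them.

```python
import re
from typing import Dict, List, Tuple

# Stand-in for the IEEE OUI registry: b8:27:eb and dc:a6:32 are the well-known
# Raspberry Pi prefixes; the other two are placeholders for this example.
OUI_VENDORS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "dc:a6:32": "Raspberry Pi Trading",
    "00:11:22": "ExampleCorp desktop (placeholder)",
    "00:22:33": "ExampleCorp printer (placeholder)",
}

# Constructed inventory: normalized MAC -> (asset name, switch port it should be on).
BASELINE: Dict[str, Tuple[str, str]] = {
    "00:11:22:aa:00:01": ("ws-finance-01", "Gi1/0/3"),
    "00:11:22:aa:00:02": ("ws-finance-02", "Gi1/0/4"),
    "00:22:33:00:00:10": ("prn-floor2", "Gi1/0/9"),
}

# One data row of the table: VLAN, MAC in any common notation, type, port.
MAC_TABLE_RE = re.compile(r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-fA-F.:-]{12,17})\s+\S+\s+(?P<port>\S+)")


def normalize_mac(raw: str) -> str:
    """Accept b827.eb12.3456, B8-27-EB-12-34-56 or b8:27:eb:12:34:56; return lowercase colon form."""
    digits = re.sub(r"[^0-9a-f]", "", raw.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vendor(mac: str) -> str:
    """Look up the first three octets (the OUI) in the vendor table."""
    return OUI_VENDORS.get(mac[:8], "unknown OUI")


def review_mac_table(lines: List[str], baseline: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Compare a switch MAC table dump against the inventory and return anomalies in table order."""
    findings = []
    for line in lines:
        m = MAC_TABLE_RE.match(line)
        if not m:
            continue  # title, header or separator line
        mac, port = normalize_mac(m["mac"]), m["port"]
        if mac not in baseline:
            findings.append({"kind": "unknown_device", "mac": mac, "port": port,
                             "vlan": int(m["vlan"]), "vendor": vendor(mac)})
        elif baseline[mac][1] != port:
            findings.append({"kind": "moved_device", "mac": mac, "port": port,
                             "asset": baseline[mac][0], "expected_port": baseline[mac][1]})
    return findings


# Constructed dump in the style of `show mac address-table`.
SAMPLE_MAC_TABLE = """
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.22aa.0001    DYNAMIC     Gi1/0/3
  20    0011.22aa.0002    DYNAMIC     Gi1/0/7
  20    b827.eb12.3456    DYNAMIC     Gi1/0/24
  30    0022.3300.0010    DYNAMIC     Gi1/0/9
""".strip("\n").splitlines()

if __name__ == "__main__":
    for f in review_mac_table(SAMPLE_MAC_TABLE, BASELINE):
        print(f)
```

Run on every access switch on a schedule, this turns the "sweep" into a diff: a new OUI on a conference-room port is a physical check for someone that day, not a discovery made by a janitor two weeks later. It does not replace 802.1X; a port with no access control still admits the device, and this only shortens the time it stays unnoticed.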



Need Help Implementing This?

If this story made you wonder about your own physical and network security posture, consider engaging a red team assessment. Logicity can connect you with vetted security consultants. Reach out at hello@logicity.in.


Huma Shazia

Senior AI & Tech Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
