Red Team engagements allow organizations to see how a determined adversary operates once inside their environment. The goal is to demonstrate how an attacker can escalate privileges, evade defences, and ultimately achieve business-impacting objectives such as ransomware deployment, theft of intellectual property, or Business Email Compromise (BEC).
This article provides an overview of the red team process, the tactics most commonly used by adversaries, and the lessons organizations can draw to strengthen their defences.
1. The Red Team and Attacker Process
Adversary activity is commonly described with the Cyber Kill Chain model, a repeatable sequence of stages running from initial reconnaissance through to the achievement of operational objectives. Applied to a red team engagement, the stages look like this:
- Reconnaissance. The attacker gathers information about the target environment, including exposed internet-facing services, VPN gateways, email infrastructure, and employee targets for social engineering.
- Weaponization and Delivery. The attacker prepares a payload suited to the target (a credential-capture page, a macro-enabled document, an exploit for an exposed service) and transmits it by means such as phishing emails, voice social engineering, or exploitation attempts against internet-facing services.
- Exploitation. The attacker exploits a vulnerability or a user action to establish initial access, for example through remote code execution, an authentication bypass, or a successful credential capture.
- Installation and Persistence. After achieving a foothold, the attacker consolidates access by registering backdoors, adding alternate authenticators, or establishing persistent sessions and credentials that survive routine remediation.
- Command and Control. The attacker establishes reliable communications to manage the compromised environment and to stage follow-on activity, for example by using remote shells, tunnels, or stolen session tokens.
- Actions on Objectives. The attacker performs internal reconnaissance, credential harvesting and privilege escalation, moves laterally to high-value assets, and then executes their final goals such as data exfiltration, ransomware deployment or business email compromise.
A red team rarely needs to run the whole chain from the outside. Under the “assume breach” model the exercise starts from a foothold that the organization supplies (a standard workstation or a low-privileged account), so that the engagement time is spent on the post-exploitation stages where detection and response are actually tested. That mindset is at the core of modern red teaming and reflects how advanced threats operate: the question is not whether someone will get in, but what they can do once inside and whether anyone notices.
2. Common Entry Tactics
Phishing and Spear Phishing
Phishing remains the most widely used method for initial access. Attackers create convincing emails that trick users into entering credentials on a fraudulent login page, accepting malicious MFA prompts, or downloading weaponized files.
Spear phishing is even more effective, as it leverages research on the target to create highly personalized messages.
Vishing (Voice Phishing)
Adversaries also exploit human trust over the phone. In a typical scenario, attackers impersonate IT staff or helpdesk operators and trick employees into resetting passwords, disclosing one-time passcodes, or approving MFA requests.
Credential Harvesting and VPN Access
Once credentials are obtained, attackers attempt to log in to corporate VPN portals and internal web services. Many organizations protect VPN access with a username, a password and a push- or one-time-code second factor; if that factor can be bypassed or coerced (see the next section), the attacker lands directly on the internal network with the same reach as a remote employee.
3. MFA Bypass and Parallel Authentication
Multi-factor authentication is an important defense, but it is not infallible. Attackers use several methods to bypass or neutralize MFA:
- Session theft and token replay: a session cookie or OAuth token captured by an adversary-in-the-middle phishing kit, or lifted from an infected endpoint, is replayed by the attacker. The session was already authenticated, so no new MFA prompt is raised.
- MFA fatigue attacks rely on repeatedly sending push notifications until the user accepts one by mistake or simply to make the prompts stop.
- Social engineering tricks helpdesk teams into resetting MFA settings or registering new devices on the attacker's behalf.
- Compromise of identity synchronization servers such as Entra Connect exposes the sync accounts, which hold privileged rights on the on-premises directory (including replication, i.e. DCSync) and on the tenant. With them, adversaries can read directory secrets, manipulate authentication flows, and add unauthorized authenticators.
In advanced scenarios, attackers add a parallel authenticator to a compromised account so that access outlives a password reset. On-premises this is done by writing to account attributes: adding an attacker-generated public key to msDS-KeyCredentialLink (“shadow credentials”) lets the attacker obtain a certificate-based Kerberos TGT for the user through PKINIT, and altSecurityIdentities can map an attacker certificate to the account. In Entra ID the equivalent is registering an additional authentication method (authenticator app, phone number, or security key) on the account. Either way the attacker holds a credential the legitimate user never enrolled, and a password reset does not revoke it.
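The defensive counterpart of the parallel-authenticator technique is to watch the directory for exactly those attribute writes. The following Python is an added example, not code from the original article: it inspects Windows Event ID 5136 (Directory Service Changes) records, which are only generated when the audit subcategory is enabled and a SACL exists on the objects, and reports every added value on msDS-KeyCredentialLink or altSecurityIdentities that is not an expected self-enrolment or sync-account write. The event records, the account names and the allowlist of expected writers are constructed assumptions.

```python
"""Detect alternate-credential registration on AD accounts from Event ID 5136.

Each 5136 event records the writer (SubjectUserName), the target object
(ObjectDN, ObjectClass), the attribute and whether a value was added or removed.
The events below are constructed samples in the shape of those EventData fields,
not real log data.
"""
from dataclasses import dataclass

# Attributes whose addition gives a principal an alternate way to authenticate as
# the account. Selection is the author's; extend it for your environment.
WATCHED_ATTRIBUTES = {
    "msDS-KeyCredentialLink",  # "shadow credentials": key trust used for PKINIT logon
    "altSecurityIdentities",   # explicit certificate-to-account mapping
}
VALUE_ADDED = "%%14674"        # OperationType code for "Value Added"; "%%14675" is "Value Deleted"


@dataclass(frozen=True)
class Finding:
    target_dn: str
    attribute: str
    writer: str
    reason: str


def _account_name(subject_user_name):
    # Computer accounts appear as "HOST$"; normalise for comparison with the object CN.
    return subject_user_name.rstrip("$").lower()


def _object_cn(object_dn):
    return object_dn.split(",")[0].removeprefix("CN=").lower()


def detect_alternate_credential_writes(events, expected_writers=frozenset()):
    """Return a Finding for every 5136 event that adds a watched attribute value
    and is not an expected write.

    expected_writers: lower-case account names allowed to write these attributes,
    e.g. the Entra Connect sync account that propagates Windows Hello keys
    (assumption: tune to the writers you have baselined).
    Self-writes on computer objects (device key enrolment) are treated as normal.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName") not in WATCHED_ATTRIBUTES:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue  # deletions are clean-up, not persistence
        writer = _account_name(ev["SubjectUserName"])
        if writer in expected_writers:
            continue
        self_write = writer == _object_cn(ev["ObjectDN"])
        if self_write and ev.get("ObjectClass") == "computer":
            continue
        reason = ("user account registered an alternate credential on itself"
                  if self_write else
                  "alternate credential written by a different principal (ACL abuse?)")
        findings.append(Finding(ev["ObjectDN"], ev["AttributeLDAPDisplayName"],
                                ev["SubjectUserName"], reason))
    return findings


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=Administrator,CN=Users,DC=corp,DC=example",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "MSOL_1a2b3c4d", "ObjectDN": "CN=asmith,CN=Users,DC=corp,DC=example",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "WS01$", "ObjectDN": "CN=WS01,OU=Workstations,DC=corp,DC=example",
     "ObjectClass": "computer", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "helpdesk1", "ObjectDN": "CN=asmith,CN=Users,DC=corp,DC=example",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=Administrator,CN=Users,DC=corp,DC=example",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14675"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "altSecurityIdentities", "OperationType": "%%14674"},
]

if __name__ == "__main__":
    for f in detect_alternate_credential_writes(SAMPLE_EVENTS, expected_writers={"msol_1a2b3c4d"}):
        print(f"{f.writer} -> {f.target_dn} [{f.attribute}]: {f.reason}")
```

Self-writes to msDS-KeyCredentialLink on computer objects (device key enrolment) and writes by the Entra Connect sync account (Windows Hello keys propagated from the tenant) are the usual benign sources; baseline those before turning the rule on, and pair it with a review of authentication-method changes in the Entra ID audit log, which this example does not cover.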
4. Internal Reconnaissance and Credential Hunting
Once connected to the internal network, attackers begin systematic reconnaissance.
- Domain enumeration with tools such as PowerView and BloodHound reveals domain admins, high-value groups, and misconfigured access control lists.
- Credential extraction is attempted by dumping LSASS memory, by Kerberoasting (requesting service tickets for user accounts that carry an SPN and cracking the encrypted part of the ticket offline), or by abusing cached secrets such as DPAPI-protected data and saved credentials. Tools such as Mimikatz remain popular, although heavily monitored.
- Clear-text password discovery is common on SMB shares, in backup directories, and in misconfigured scripts and configuration files. These often provide a direct path to privileged accounts.
- Privilege escalation then chains directory misconfigurations: excessive read access to LAPS-managed local administrator passwords, unconstrained delegation on a server the attacker controls (which captures the TGTs of every account that authenticates to it), or replication rights on the domain that allow a DCSync to pull the password hashes of any account, including domain administrators and krbtgt.
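Kerberoasting is one of the few steps above that is cheap to detect at the domain controller, because every service ticket request is logged as Event ID 4769. The Python below is an added example, not code from the original article: it flags a requester who obtains tickets for several distinct user-account services within a short window and counts how many of those requests were downgraded to RC4 (TicketEncryptionType 0x17). The sample events, the five-minute window and the threshold of three services are constructed assumptions.

```python
"""Flag Kerberoasting from Event ID 4769 (Kerberos service ticket requested).

Kerberoasting looks like an ordinary user requesting service tickets for many
user-account SPNs in a short time, often forcing RC4 (TicketEncryptionType 0x17)
because RC4 tickets crack far faster than AES. The events below are constructed
samples carrying the 4769 fields the rule uses, not real log data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = "0x17"


def _is_roastable(service_name):
    """Only user-account services matter: computer accounts (trailing $) have long
    random passwords and krbtgt tickets are TGTs, not Kerberoast targets."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Return one alert per requester that obtained tickets for >= `threshold`
    distinct roastable services within `window`. The window and threshold are
    assumptions; baseline them against normal service-to-service traffic."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue  # failed requests (e.g. SPN not found) are a separate signal
        if not _is_roastable(ev["ServiceName"]):
            continue
        by_requester[ev["TargetUserName"]].append(ev)

    alerts = []
    for requester, evs in by_requester.items():
        evs.sort(key=lambda e: e["Time"])
        recent = deque()   # sliding window of this requester's roastable requests
        best = None
        for ev in evs:
            recent.append(ev)
            while ev["Time"] - recent[0]["Time"] > window:
                recent.popleft()
            services = sorted({e["ServiceName"] for e in recent})
            if len(services) >= threshold and (best is None or len(services) > len(best["services"])):
                best = {
                    "requester": requester,
                    "source_ip": ev["IpAddress"],
                    "services": services,
                    "rc4_requests": sum(1 for e in recent if e["TicketEncryptionType"] == RC4_HMAC),
                    "window_start": recent[0]["Time"],
                    "window_end": ev["Time"],
                }
        if best is not None:
            alerts.append(best)  # report the widest sweep seen for this requester
    return alerts


def _ev(seconds, user, service, etype, ip="10.20.30.40", status="0x0"):
    """Build a constructed 4769 record; `seconds` offsets a fixed base time."""
    return {"EventID": 4769, "Time": datetime(2024, 5, 1, 9, 0, seconds), "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed sample: jdoe sweeps four service accounts with RC4 in 30 seconds;
# bob makes one normal AES request; the FS01$ and krbtgt tickets are ignored.
SAMPLE_EVENTS = [
    _ev(0, "jdoe@CORP.EXAMPLE", "svc_sql", RC4_HMAC),
    _ev(3, "jdoe@CORP.EXAMPLE", "FS01$", "0x12"),
    _ev(10, "jdoe@CORP.EXAMPLE", "svc_web", RC4_HMAC),
    _ev(20, "jdoe@CORP.EXAMPLE", "svc_backup", RC4_HMAC),
    _ev(30, "jdoe@CORP.EXAMPLE", "svc_report", RC4_HMAC),
    _ev(12, "bob@CORP.EXAMPLE", "svc_sql", "0x12", ip="10.20.30.41"),
    _ev(15, "bob@CORP.EXAMPLE", "krbtgt", "0x12", ip="10.20.30.41"),
]

if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"{a['requester']} from {a['source_ip']}: {len(a['services'])} services, "
              f"{a['rc4_requests']} RC4 requests between {a['window_start']:%H:%M:%S} and {a['window_end']:%H:%M:%S}")
```

Keying on RC4 alone misses tooling that requests AES tickets and accepts slower cracking, which is why the rule triggers on the number of distinct services and reports the RC4 count as supporting evidence; monitoring or service accounts that legitimately touch many SPNs need an allowlist before the rule goes live.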
5. Final Objectives: Ransomware, Data Theft, and BEC
The end goals of an attacker are almost always financial or strategic.
- Ransomware operators encrypt critical systems and exfiltrate data to pressure organizations into paying ransom demands.
- Intellectual property theft allows competitors or nation-state actors to gain access to source code, designs, and research.
- Business Email Compromise (BEC) is increasingly common, where attackers send fraudulent emails from legitimate corporate accounts instructing suppliers or clients to transfer payments to attacker-controlled bank accounts.
6. Defensive Lessons and Controls
Red team exercises are valuable not because they compromise systems, but because they highlight where defenses can be improved. The following measures are essential:
- Implement phishing-resistant MFA, meaning FIDO2/WebAuthn security keys or certificate-based authentication, for all privileged accounts. One-time codes and push approvals can be relayed or coerced and do not qualify.
- Treat identity synchronization servers such as Entra Connect as Tier 0 assets: harden them like domain controllers, restrict who can log on to them, and monitor their sync accounts for use from anywhere other than the server itself.
- Restrict permissions on sensitive Active Directory attributes and enforce strict ACL hygiene.
- Continuously scan for clear-text credentials in file shares, scripts, and backups.
- Implement strict financial controls such as call-back verification and dual authorization for any change in supplier bank details.
- Detect advanced attack paths by monitoring for Kerberoasting (bursts of service-ticket requests, especially RC4-encrypted ones, from a single user), ticket forging, and writes to authentication-related attributes such as msDS-KeyCredentialLink and altSecurityIdentities.
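Scanning shares for clear-text credentials (the control above, and the attacker's own step in section 4) is straightforward to automate. The Python below is an added example, not code from the original article: it walks a directory tree, applies a small set of patterns for assignments, connection strings and sysprep AutoLogon blocks, skips templated references such as ${DB_PASSWORD}, and redacts the value in each finding. The sample files it scans are constructed in a temporary directory, and the pattern list is the author's starting point rather than an exhaustive one.

```python
"""Scan a file tree for clear-text credentials of the kind found on SMB shares.

Added example; patterns and sample files are the author's and constructed,
not from any real environment. Secrets are redacted in the output so findings
can be pasted into a ticket without re-leaking them.
"""
import re
import tempfile
from pathlib import Path

MAX_FILE_BYTES = 5 * 1024 * 1024  # skip large archives/backups; handle those separately

# Named group "v" is the candidate secret value.
PATTERNS = [
    # password = "x", pwd:x, Password=x; inside connection strings, api_key: x, ...
    ("assignment", re.compile(
        r'(?i)\b(?:password|passwd|pwd|secret|api[_-]?key)[ \t]*[=:][ \t]*["\']?(?P<v>[^"\'\s;]{4,})')),
    # sysprep/unattend.xml AutoLogon block (the value is often only base64-encoded)
    ("unattend_autologon", re.compile(r'(?i)<Password>\s*<Value>(?P<v>[^<]+)</Value>')),
]


def _is_templated(value):
    """$VAR, %VAR%, ${VAR}, {{ var }}: a reference to a variable or secret store, not a literal."""
    return value[0] in "$%{"


def _redact(value):
    return value[:2] + "***"


def scan_tree(root):
    """Return findings as dicts {path, line, kind, evidence}, ordered by path."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > MAX_FILE_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(text):
                value = m.group("v")
                if _is_templated(value):
                    continue
                findings.append({
                    "path": path.relative_to(root).as_posix(),
                    "line": text.count("\n", 0, m.start()) + 1,
                    "kind": kind,
                    "evidence": _redact(value),
                })
    return findings


# Constructed sample share contents (not real credentials; the unattend value is a placeholder).
SAMPLE_FILES = {
    "scripts/backup.ps1": (
        "# Nightly backup job\n"
        '$server = "fs01"\n'
        '$password = "Summer2024!"\n'
        "net use \\\\$server\\backup /user:corp\\svc_backup $password\n"
    ),
    "web/web.config": (
        "<configuration>\n  <connectionStrings>\n"
        '    <add name="app" connectionString="Server=sql01;Database=app;User Id=app;Password=Sup3rS3cret;" />\n'
        "  </connectionStrings>\n</configuration>\n"
    ),
    "sysprep/unattend.xml": (
        "<unattend>\n  <AutoLogon>\n    <Password>\n"
        "      <Value>UABhAHMAcwB3AG8AcgBkADEA</Value>\n"
        "      <PlainText>false</PlainText>\n    </Password>\n  </AutoLogon>\n</unattend>\n"
    ),
    "deploy/deploy.yml": "db:\n  user: app\n  password: ${DB_PASSWORD}\n",
    "notes.txt": "helpdesk shared account\npassword: hunter22\n",
    "README.txt": "Reset your password via the self-service portal.\n",
}


def scan_sample_share():
    """Write the constructed files to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in scan_sample_share():
        print(f"{f['path']}:{f['line']} {f['kind']} {f['evidence']}")
```

A mounted SMB share can be passed to scan_tree directly. Extend PATTERNS for the formats your environment actually uses (RDP files, Group Policy Preference XML, build-server job definitions), and keep the redaction in place so findings can move into a ticket or report without re-leaking the secret.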
Conclusion
Red Teaming is more than simply breaking into systems. It is about simulating real-world attacker behaviour to help organizations validate detection capabilities, strengthen processes, and ensure that business operations are resilient in the face of evolving threats.
By understanding the attacker playbook, organizations can better anticipate, detect, and defend against the tactics used not only in red team exercises, but also in genuine attacks.