Sherlocked Security – Full-Scope Red Team Exercises
Simulate Real-World Cyber Attacks to Test Your Organization’s Security Resilience
1. Statement of Work (SOW)
Service Name: Full-Scope Red Team Exercises
Client Type: Large Enterprises, Financial Institutions, Government Agencies
Service Model: End-to-End Adversary Simulation
Compliance Coverage: NIST 800-53, ISO 27001, SOC 2, PCI-DSS, GDPR
Testing Types:
- Adversary Simulation
- Penetration Testing
- Social Engineering
- Physical Security Testing
2. Our Approach
[Reconnaissance] → [Initial Exploitation] → [Lateral Movement] → [Persistence] → [Data Exfiltration] → [Risk Mapping] → [Reporting & Walkthrough] → [Retesting & Certification]
3. Methodology
[Initial Recon] → [Vulnerability Scanning] → [Social Engineering] → [Physical Security Testing] → [Exploitation & Lateral Movement] → [Post-Exploitation] → [Data Exfiltration Simulation] → [Final Report & Walkthrough]
4. Deliverables to the Client
- Full-Scope Red Team Exercise Report
- Statement of Work (SOW)
- Methodology Document
- Technical Report including:
- Attack Path Overview
- Exploited Vulnerabilities
- Risk Assessment & Impact Analysis
- Exfiltrated Data (if applicable)
- Exploit Attempts & Outcomes
- Remediation Recommendations
- Risk Visualizations & Attack Path Diagrams
- Live Report Walkthrough (Optional Call)
- Revalidation & Retesting
- Final Security Certificate (Post-Fix)
5. What We Need from You (Client Requirements)
- Access to target environment (production/staging)
- Points of contact for key stakeholders
- Information on existing security measures
- Whitelisting of IPs or tools if required
- NDA and scope approval prior to kickoff
6. Tools & Technology Stack
- Cobalt Strike / Brute Ratel
- Metasploit Framework
- BloodHound / SharpHound
- Mimikatz / Rubeus / Seatbelt
- Impacket Suite
- GoPhish / Evilginx
- HID Proxmark / RFID Tools
- Custom Tools / Scripts
7. Engagement Lifecycle
1. Discovery Call → 2. Scope Finalization → 3. Proposal + NDA + SOW → 4. Kickoff → 5. Testing Phase (4–6 weeks typical) → 6. Draft Report → 7. Review Call → 8. Final Report Delivery → 9. Revalidation & Certification
8. Why Sherlocked Security?
Feature | Sherlocked Advantage |
---|---|
Realistic Threat Simulation | APT-style, stealthy, end-to-end attack paths |
Custom Campaign Design | Tailored to client infra, industry, and threat |
Full-Spectrum Tactics | Physical, technical, human, and insider threats |
Risk-Focused Reporting | Maps to impact, likelihood, business risk |
Executive + Technical Outputs | For both CXOs and technical security teams |
Revalidation Support | One round of retest included |
9. Real-World Case Studies
Insider Threat: Finance Department Access Abuse
Issue: An internal employee used shared credentials to exfiltrate sensitive data undetected.
Impact: Confidential spreadsheets and payroll data leaked to external actors.
Our Role: Simulated insider abuse scenario, delivered endpoint detection improvement plan.
Outcome: SOC implemented behavioral alerts and access rotation policy.
Physical Breach: Data Center Access Test
Client: Telecom Infrastructure Provider
Findings: Badge cloning and piggybacking allowed physical access to core server racks.
Outcome: Physical access controls updated, 2FA introduced for entry points.
10. SOP – Standard Operating Procedure
- Discovery & Planning
- Reconnaissance (Passive & Active)
- Exploitation (Initial Access)
- Internal Compromise & Lateral Movement
- Data Targeting & Extraction Simulation
- Physical Breach Attempts (if in scope)
- Detection & Response Testing
- Draft Report Delivery
- Client Feedback
- Final Report + Fix Validation
- Closure & Certificate Issuance
11. Red Team Checklist
1. Reconnaissance
- Passive domain and subdomain enumeration
- Open-source intelligence (OSINT) on employees
- Identify external attack surface (DNS, IPs, ports)
- Gather tech stack & software fingerprinting
- LinkedIn employee scraping
- Pastebin/code repo/email leak search
- WHOIS and certificate transparency lookups
- Email address pattern enumeration
- Shadow IT discovery (forgotten assets)
- Internet-exposed dev/test environments
2. Initial Access
- Spear phishing with malicious attachments
- Spear phishing via credential harvesting pages
- Weaponized documents (Excel, Word macros)
- Drive-by download via browser exploit
- USB drop (malicious HID or storage devices)
- Watering hole attack simulation
- Exploiting public-facing application CVEs
- VPN/RDP brute-force or credential stuffing
- Rogue wireless AP setup
- Compromised supply chain vector (optional scope)
3. Execution
- PowerShell and script-based execution
- Windows Management Instrumentation (WMI)
- Command line and scripting language abuse
- DLL side-loading
- Scheduled task execution
- HTA-based payload execution
- LOLBins abuse (mshta, regsvr32, etc.)
- Macro-based execution in Office documents
4. Persistence
- Registry Run/RunOnce keys
- Scheduled task creation
- Service creation/modification
- Startup folder shortcut insertion
- Application shimming
- Logon script modification
- WMI Event Subscriptions
- COM hijacking
- Web shell backdoors
- Golden/Silver ticket persistence (Kerberos)
5. Privilege Escalation
- Exploiting vulnerable services (unquoted paths, weak permissions)
- DLL hijacking for privilege elevation
- Bypass UAC techniques
- Token impersonation
- Kerberoasting / AS-REP roasting
- CVE-based escalation (e.g., CVE-2021-1732)
- Named pipe impersonation
- User account misconfiguration abuse
6. Defense Evasion
- Obfuscated PowerShell scripts
- Fileless payload delivery
- Encoded commands (Base64, Hex)
- Masquerading (renaming binaries to trusted names)
- Clearing security logs (event log wiping)
- Disabling security tools (AV, EDR)
- Process injection and hollowing
- Unhooking security APIs
- Avoiding command history/logging
- Packaged tools with custom signatures
7. Credential Access
- Dumping LSASS memory
- Extracting SAM & SYSTEM hives
- Credential extraction via Mimikatz/Rubeus
- Dumping browser-stored credentials
- Scraping config files for API keys/secrets
- Keylogger installation
- Credential phishing using fake login portals
- NTLM hash relay or capture (Responder/Impacket)
8. Lateral Movement
- Pass-the-Hash/Pass-the-Ticket
- Remote execution via PsExec
- WMI and WinRM-based lateral moves
- RDP pivoting
- Admin share access (C$, ADMIN$)
- SSH pivot using stolen keys
- Token impersonation for access escalation
- Golden ticket or DCSync techniques
- Pivot through jump servers or proxies
9. Command & Control (C2)
- HTTP(S)-based C2 (Cobalt Strike, Brute Ratel, etc.)
- DNS tunneling for beacon traffic
- Custom C2 channels using legitimate platforms (Slack, Dropbox)
- Domain fronting with CDN abuse
- Jitter and sleep configuration testing
- Encrypted channel validation
- Reconnect-on-failure behavior
- In-memory only beacons
- Use of callback domains resembling legitimate infrastructure
- Application-layer protocol abuse (WebSocket, SMTP)
10. Discovery
- Domain trust and forest enumeration
- Active Directory users, groups, and computers
- Privileged group membership mapping
- Local admin discovery on hosts
- Network topology mapping
- Firewall and ACL reconnaissance
- Cloud account/service discovery
- Identify backup servers or management planes
- Asset naming convention analysis
11. Data Collection & Exfiltration
- Locate business-critical data (PII, PCI, IP)
- Screenshot capture of sensitive interfaces
- Clipboard data theft
- Outlook PST archive exfiltration
- Credential vault theft (e.g., KeePass, LastPass)
- Compress data archives for transfer
- Exfiltration via HTTP(S), DNS, email, or removable storage
- Simulate data staging on intermediate host
- Monitor outbound DLP triggers (if in scope)
12. Insider Threat Simulation
- Use of valid user credentials for internal access
- Access escalation via internal misconfigurations
- Circumvent data access controls
- Modify internal documents or records
- Abuse of roles with excessive privileges
- HR/Finance/Sales data access testing
- Email spoofing or internal phishing
- Simulate rogue contractor or disgruntled employee behavior
13. Physical Security (if in scope)
- Tailgating employees into office premises
- Badge cloning or bypassing physical access controls
- Dropping USBs in high-traffic zones
- Unlocking unattended terminals
- Compromise via exposed Ethernet ports
- Accessing unsecured network closets or data centers
- Dumping credentials from unlocked machines
- Connecting rogue WiFi APs or LAN taps
14. Social Engineering
- Phishing (email, SMS, voicemail pretexting)
- Credential harvesting via cloned login portals
- Impersonation calls to helpdesk or IT
- Physical drop tests (USBs, documents)
- Fake IT staff interaction to gain access
- Watering hole targeting via known browsing behavior
- Slack/Teams-based social exploits
- Email spoofing of executives or vendors
15. Detection & Response Evaluation
- Time to detect initial compromise
- Alert accuracy and false positive/negative rates
- Correlation rule effectiveness
- SIEM visibility into attack chains
- SOC response workflow (investigate, escalate, contain)
- Use of threat intelligence to enrich alerts
- Endpoint telemetry visibility (process, command line, memory)
- Response timeline construction accuracy
- Cross-team communication efficiency
16. Reporting & Remediation
- Document full attack paths
- Map each tactic to MITRE ATT&CK
- Highlight detection gaps and missed alerts
- Business risk aligned with each finding
- Visual diagrams of lateral movement and privilege escalation
- Recommendations with technical and strategic fix plans
- Metrics: time-to-compromise, time-to-detect, time-to-contain
- Track residual access/persistence vectors
- Final retest of patched vulnerabilities
- Summary for technical, management, and board-level audiences
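The detection-evaluation and reporting metrics above (time-to-compromise, time-to-detect, time-to-contain, and detection gaps per MITRE ATT&CK tactic) can be derived from the engagement timeline. The following is an added illustration, not Sherlocked Security's tooling: it takes a constructed log of red-team actions and the SOC alerts attributed to them and computes the metrics the report would carry; the `Action`/`Alert` structures and sample timestamps are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Action:
    ts: datetime
    tactic: str     # MITRE ATT&CK tactic name
    technique: str  # ATT&CK technique id the action maps to
    note: str

@dataclass
class Alert:
    ts: datetime
    technique: str  # technique id the SOC attributed the alert to

# Constructed sample engagement timeline (not real data).
ACTIONS = [
    Action(datetime(2024, 3, 4, 9, 0),   "Reconnaissance",    "T1595", "external surface enumeration"),
    Action(datetime(2024, 3, 5, 10, 30), "Initial Access",    "T1566", "phishing lure opened"),
    Action(datetime(2024, 3, 5, 10, 45), "Execution",         "T1059", "scripted stager ran"),
    Action(datetime(2024, 3, 6, 14, 0),  "Credential Access", "T1003", "credential dump on workstation"),
    Action(datetime(2024, 3, 7, 11, 0),  "Lateral Movement",  "T1021", "remote service to file server"),
    Action(datetime(2024, 3, 7, 16, 0),  "Exfiltration",      "T1041", "staged archive sent over C2"),
]
ALERTS = [Alert(datetime(2024, 3, 6, 14, 20), "T1003"),
          Alert(datetime(2024, 3, 7, 11, 5), "T1021")]
CONTAINED_AT = datetime(2024, 3, 7, 18, 0)  # SOC containment action (constructed)

def engagement_metrics(actions, alerts, contained_at):
    """Compute the report metrics from actions, alerts and containment time."""
    start = min(a.ts for a in actions)
    compromise = min(a.ts for a in actions if a.tactic == "Initial Access")
    first_alert = min(al.ts for al in alerts) if alerts else None
    detected = {al.technique for al in alerts}
    # A tactic counts as covered if any technique used under it raised an alert.
    coverage = {}
    for a in actions:
        coverage[a.tactic] = coverage.get(a.tactic, False) or a.technique in detected
    return {
        "time_to_compromise": compromise - start,
        "time_to_detect": (first_alert - compromise) if first_alert else None,
        "time_to_contain": (contained_at - first_alert) if first_alert else None,
        "detection_gaps": [(a.tactic, a.technique) for a in actions if a.technique not in detected],
        "tactic_coverage": coverage,
        # Actions the adversary completed after the SOC already had an alert.
        "actions_after_first_alert": sum(1 for a in actions if first_alert and a.ts > first_alert),
    }

if __name__ == "__main__":
    for k, v in engagement_metrics(ACTIONS, ALERTS, CONTAINED_AT).items():
        print(f"{k}: {v}")
```

In the sample, exfiltration completes before containment even though an alert fired a day earlier, which is exactly the kind of gap the Detection & Response Evaluation is meant to surface.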