Red team shovels snow, drops a Raspberry Pi, wins domain admin in two weeks
Physical access plus an oddly exposed port let attackers map Active Directory and escalate through certificate services.

Kristopher Johnson, an offensive security consultant at Echelon Risk + Cyber, and teammate Michael used a maintenance door left open to gain access during a winter client test. By hiding a Raspberry Pi in a conference room, they stayed connected for two weeks, mapped Active Directory, exploited ADCS weaknesses, and achieved domain administrative access.
Welcome back to PWNED, where we document security failures that start in the real world, not in malware labs. This week’s story is a reminder that “defense in depth” cannot ignore the front door. In a winter security test at a client’s office, red teamers Kristopher Johnson (an offensive security consultant at Echelon Risk + Cyber in 2023) and Michael walked in through a maintenance door left open and eventually used a Raspberry Pi they plugged into an Ethernet port to break deeper into the network.
The jaw-dropper is the timeline and the outcome: the Raspberry Pi remained plugged in for two weeks, long enough for Johnson’s team to connect to the company’s Active Directory, locate domain controllers, run password spraying, enumerate certificate services, then exploit certificate weaknesses to gain domain administrative access. They weren’t cyber criminals in hoodies. They were professional red teamers. But the network did not care.
Here’s how the physical layer turned into an access layer. Johnson and Michael were called in to challenge security at a client’s office, with Dahvid Schloss supervising remotely. A maintenance crew door was open for winter maintenance, so they walked through it. A woman confronted them in the mail room and asked what they were doing there. The two testers talked to the maintenance crew, said they were new IT employees without working badges, and asked for access. When Michael offered to help shovel snow because they had almost slipped on ice, the maintenance crew accepted the help. While Michael’s shoveling made the interaction feel normal, Johnson asked the maintenance crew to let him in upstairs to set up Michael’s laptop.
That is the exploit chain in human form. Once inside, Johnson explored for a spot to connect his Raspberry Pi. He first tried to plug into an Ethernet port in the AV closet, but network access control prevented the Pi from connecting. The Pi had an LTE radio too, but it could not connect from the closet either. So Johnson moved the device into the middle of the conference room and found an active network port that did not have network access control enabled. He also realized the obvious downside: a Pi in the open could be discovered by anyone who came into the conference room. To reduce that risk, he used trash cans to hide it. Leaving was governed by the same physical dynamics: the testers could not get out through the front door, so they exited through the maintenance entrance, where the crew swiped them out.
It took some detective work to catch them, but the breach opportunity was already real. The next day, Johnson learned the security breach had been detected. When the red teamers came in to meet with their contact, the head of security confronted them. The testers had been “caught” because someone from maintenance went up to the IT department to thank the IT team for Michael’s shoveling help. But the IT team had no record of new employees named Michael or Kristopher, which raised suspicion. Security personnel also looked at camera footage tracking their movements and tried to get information on the license plate from Johnson’s rental car. Despite all that, they never found the Raspberry Pi during the two-week window.
Meanwhile, Johnson’s team used that persistent foothold to do the work that matters. During the test, they connected to the company’s Active Directory, identified where the domain controllers were, and started password spraying. They tried the password “winter2023!” and got 50 or 60 hits among employees. They then used those credentials to map the rest of the network, including network shares. Toward the end, they enumerated certificate services, specifically ADCS (Active Directory Certificate Services). They found eight templates open to ESC1 and ESC4 (ESC1: a template that lets a low-privileged enrollee supply an arbitrary subject name in a certificate usable for authentication; ESC4: a template whose access control lets low-privileged principals rewrite it into that state), and the certificate authority vulnerable to ESC8 (an HTTP web-enrollment endpoint that accepts NTLM, so relayed authentication from another host can be turned into a certificate). A certificate issued for an arbitrary principal through any of these paths authenticates to the domain as that principal, which is why these template misconfigurations are a direct route to privilege. With those issues, they exploited the weaknesses to gain domain administrative access.
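To make “open to ESC1” concrete, here is an added audit routine, written for this page and not taken from the Echelon team’s tooling. It evaluates the five ESC1 conditions against dicts shaped like the LDAP attributes of a pKICertificateTemplate object (flag names, bit values and EKU OIDs are the documented Microsoft ones; the domain SID, template names and enrollment ACEs below are constructed for the illustration):

```python
"""Flag ADCS certificate templates that satisfy every ESC1 condition.

Added illustration, not the red team's own code. Input is a list of dicts
shaped like the LDAP attributes of a pKICertificateTemplate object plus an
"enroll_sids" list of principals holding the Enroll right; the sample
templates and domain SID are constructed for this example.
"""

# Bit in msPKI-Certificate-Name-Flag: requester supplies the subject / SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: a CA manager must approve every request.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let the issued certificate authenticate a principal.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

# Well-known low-privilege principals; an Enroll ACE for any of these
# means essentially every domain account can request the template.
LOW_PRIV_SIDS = {
    "S-1-1-0",       # Everyone
    "S-1-5-11",      # Authenticated Users
    "S-1-5-32-545",  # BUILTIN\Users
}


def enables_auth(ekus):
    # An empty EKU list means the certificate is valid for any purpose.
    return not ekus or bool(AUTH_EKUS & set(ekus))


def low_priv_can_enroll(enroll_sids, domain_sid):
    # Domain Users and Domain Computers are domain-relative RIDs 513 / 515.
    broad = LOW_PRIV_SIDS | {f"{domain_sid}-513", f"{domain_sid}-515"}
    return any(sid in broad for sid in enroll_sids)


def esc1_findings(template, domain_sid):
    """Return the ESC1 conditions this template meets (all five = ESC1)."""
    hits = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        hits.append("enrollee supplies subject")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        hits.append("no manager approval")
    if template.get("msPKI-RA-Signature", 0) == 0:
        hits.append("no authorized signatures required")
    if enables_auth(template.get("pKIExtendedKeyUsage", [])):
        hits.append("authentication EKU")
    if low_priv_can_enroll(template["enroll_sids"], domain_sid):
        hits.append("low-privilege enrollment rights")
    return hits


def is_esc1(template, domain_sid):
    return len(esc1_findings(template, domain_sid)) == 5


def audit(templates, domain_sid):
    """Map template name -> True when the template is ESC1-vulnerable."""
    return {t["name"]: is_esc1(t, domain_sid) for t in templates}


DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed, not a real domain

# Constructed sample: one misconfigured template beside two safe ones.
SAMPLE_TEMPLATES = [
    {   # Vulnerable: any user can enroll, name any UPN, and authenticate.
        "name": "VPN-Users",
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": [f"{DOMAIN_SID}-513"],
    },
    {   # Safe: same flags, but every request waits for manager approval.
        "name": "Approved-Auth",
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x2,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": [f"{DOMAIN_SID}-513"],
    },
    {   # Safe: the subject is built from AD, not supplied by the requester.
        "name": "Workstation",
        "msPKI-Certificate-Name-Flag": 0x0,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": [f"{DOMAIN_SID}-515"],
    },
]

if __name__ == "__main__":
    for name, vulnerable in audit(SAMPLE_TEMPLATES, DOMAIN_SID).items():
        print(f"{name:16} {'ESC1' if vulnerable else 'ok'}")
```

The important design point is that ESC1 is a conjunction: removing any one condition (requiring manager approval, dropping the enrollee-supplied-subject flag, or pulling Enroll from Domain Users) closes the path, which is why the checker reports the individual conditions as well as the verdict. In a real audit the dicts come from an LDAP query of the Public Key Services container; the field names here match those attributes so the function can be pointed at live data.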
This is the part that should make boards and CISOs sit a little straighter. Password spraying works in practice when a meaningful share of real accounts use a weak, predictable password and the environment lets an attacker try one password against many accounts without lockout or alerting; the story shows a single seasonal password landing dozens of hits. It also shows how certificate services can become the escalation bridge once attackers can enumerate and exploit ADCS misconfigurations and vulnerabilities. Even if you assume your perimeter is locked down, the combination of (1) physical access that allows bringing in a network device and (2) at least one network port without network access control is enough to turn a test of “where people can walk” into a test of “where attackers can log in.”
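The spray pattern is also easy to spot if anyone is looking: one source touching many accounts with one or two attempts each, instead of one account failing repeatedly. Here is an added detection routine, written for this page rather than taken from the engagement, run over constructed log lines in a simplified “timestamp source account result” format (real deployments would parse Windows 4625/4771 events; the window and thresholds are assumptions to tune per environment):

```python
"""Detect password-spray behaviour in authentication logs.

Added example, not the page's or the red team's code. SAMPLE_LOG is
constructed: one host spraying eight accounts in a few seconds (with two
successes, the kind of "hits" the story describes) beside one user
retrying their own password, which must not trip the detector.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2023-01-17T09:00:01 10.20.30.40 alice   FAIL
2023-01-17T09:00:02 10.20.30.40 bob     FAIL
2023-01-17T09:00:03 10.20.30.40 carol   SUCCESS
2023-01-17T09:00:04 10.20.30.40 dave    FAIL
2023-01-17T09:00:05 10.20.30.40 erin    FAIL
2023-01-17T09:00:06 10.20.30.40 frank   SUCCESS
2023-01-17T09:00:07 10.20.30.40 grace   FAIL
2023-01-17T09:00:08 10.20.30.40 heidi   FAIL
2023-01-17T09:05:00 10.20.30.99 ivan    FAIL
2023-01-17T09:05:03 10.20.30.99 ivan    FAIL
2023-01-17T09:05:09 10.20.30.99 ivan    SUCCESS
"""


def parse(lines):
    """Turn the simplified log into (timestamp, source, account, result) tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, acct, result = line.split()
        events.append((datetime.fromisoformat(ts), src, acct, result))
    return events


def spray_sources(events, window=timedelta(minutes=10),
                  min_accounts=5, max_per_account=2):
    """Return {source: sorted accounts touched} for sources that look like sprays.

    A spray is many distinct accounts from one source inside the window with
    only a few attempts per account. A single user hammering their own login
    has one account and many attempts, so it does not match.
    """
    by_src = defaultdict(list)
    for ts, src, acct, _result in events:
        by_src[src].append((ts, acct))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            # Sliding window anchored at each attempt in turn.
            in_window = [a for t, a in attempts[i:] if t - start <= window]
            per_account = defaultdict(int)
            for acct in in_window:
                per_account[acct] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                flagged[src] = sorted(per_account)
                break
    return flagged


def sprayed_successes(events, flagged):
    """Accounts that authenticated successfully from a spraying source.

    These are the credentials the attacker now holds and the first to reset.
    """
    return sorted({a for _, s, a, r in events if s in flagged and r == "SUCCESS"})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    hits = spray_sources(evts)
    for src, accounts in hits.items():
        print(f"{src}: {len(accounts)} accounts in window")
    print("compromised:", sprayed_successes(evts, hits))
```

Keying on the source rather than the account is what separates this from the usual lockout-style alerting: a spray stays under per-account lockout thresholds by design, so a per-account rule never fires, while the per-source view sees eight accounts in seven seconds. The same grouping works on a domain controller’s 4771 (Kerberos pre-authentication failed) events, where the client address field plays the role of the source column here.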
And the human factor is spelled out by Schloss: if someone looks and acts like they belong in a space, most people will treat them that way. He described it as “the ski mask bias,” a contrast to the Hollywood idea that crime looks only like visible danger. In this case, the maintenance crew treated “new IT employees without badges” as credible because the testers performed a friendly, role-consistent task, shoveling snow, and asked for access in a way that did not trigger the right alarms. The second-order implication is that training alone is not enough unless it changes what teams do when they see “I’m new here, no badge, can you swipe me?” The maintenance entrance, the unprotected conference room port, the password policy, and the absence of multi-factor authentication all show up as concrete weaknesses, not abstract wishes.
There’s no single regulator here, but the control failures map neatly to what many compliance frameworks and internal governance teams expect: limit physical-to-network pathways, segment networks, harden identity, and ensure MFA is on for accounts that can be abused. The most strategic lesson for executives is that red team outcomes like this are not “gotcha stories.” They are operational risk signals. If your organization can be walked into in winter and a Raspberry Pi can stay connected for two weeks on an unguarded port, then your incident response might be preparing for the wrong kind of first alert. The first incident starts at the maintenance door, and by the time the SOC notices, domain admin access may already be on the table.