1. A penetration tester sends a carefully crafted phishing email to five employees. One employee clicks the link, a payload is executed, and the tester receives a reverse shell from the employee's workstation. This is the first access the tester has gained to any internal system in the engagement.
2. From a compromised workstation, the tester uses Mimikatz to extract password hashes from memory, then uses those hashes to authenticate to the HR server, the finance file server, and ultimately the domain controller — none of which required additional exploitation because the captured credentials were valid across all systems.
3. After compromising the domain controller, the tester creates a hidden administrator account, installs a scheduled task that runs a callback script every 30 minutes, and verifies that the default password on a service account has never been changed. All three mechanisms continue to provide access one week after the engagement's active phase ends.
4. The tester has compromised a workstation in the corporate network. The workstation cannot directly reach the manufacturing control network — a separate VLAN with firewall rules preventing direct access. However, the workstation has an authorized connection to a SCADA management server that bridges both VLANs. The tester routes their attack traffic through this management server to reach control systems that were architecturally designed to be unreachable from the corporate network.