Automated Playbooks: Chaining Attack Modes for Unattended Engagements
TL;DR
Automated playbooks let the Phantom execute chained attack sequences -- recon, credential harvesting, wireless attacks, and exfiltration -- unattended for days. Define mode schedules and time windows before deployment, and the device runs the entire engagement autonomously while you monitor results from the dashboard.
The traditional drop box workflow has a fundamental problem: it requires an operator. You plant the device, establish a reverse tunnel, and then you -- a human being with a day job, a sleep schedule, and other engagements -- are responsible for manually starting and stopping attack modes, deciding when to pivot, and remembering to exfiltrate data before the device is discovered or the battery dies. Decisions made at 2 AM while half-asleep are bad decisions. SSH sessions that drop at 3 AM because your home ISP rebooted mean the device sits idle until you wake up and reconnect.
Automated playbooks remove the operator from the execution loop entirely. You define the attack sequence, the time windows, and the exfiltration schedule before deployment. The Phantom executes the playbook unattended, and you monitor results from the dashboard. The device does not need you to be online, awake, or even in the same country.
What Is a Playbook?
A playbook is a chained sequence of attack modes with time windows, transition conditions, and exfiltration schedules. Each step defines which mode to run, when to start it, when to stop it, and what to do with captured data. Steps can run sequentially, overlap, or be scheduled independently on recurring windows.
A playbook is not a script. It is a declarative configuration that the Phantom's scheduler interprets and executes. You define what should happen and when; the device handles the mechanics of starting processes, managing radio interfaces, coordinating between modes that share hardware resources, and recovering from errors.
What Does a Full Engagement Playbook Look Like?
Consider a five-day physical engagement against a corporate office. You deploy the Phantom on Monday morning. Here is a realistic playbook:
- Phase 1 -- Reconnaissance (Monday 09:00 - Monday 09:30): Scope mode runs for 30 minutes immediately after activation. Passive capture on all interfaces to map the network environment, identify VLANs, enumerate hosts, and catalog WiFi SSIDs. No packets transmitted. Results exfiltrated at the end of the phase.
- Phase 2 -- Credential Harvesting (Monday 09:30 - Friday 18:00, business hours only): Venom mode runs 08:00-18:00 Monday through Friday. Responder, LLMNR/NBT-NS poisoning, NTLM relay, and mitm6 run during hours when employee workstations are active and generating name resolution traffic. The mode deactivates automatically outside business hours to avoid generating anomalous off-hours traffic.
- Phase 3 -- Wireless Attacks (daily lunch and end-of-day windows): Siren mode runs 11:30-13:30 and 16:30-18:30 daily. Evil twin APs clone the corporate SSID during periods when employees are most likely to be on personal devices or reconnecting after leaving the building. Captive portal credential capture and WPA handshake collection run in parallel.
- Phase 4 -- Exfiltration (hourly): Every 60 minutes, the Phantom packages all newly captured loot -- NTLMv2 hashes, cleartext credentials, PCAP segments, handshake files -- encrypts the bundle, and pushes it to the dashboard via the 4G relay. The operator sees results arrive throughout the day without any manual action.
This entire sequence runs unattended for five days. The operator checks the dashboard periodically to review captured data and can adjust the playbook remotely if needed, but the device does not require active management.
How Do Per-Mode Time Windows Work?
Each mode in a playbook has independent scheduling. Time windows are defined as recurring intervals with day-of-week and hour-of-day granularity. Some practical patterns:
- Venom 08:00-18:00 weekdays: Credential harvesting only during business hours. LLMNR/NBT-NS poisoning blends with normal name resolution traffic. Running it at midnight on Saturday would be trivially detectable.
- Siren 12:00-13:00 and 17:00-19:00 daily: Evil twin attacks during lunch and end-of-day when employees disconnect from corporate WiFi and reconnect, or use personal devices. Captive portal capture is most effective when people are in a hurry and not scrutinizing WiFi prompts.
- Scope 24/7: Passive reconnaissance generates no traffic, so it can run continuously without risk of detection. Ongoing passive capture also picks up off-hours traffic patterns that reveal infrastructure details -- backup jobs, automated scans, server-to-server communication that is hidden during the noise of business hours.
- Fang 08:00-20:00 daily: Bluetooth and BLE attacks run during extended business hours when employee phones, badges, and IoT devices are present and active.
The scheduler handles mode conflicts automatically. Siren and Scope both use WiFi radios, so the scheduler coordinates interface access. If two modes are scheduled to overlap and they require exclusive access to the same hardware, the scheduler resolves the conflict based on mode priority defined in the playbook.
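To make the window and conflict rules concrete, here is an added illustration of a scheduler evaluating the post's example playbook. It is not the Phantom's code or its configuration format: the dictionary layout, the hardware sets each mode claims, and the priority values are assumptions. The same evaluation is what a reviewer uses afterwards to reconstruct when each mode was live when correlating findings against the target's own logs.

```python
from datetime import datetime

WEEKDAYS = {0, 1, 2, 3, 4}   # Monday-Friday
ALL_DAYS = set(range(7))

# Constructed playbook mirroring the windows quoted in the post. Keys, the
# "hw" sets (interfaces a mode needs exclusively) and "priority" values are
# assumptions for this illustration, not the product's real schema.
PLAYBOOK = {
    "scope": {"days": ALL_DAYS, "windows": [(0, 24)],
              "hw": {"wifi"}, "priority": 1},
    "venom": {"days": WEEKDAYS, "windows": [(8, 18)],
              "hw": {"eth"}, "priority": 2},
    "fang":  {"days": ALL_DAYS, "windows": [(8, 20)],
              "hw": {"bt"}, "priority": 2},
    "siren": {"days": ALL_DAYS, "windows": [(11.5, 13.5), (16.5, 18.5)],
              "hw": {"wifi"}, "priority": 3},
}


def in_window(mode, when):
    """True if `when` falls inside one of the mode's recurring windows.

    Windows are day-of-week plus fractional hour-of-day, end exclusive,
    so 13:30 is the first minute *outside* an 11:30-13:30 window."""
    if when.weekday() not in mode["days"]:
        return False
    hour = when.hour + when.minute / 60
    return any(start <= hour < end for start, end in mode["windows"])


def active_modes(playbook, when):
    """Resolve which modes actually run at `when`.

    Every scheduled mode is considered highest priority first; a mode whose
    exclusive hardware is already claimed by a higher-priority mode is held
    back for that tick (e.g. Scope yields the WiFi radio while Siren runs)."""
    scheduled = sorted((m for m in playbook if in_window(playbook[m], when)),
                       key=lambda m: -playbook[m]["priority"])
    claimed, running = set(), []
    for m in scheduled:
        if playbook[m]["hw"] & claimed:
            continue                  # hardware conflict: higher priority wins
        claimed |= playbook[m]["hw"]
        running.append(m)
    return running


if __name__ == "__main__":
    for ts in (datetime(2024, 1, 8, 12, 0), datetime(2024, 1, 13, 3, 0)):
        print(ts.strftime("%a %H:%M"), active_modes(PLAYBOOK, ts))
```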
How Does Auto-Exfiltration Work?
Exfiltration is configured independently from attack modes. You define a cadence -- every 30 minutes, every hour, every 4 hours -- and the Phantom packages, encrypts, and pushes all new loot to the dashboard on that schedule. You can also configure event-driven exfiltration: push immediately when specific high-value items are captured, such as cleartext credentials or domain admin hashes.
Auto-exfiltration solves two problems. First, it ensures that captured data reaches you even if the device is discovered and removed before you can retrieve it. If the Phantom has been exfiltrating hourly for three days and gets found on day four, you have three days of complete results already in the dashboard. Second, it lets you make tactical decisions during the engagement based on real results. If you see domain admin NTLMv2 hashes arriving in the dashboard on day one, you might adjust the playbook to focus on lateral movement preparation rather than continuing broad credential harvesting.
Why Remove the Operator from the Loop?
The playbook model inverts the traditional drop box workflow. Instead of the operator driving the device, the device drives itself and the operator monitors. This has several practical benefits beyond the obvious convenience:
- Consistency: A playbook executes the same way every time. It does not forget to start a mode, does not fat-finger a command, and does not accidentally leave Venom running over the weekend.
- Time zone independence: The playbook runs on the device's local clock, synchronized with the target's business hours. The operator can be anywhere in the world. There is no need to set alarms to SSH in at 8 AM in the target's time zone.
- Reduced C2 traffic: A manually operated device requires constant SSH sessions. A playbook-driven device only generates brief 4G bursts during exfiltration. Less C2 traffic means a smaller operational footprint.
- Parallel engagements: When devices operate autonomously, a single operator can manage multiple concurrent engagements. Plant devices at three sites, activate playbooks, and monitor all three dashboards. This is impossible with manual operation unless you clone yourself.
What Does the Deployment Workflow Look Like?
With playbooks, the engagement workflow becomes a clean sequence with minimal operator involvement during the active phase:
- Pre-engagement: Configure the playbook based on engagement scope, target intel (ideally from Scout recon), and rules of engagement. Define mode sequences, time windows, and exfiltration schedule. Load the playbook onto the Phantom.
- Deployment: Physically plant the device. Connect it to the target network. Walk away.
- Activation: From the dashboard, verify 4G connectivity, confirm network link status, and activate the playbook. The Phantom begins executing the sequence autonomously.
- Monitoring: Review exfiltrated loot as it arrives. Adjust the playbook remotely if findings suggest a different approach. The device continues executing between your check-ins.
- Extraction: When the engagement window closes, trigger the kill switch to stop all activity. Retrieve the hardware if possible. If retrieval is not possible or not safe, trigger self-destruct remotely and write off the hardware cost.
Engagement Report Generation
Everything the Phantom captures is structured and timestamped. Credentials include the protocol, source IP, target service, and capture time. Hashes include the hash type, associated username, and the attack mode that captured them. PCAPs are segmented by time window and mode.
The dashboard aggregates this structured loot into engagement reports. Instead of manually correlating Responder logs, PCAP files, and handshake captures from a Pi's filesystem, you get a consolidated view of everything captured during the engagement, organized by attack mode, time window, and data type. This structured output feeds directly into your engagement report, with timestamps and provenance for every finding. The hours you used to spend cleaning up and correlating drop box output become time you spend on analysis and recommendations.