Defense and military network operations center around the age-old game: establishing long-term footholds deep inside a network. In this talk, we will discuss specific techniques and tactics observed while providing defensive incident response services to organizations compromised by foreign intelligence and defense agencies. The discussion will also incorporate the release and open-sourcing of several private projects used to identify pass-the-hash/impersonation attacks, including: a set of network monitoring daemons known as breachbox, part of which was funded by DARPA's Cyber Fast Track program; and an open-source tool and blueprint to help trojanize your own network to monitor and detect adversarial activity.