<div dir="ltr">Nice product plug :)<div><br></div><div>If I'd be a defensive CISO and someone would pentest my org and show me how he got domain admin, I'd tell them, "that's really great, but if you'd have a normal C2 working for some period of time, my crystal-ball based anomaly detection system would have picked it up and we'd IR/hunt you down" and the red team bros would have nothing to reply because, they, well didn't have a C2 going for a while and I would keep my bonus.</div><div><br></div><div>It is in the interest of the auditor/red-teamer to do this as much as it is in the interest of a genuinely concerned customer who wants to know how good they are.</div><div><br></div><div> </div><div><br></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><br clear="all"><div><div class="gmail_signature">--<br>Konrads Smelkovs<br>Applied IT sorcery.</div></div>
</div>
<br><div class="gmail_quote">On Wed, Oct 28, 2015 at 1:59 AM, Kristian Erik Hermansen <span dir="ltr"><<a href="mailto:kristian.hermansen@gmail.com" target="_blank">kristian.hermansen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><font size="2"><span style="background-color:rgba(255,255,255,0)">es that would be ideal but unfortunately there is always pushback due to perception of privacy impact to staff / employees and also risk of accidentally nuking the entire organization due to "unexpected changes". You can try though and I wish you luck getting executives to sign off on that risk. Or you could just buy Immunity Innuendo for $50K or Cobalt Strike with beacon for about 1/10th that and get close to "APT simulation"...</span></font><div class="HOEnZb"><div class="h5"><div><font size="2"><span><br></span></font><br>On Tuesday, October 27, 2015, Konrads Smelkovs <<a href="mailto:konrads.smelkovs@gmail.com" target="_blank">konrads.smelkovs@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>In my view, security improvements in organisations are driven by breaches and red team exercises/pentests. While breaches give hard lessons learned, red teams often don't and that's because we reward red teamers for a "domain admin" rather than longer term persistent access. </div><div><br></div><div>This is what I call reach for the sky/rocket launch: you get domain admin, get a screenshot of CEO's e-mail and declare job done. In reality, a good simulation would be to "stay airborne" - take a screenshot of CEO's e-mail/exfil PST every week.</div><div><br></div><div>That's not to say that there isn't a scenario where desctruction of assets is the end-goal of an attacker, but even then, I would argue that red teamers ought to put an .exe in autoruns for every PC they wish to have done a simulated wipe.</div><div><br></div><br clear="all"><div><br clear="all"><div><div>--<br>Konrads Smelkovs<br>Applied IT sorcery.</div></div>
</div>
</div>
</blockquote></div><br><br></div></div><span class="HOEnZb"><font color="#888888">-- <br>Regards,<br><br>Kristian Erik Hermansen<br><a href="https://www.linkedin.com/in/kristianhermansen" target="_blank">https://www.linkedin.com/in/kristianhermansen</a><br><a href="https://google.com/+KristianHermansen" target="_blank">https://google.com/+KristianHermansen</a><br>
</font></span></blockquote></div><br></div>