As the Offensive Security Team, we do our best to fly below the radar on penetration testing engagements. But yes, sometimes we get caught! Here's the top three things that get us busted.
1. Heuristic Analysis in EDR - Jim from Accounting doesn't have a use case for, or normally use, Powershell or cmd. In fact, he's never opened anything other than MS Office and Chrome. So why's he doing it now?
2. MFA/Zero Trust Arch - We got some creds. Nice. Now let's try to pivot to another machine on the network. Uh oh, the org is using something like Zero Networks to perform micro-segmentation and an additional MFA step is required. Booooooo.
3. Canaries - You can use these in Office documents, as AWS tokens, and many more. You name a file something like "SuperSecretPasswords.docx". You know, something that an attacker just wouldn't be able to NOT open. When it opens - BANG! The canary is triggered and the defenders are alerted.
You can generate your own canary tokens at canarytokens.org and Thinkist has an excellent enterprise program.
Penetration testing is a fantastic way to validate all of that budget spend on controls and show that what you've implemented is working.
