There will be customers who wouldn’t want you to become domain admin…

…While becoming domain admin is an admirable milestone, not every customer will want you to get there. Here's why.

  1. Regulation is still the driving force behind the pentesting industry. For some customers a pentest is a hygiene exercise. For most of them, though, it is a checkbox that must be ticked (we get our environment tested every quarter, no vulnerabilities found, we are secure, and so on). They won't be happy when you become domain admin. No happy customer, no repeat business, no job!
  2. Then there are customers who will ask: "That's fine, but what is the impact? Why should I worry about you becoming domain admin? I have a SOC, EDR, XDR, yeh-DR, wo-DR…" Before you hit the snooze button, remember this customer. This customer will challenge you, and the challenge is different from the technical duels you have with your buddies over lunch. 'Agree to disagree' won't help here. Your attack narrative must carry domain admin through to post-exploitation scenarios the business understands: compromising leadership mailboxes, setting up a backdoor AD or VPN account, disabling 2FA on the attacker's VPN profile, whitelisting Google Drive in the DLP policy to exfiltrate KYC data, and so on. Each of those steps has to be agreed with the customer before you take it, not justified afterwards.
  3. Then there are security teams who will be hurt if you become domain admin, because they are the ones who have to answer the question: how did we get hacked with all these fancy tools supposedly protecting us? Nobody likes a visit to the principal's office.
You need to get the customer's requirements clear up front. Are they 'ok' with you becoming domain admin, and with the post-exploitation you would need to show what that actually means for them?

At the intersection of pentest, auditing, risk management and career advice. Musings based on real experiences, not theory. All infosec, mashed up.

Follow the Risky Context channel on WhatsApp (if WhatsApp is your thing; your number is not shared with others when you connect to my channel): https://whatsapp.com/channel/0029VaDqrFU8aKvQohD5nq0r