Whenever you feel like you’ve hit a dead end, always go back to your reconnaissance results. Somewhere in the midst of those heaps of data, you will find something to kick-start your creativity once again.

We’ve already gotten our hands on plenty of information, but at great cost. We need to be more careful this time, lest we get kicked out of the network once more. We know ATA and QRadar are watching. When dealing with ATA or any other behavioral analysis tool, it’s best to blend in with regular traffic as much as possible; in this case, that means Windows Active Directory traffic.

Camouflage

All machines in the AD forest ...