Certainly!
Notice the part that says "slows blue team detection."
Imagine that you have been hired as a penetration tester by some big company. This company not only wants to know if their systems can be compromised, but if their systems CAN be compromised, they also want to test the effectiveness of their incident response team. In your pentest, your goal is to get to their internal file server, but you have only managed to gain access to a rogue mail server set up by a lazy employee. You plan to use the mail server to pivot into the file server, but you want to make sure that their IR team doesn't notice you using the system. Once you gain access to the file server, maybe you don't want them knowing that you were attacking from the mail server. Ideally, you cover your tracks after every compromise, and before you leave the system. Then the IR team will never have an opportunity to even know they have been attacked. If the attack is detected, the goal is for forensics to not be able to build a timeline of the attack.