Thread by Jessica Payne, 21 tweets, 2 min read
Reacting to a new technique with 'well of course it works, they had admin' may indicate you don't fully appreciate the attacker mindset.
The attacker goal is not just to run code, but often to keep it running without you noticing for as long as possible, and 'borrowed' trust helps with that.
If you are using a trusted tool or a troubleshooting tool to execute your code, you can inherit the 'reputation' of that process.
Inherited reputation not only helps with avoiding automated detection like antivirus, it helps confuse overwhelmed IT practitioners.
When someone working an IR has tens of thousands of boxes to triage, things get filtered out, often signed binaries and anything the responders themselves ran.
IR tools also have limitations, such as truncating characters on additional parameters passed to a process or task; attackers know this.
Attackers also know which tools might get USED during an IR, and being able to embed a canary/off switch in those trusted tools is valuable.
Telling the post exploit/malware implant story is not an easy task, as in many environments it can just become a mass of 'seems legit.'
When the attacker can borrow normal behaviors or tools to move laterally and access data, the IR storytelling task becomes much harder.
Finding C2/malware can be an easy task compared to finding which logon type 4 (batch) from a service account that does that all day was the bad one.
But the post-malware story is the story that will probably matter the most to the attacked: what data was accessed? What is my liability?
If the attacker can use 'known good' tools/binaries/processes/accounts to do badness, you may never get the answer about what their goal was.
Not getting answers about what was the goal, or even delaying those answers, means that an attacker can have more time to be successful.
Attackers are ahead of the game in thinking about the IT environment. Ask yourself, what is a process that will be on every box running as SYSTEM?
Attackers will probably research management tools and such and how they logon, what privileges they have-most networks have commonalities.
This isn't theoretical, there are actual attackers that just rely on the fact they know _ is running at all the companies that do _ .
Malware is shiny and interesting, but an internet facing non-MFA entrance point with minimal logging is just as useful to an attacker.
Attackers have no shame in using boring stuff to get their goal done, even if it's just using a common troubleshooting tool to persist.
When someone shares a technique, practice it and look at the signatures it leaves. Does it blend in with 'normal' in your environment?
Most IRs are week- or month-long engagements; learning 'normal' is nearly impossible in that time frame. Prep now, and make it iterative.
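The triage problem described earlier in the thread (the one bad logon type 4 hidden among a service account's routine ones) and the advice to learn 'normal' before the IR, as an added example that is not part of the original thread: the script builds a per-account baseline of (logon type, host) pairs from a known-good window, then reviews a later window and flags only the events the baseline does not explain. The log lines, account names, hosts and addresses are constructed for this example; the columns mirror fields of Windows Security event 4624 (TargetUserName, LogonType, WorkstationName, IpAddress), but nothing here reads a live event log.

```python
"""Baseline-and-deviation triage of Windows logon events (added example).

Builds a per-account baseline of (logon type, host) from a 'known normal'
window, then reviews a later window and flags only events that fall
outside that baseline. All log lines below are constructed; the columns
mirror fields of Security event 4624 but no live event log is read.
"""
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "time event_id account logon_type workstation ip")

# Constructed baseline window: svc_backup performs batch (type 4) logons
# from BACKUP01 all day; jdoe logs on interactively (2) to ADMIN-WS and
# reaches FS01 over the network (3) and via RDP (10).
BASELINE_LOG = """\
# time,EventID,TargetUserName,LogonType,WorkstationName,IpAddress
2023-05-01T02:00:01Z,4624,svc_backup,4,BACKUP01,10.0.1.5
2023-05-01T02:00:03Z,4624,svc_backup,4,BACKUP01,10.0.1.5
2023-05-02T02:00:02Z,4624,svc_backup,4,BACKUP01,10.0.1.5
2023-05-01T09:12:44Z,4624,jdoe,2,ADMIN-WS,10.0.2.20
2023-05-01T09:30:10Z,4624,jdoe,3,FS01,10.0.2.20
2023-05-02T08:58:31Z,4624,jdoe,10,FS01,10.0.2.20
"""

# Constructed review window. Three of the seven events should be flagged:
# svc_backup doing its usual type-4 logon but from FS01, jdoe using RDP to a
# host he only ever used interactively, and an account with no baseline.
REVIEW_LOG = """\
2023-05-08T02:00:01Z,4624,svc_backup,4,BACKUP01,10.0.1.5
2023-05-08T02:00:02Z,4624,svc_backup,4,BACKUP01,10.0.1.5
2023-05-08T03:14:09Z,4624,svc_backup,4,FS01,10.0.1.5
2023-05-08T09:01:12Z,4624,jdoe,2,ADMIN-WS,10.0.2.20
2023-05-08T11:40:00Z,4624,jdoe,3,FS01,10.0.2.20
2023-05-08T23:15:07Z,4624,jdoe,10,ADMIN-WS,10.0.2.20
2023-05-08T23:20:45Z,4624,svc_deploy,5,DC01,10.0.0.2
"""


def parse_log(text):
    """Parse the constructed CSV-style lines into Event tuples; skip comments/blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        time, event_id, account, logon_type, workstation, ip = line.split(",")
        events.append(Event(time, int(event_id), account.lower(),
                            int(logon_type), workstation.upper(), ip))
    return events


def build_baseline(events):
    """Per-account sets of logon types, hosts and (type, host) pairs seen as normal."""
    baseline = defaultdict(lambda: {"types": set(), "hosts": set(), "pairs": set()})
    for e in events:
        if e.event_id != 4624:  # only successful logons feed the baseline
            continue
        b = baseline[e.account]
        b["types"].add(e.logon_type)
        b["hosts"].add(e.workstation)
        b["pairs"].add((e.logon_type, e.workstation))
    return dict(baseline)


def classify(event, baseline):
    """Return None for an event the baseline explains, else a short reason.
    Checks run coarse to fine so the reason names the most surprising property."""
    if event.event_id != 4624:
        return None
    b = baseline.get(event.account)
    if b is None:
        return "account never seen in baseline window"
    if event.logon_type not in b["types"]:
        return f"logon type {event.logon_type} never used by this account"
    if event.workstation not in b["hosts"]:
        return f"host {event.workstation} never used by this account"
    if (event.logon_type, event.workstation) not in b["pairs"]:
        return (f"type {event.logon_type} and host {event.workstation} "
                "both known, but never together")
    return None


def find_deviations(baseline, events):
    """All (event, reason) pairs the baseline does not explain, in log order."""
    out = []
    for e in events:
        reason = classify(e, baseline)
        if reason:
            out.append((e, reason))
    return out


def triage(baseline_text, review_text):
    """End-to-end: returns (number of events reviewed, list of flagged events)."""
    baseline = build_baseline(parse_log(baseline_text))
    review = parse_log(review_text)
    return len(review), find_deviations(baseline, review)


if __name__ == "__main__":
    total, flagged = triage(BASELINE_LOG, REVIEW_LOG)
    print(f"{total} logon events reviewed, {len(flagged)} outside baseline")
    for e, reason in flagged:
        print(f"  {e.time} {e.account} type={e.logon_type} host={e.workstation}: {reason}")
```

The point of the exercise is the ratio: the baseline only exists because it was collected before the incident, and without it every svc_backup type-4 logon in the review window looks identical. In a real environment the baseline would be rebuilt on a schedule from exported 4624 events, and the (type, host) tuple would be extended with whatever fields are stable for your accounts (source address, process name, time-of-day bucket).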
Solving for Attacker X does not mean solving for Attacker Y and Attacker Y probably follows @subTee just like you do. Plan ahead.