This doesn’t feel right. You message your team and say you recommend pausing the engagement and informing the RisottoCorp trusted agent about the web shell.
“We’re going to lose tempo because of this,” says one of your team members.
“That’s ok. We’re losing tempo for the right reason,” responds your team lead. She has your back on this one.
You draft an email to the trusted agent and CC the IT lead that details your findings. You include time-stamped screenshots of the web shell and logs that correlate your directory brute force to the time of discovery.
You explain that this is evidence of a prior compromise and that you recommended pausing the engagement until the finding had been reported.
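An added illustration of the log correlation that email relies on (not part of the original narrative): constructed Apache-style access log lines are checked for whether the web shell path was requested by someone other than the tester before the directory brute force began. The shell path, the tester IP and all timestamps are assumptions made up for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample access log (not real data). The shell path, tester IP
# 198.51.100.10, foreign IP 203.0.113.7 and timestamps are all assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2024:03:14:07 +0000] "POST /wp-content/uploads/2024/02/wp-cache.php HTTP/1.1" 200 512
203.0.113.7 - - [03/Mar/2024:11:02:55 +0000] "POST /wp-content/uploads/2024/02/wp-cache.php HTTP/1.1" 200 498
198.51.100.10 - - [05/Mar/2024:09:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
198.51.100.10 - - [05/Mar/2024:09:00:02 +0000] "GET /wp-content/uploads/2024/02/wp-cache.php HTTP/1.1" 200 512
"""
SHELL_PATH = "/wp-content/uploads/2024/02/wp-cache.php"   # assumed web shell location
TESTER_IPS = {"198.51.100.10"}                             # assumed pentest source IP
SCAN_START = datetime(2024, 3, 5, 9, 0, 0, tzinfo=timezone.utc)  # assumed brute-force start

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Parse common-log-format lines into dicts with timezone-aware datetimes."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"ip": m.group("ip"), "ts": ts,
                        "method": m.group("method"), "path": m.group("path")})
    return entries

def prior_compromise_evidence(entries, shell_path, tester_ips, scan_start):
    """Split web shell hits into tester vs. foreign traffic and report whether
    the earliest foreign hit predates the scan (i.e. the shell was already there)."""
    hits = [e for e in entries if e["path"] == shell_path]
    foreign = sorted((e["ts"] for e in hits if e["ip"] not in tester_ips))
    tester = sorted((e["ts"] for e in hits if e["ip"] in tester_ips))
    first_foreign = foreign[0] if foreign else None
    first_tester = tester[0] if tester else None
    return {"first_foreign": first_foreign, "first_tester": first_tester,
            "predates_scan": first_foreign is not None and first_foreign < scan_start}

def analyze_sample():
    """Run the timeline check over the constructed sample log."""
    return prior_compromise_evidence(parse_log(SAMPLE_LOG), SHELL_PATH, TESTER_IPS, SCAN_START)

if __name__ == "__main__":
    print(analyze_sample())
```

The same check applies to real logs by swapping in the exported access log, the tester's source addresses and the scan window from the rules of engagement.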
The trusted agent responds with shock, but also appreciation.
“Wow, that looks bad. We had no idea. Thank you so much for bringing this to our attention. I informed the IT team to isolate that container and examine the logs. They found something that looks like it indicates how the adversary was able to compromise the site:
I’ve informed the Incident Response team and they’ve opened an investigation.
For now, let’s take the WordPress site out of the engagement scope until we get more information. But please feel free to continue with the engagement.”
What an excellent find! Sure, the WordPress site is no longer serviceable as an initial access vector, but that’s for the best.
Your team lead congratulates you on the find and thanks you for your professionalism in how you handled the situation. Now, let’s continue with the engagement!
What do you do?