by flexorium
821 days ago
In the audit log of the organization you can see an event, but by that time you have lost visibility into what the attacker really executed. So a malicious tag payload (stage 1) will still remain in events, but stage 2 will be lost completely (only the fact that the log was deleted remains), and that would not leak any of what really was executed; with something like `curl | bash` it could be silent. Most likely the end goal is to backdoor the final artifacts, so one could diff, I guess.