Module 3

3.4

The Evidence Package

The testing window closed on April 3rd, end of day. TadiSec’s authorized access to DC01 has ended. You have a pile of raw findings: Nmap scans, BloodHound output, Kerberoasting results, privilege escalation evidence, and some enumeration output that turned out to be noise.

This is the evidence package: everything you collected during the engagement. It’s messy. It’s not organized by finding. Some of it is critical, some of it is informational, and some of it isn’t even reportable.

Before you can write a report, you need to triage this evidence:

Identify distinct findings. A Kerberoasting result and the subsequent lateral movement might be one finding or two, depending on how you frame it. Group related evidence together.

Separate findings from noise. Not everything you discovered is a reportable finding. An open port that’s expected and documented is noise. A misconfigured GPO that exposes credentials is a finding.

Identify the severity. Which findings have the highest business impact? That determines report priority and presentation order.
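As an added example (not part of the course material), the following Python script applies the "findings versus noise" step to the port table from the DC01 Nmap scan shown on this page. The documented baseline and the severity values are constructed assumptions standing in for the client’s own documentation; the script demonstrates the mechanism of checking evidence against what is expected and ordering what remains by severity, not the answer to the challenge below.

```python
"""Evidence triage helper: parse Nmap port lines, drop anything that is on the
client's documented baseline (noise), and sort the rest by severity (findings)."""
import re
from dataclasses import dataclass

# Port table copied from the DC01 scan shown on this page.
NMAP_OUTPUT = """\
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS 6.1
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows AD LDAP
445/tcp  open  microsoft-ds  Microsoft Windows Server 2019
636/tcp  open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
"""

# Constructed baseline: services the client has documented as expected on a
# domain controller. A port on this list is noise, not a finding.
DOCUMENTED_BASELINE = {"53/tcp", "88/tcp", "135/tcp", "389/tcp", "445/tcp", "636/tcp"}

# Constructed severity assignments for ports outside the baseline; anything
# not listed is reported as Informational until an analyst rates it.
SEVERITY_BY_PORT = {"3389/tcp": "Medium"}
DEFAULT_SEVERITY = "Informational"
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


@dataclass
class PortEntry:
    port: str
    state: str
    service: str
    version: str


# Matches one Nmap "normal output" port line: PORT STATE SERVICE [VERSION]
PORT_LINE = re.compile(r"^(\d+/\w+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_ports(text):
    """Return PortEntry records for every port line, skipping the header."""
    entries = []
    for line in text.splitlines():
        if line.startswith("PORT"):
            continue
        match = PORT_LINE.match(line)
        if match:
            entries.append(PortEntry(*match.groups()))
    return entries


def triage_ports(entries, baseline=DOCUMENTED_BASELINE):
    """Split open ports into (noise, findings).

    noise    : open ports present in the documented baseline
    findings : (severity, entry) tuples for everything else, highest first
    """
    noise, findings = [], []
    for entry in entries:
        if entry.state != "open":
            continue
        if entry.port in baseline:
            noise.append(entry)
        else:
            severity = SEVERITY_BY_PORT.get(entry.port, DEFAULT_SEVERITY)
            findings.append((severity, entry))
    findings.sort(key=lambda item: SEVERITY_RANK[item[0]])
    return noise, findings


if __name__ == "__main__":
    noise, findings = triage_ports(parse_nmap_ports(NMAP_OUTPUT))
    print("Noise (documented, not reportable):")
    for entry in noise:
        print(f"  {entry.port:<9} {entry.service}")
    print("Findings (ordered by severity):")
    for severity, entry in findings:
        print(f"  [{severity}] {entry.port:<9} {entry.service} {entry.version}")
```

The baseline is the part that matters in practice: the same open port is noise on one engagement and a finding on another, depending entirely on what the client has documented as expected, so the comparison set should come from the scoping documents rather than from the tester’s intuition.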

Quick personal note here: I keep all my screenshots and evidence in the report template I will be using for that engagement. All my evidence goes under a specific finding. If it doesn’t fit in a specific finding, it goes into the section of the report that details my methodology. One of the things I learned from my manager early on in my career was to “start your report on day 1”. Shoutout to KM.

The evidence package on the right is an example of TadiSec’s raw output from the Navigating Security Corp engagement.

Review the evidence package on the right and answer the triage questions. How many findings can you identify? What’s noise?

Challenge

Triage the Evidence Package


Review TadiSec's raw evidence from the Navigating Security Corp engagement. Answer the triage questions below.

Nmap Scan — DC01 (10.1.1.10)

Terminal Output
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS 6.1
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows AD LDAP
445/tcp  open  microsoft-ds  Microsoft Windows Server 2019
636/tcp  open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Question 1 of 2

How many distinct reportable findings are in this evidence package?

Question 2 of 2

Which evidence item is NOT a reportable finding?