
Disclaimer: I'm the author of this post.

The big thing that I found from my research on this tooling was the ease with which an attacker could a) learn things about a target environment, particularly by enabling RDP and accessing a device directly without generating any red flags, and b) more importantly, exfiltrate data over SMB that would appear to be local activity.

Sure, flow data would eventually show the outbound transfer rates suggestive of data exfiltration, but without any other correlative alerts, it's likely to get through before defenders have a chance to respond.
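As an added illustration of the detection gap the comment describes (this is example code written for this page, not the author's tooling or research): the only network-visible signal mentioned is outbound transfer volume in flow data. The script below aggregates constructed flow records per internal host, compares the outbound volume against an assumed per-host baseline, and separately lists SMB/RDP flows to non-internal addresses as a cheap correlative check. The sample flows, the RFC 1918 "internal" definition, the baseline figures, and the ratio/floor thresholds are all assumptions chosen for the example; a session tunneled through management tooling would look like ordinary outbound traffic here, which is exactly why volume alone is a late signal.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records, not real traffic:
# (source IP, destination IP, destination port, bytes sent by the source).
SAMPLE_FLOWS = [
    ("10.0.5.21", "10.0.5.7",      445,  120_000),        # SMB to an internal file server
    ("10.0.5.21", "203.0.113.50",  443,  1_200_000_000),  # large sustained outbound transfer
    ("10.0.5.33", "198.51.100.12", 3389, 2_500_000),      # RDP session to an external address
    ("10.0.5.33", "10.0.9.2",      3389, 40_000),         # RDP inside the LAN
    ("10.0.5.40", "203.0.113.50",  443,  50_000),         # ordinary-sized web flow
]

# Assumption: RFC 1918 space is "internal"; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed per-host baseline of outbound bytes for the window (e.g. learned over prior weeks).
BASELINE_OUTBOUND_BYTES = {
    "10.0.5.21": 30_000_000,
    "10.0.5.33": 5_000_000,
    "10.0.5.40": 20_000_000,
}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_by_host(flows):
    """Sum bytes sent from internal sources to non-internal destinations, per source host."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfil_candidates(flows, baseline, ratio=10.0, floor=100 * 1024 * 1024):
    """Hosts whose outbound volume is at least `ratio` x their baseline and at least `floor` bytes.

    The floor (assumed 100 MiB) stops low-baseline hosts from alerting on tiny absolute growth.
    """
    flagged = {}
    for host, total in outbound_bytes_by_host(flows).items():
        base = baseline.get(host, 0)
        if total >= floor and total >= ratio * base:
            flagged[host] = total
    return flagged


def flag_external_admin_protocols(flows, ports=(445, 3389)):
    """SMB/RDP flows from internal hosts to non-internal addresses.

    Only catches direct connections; traffic relayed through a management tool
    would not appear here.
    """
    return [(src, dst, port) for src, dst, port, _nbytes in flows
            if is_internal(src) and not is_internal(dst) and port in ports]


if __name__ == "__main__":
    for host, total in flag_exfil_candidates(SAMPLE_FLOWS, BASELINE_OUTBOUND_BYTES).items():
        print(f"volume anomaly: {host} sent {total:,} bytes outbound")
    for src, dst, port in flag_external_admin_protocols(SAMPLE_FLOWS):
        print(f"admin protocol to external host: {src} -> {dst}:{port}")
```

Run against real flow exports, the volume check fires only after the bulk of the data has already left, which is the comment's point; its value is as one input to correlation with host-side evidence (RDP being enabled, new SMB sessions), not as a standalone alert.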



