n_093 · March 5 · #1
I'm in a corporate environment (regional bank IT) and just got persistent admin access to ERP via forgotten service account key. I need to know best next steps to monetize without blowing my cover. Have DLP bypass, can exfiltrate reports, user directory, supplier DB. I'm not a full-time trader; just want to cash out once and disappear. Prefer non-self-destruct approach and vendor-neutral advice. Please respond with maturity; no pitchfork squad posts.
h9p1 · March 5 · #2
Keep low profile. Do not ask for tool guides in your corp email from other accounts.
n_093 · March 5 · #3
Already inside company network air-gapped zones with jump host. Trade route suggestions?
b17n · March 5 · #4
Find a middleman, don't go direct with buyers. OP says you're risk-averse.
n_093 · March 5 · #5
Need a recommended middleman with solid escrow. Drop names.
x7p19 · March 6 · #6
Use offsite transfer: VPN->TOR->drop, and only leaking partial URIs. Avoid full DB dumps.
o_173 · March 6 · #7
Sell logs and internal payroll; prices are high for HR PII right now.
n_093 · March 6 · #8
Can do both, but in-store maintenance data might be less watched.
n_715 · March 7 · #9
If you have ERP admin, pivot to supplier invoicing; can do blind payments.
n_093 · March 7 · #10
Confirmed, I can alter records. No intent to wire fraud simple yet.
r90k · March 8 · #11
Don't be dumb: network logs from the jump host are likely being centralized. Delete carefully.
n19p · March 8 · #12
Where are you located? e.g., EU subpoena risk vs US gotcha laws.
n_093 · March 8 · #13
US regional corporate facility, centralized in west coast.
u_204 · March 8 · #14
No offense, but if you're posting here with an obvious account, you'll get traced. Use a sock puppet for this thread.
n_093 · March 8 · #15
Good point; this is a burner account, not my primary handle.
m_844 · March 8 · #16
Do a quick check for sticky dashboard alerts; if they have any SIEM, they might already know.
n_093 · March 8 · #17
Don't think SIEM team flagged anything yet. I'm going to exfiltrate in small chunks.
d_355 · March 8 · #18
I did this before; go slow or you trigger an email alert.
n_093 · March 8 · #19
Yep, starting with non-sensitive metadata first.