Why should a tester review code found on a compromised machine, such as scripts used by the sysadmin?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Multiple Choice

Why should a tester review code found on a compromised machine, such as scripts used by the sysadmin?

Explanation:
On a penetration test, once you have compromised a host, the scripts a sysadmin runs on it (backup jobs, scheduled tasks, deployment and provisioning scripts) are one of the most reliable places to find hard-coded credentials: database passwords passed on a command line, service-account passwords turned into a SecureString in PowerShell, API keys and tokens pasted into a config block, or connection strings carrying a Password= field. Administrators embed them so the automation can run unattended, and the same credentials very often work on other systems. Reviewing the code therefore tells you where the host can reach, which accounts it reaches them as, and what you can reuse to pivot and escalate. A real attacker who reached the same host would harvest the same material, so the same list tells the client what to rotate or revoke.

Hard-coded credentials in scripts is the best answer because they are directly actionable access points that can be reused after the initial compromise. The other options are not security findings in this context: license keys are rarely the primary concern, and reviewing hardware compatibility or updating firmware says nothing about what the compromised host can reach or who it can authenticate as.
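The review described above can be started mechanically. The following is an added example, not code from the original page or from any SANS course material: a small pattern-based scanner that walks a handful of scripts of the kind found on a sysadmin's workstation, reports literal credentials, and skips values that only reference a secret held elsewhere (an environment variable or an os.environ lookup), since those are not hard-coded. The three sample scripts, and every host name, account and secret in them, are constructed for illustration.

```python
"""Hunt for hard-coded credentials in scripts harvested from a compromised host.

Added example, not from the original page. The sample scripts below are
constructed for illustration; the hosts, accounts and secrets are not real.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    source: str   # which script the line came from
    line_no: int  # 1-based line number within that script
    name: str     # variable or parameter that held the secret
    value: str    # the literal secret as written in the script


# Order matters: the first pattern that matches a line wins.
PATTERNS = [
    # PowerShell: a plaintext string converted to a SecureString on the spot.
    re.compile(r"(\$\w+)\s*=\s*ConvertTo-SecureString\s+[\"']([^\"']+)[\"']\s+-AsPlainText"),
    # Generic NAME=value / NAME: value where NAME looks credential-like
    # (PGPASSWORD, db_password, API_KEY, MYSQL_PWD, token...). Also catches
    # Password=... inside connection strings and mount options.
    re.compile(
        r"(?i)([A-Za-z_]*(?:passw(?:or)?d|pwd|secret|api[_-]?key|token|access[_-]?key)"
        r"[A-Za-z_]*)\s*[:=]\s*[\"']?([^\"'\s;]+)"
    ),
]


def is_reference(value: str) -> bool:
    """True when the value points at a secret stored elsewhere, not a literal.

    Covers shell/PowerShell variables ($VAR, ${VAR}, %VAR%) and common
    environment lookups; anything else is treated as an embedded literal.
    """
    return value.startswith(("$", "%")) or any(
        marker in value for marker in ("os.environ", "$env:", "getenv(")
    )


def scan_text(source: str, text: str) -> List[Finding]:
    """Return one Finding per line that embeds a literal credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                name, value = match.group(1), match.group(2)
                if not is_reference(value):
                    findings.append(Finding(source, line_no, name, value))
                break  # one finding per line; first matching pattern wins
    return findings


def scan_all(scripts: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of script name -> script contents."""
    results: List[Finding] = []
    for source, text in scripts.items():
        results.extend(scan_text(source, text))
    return results


# Constructed sample scripts: the kind of automation left on an admin host.
SAMPLES = {
    "nightly_backup.sh": """#!/bin/bash
# Dump the HR database to the backup share (constructed sample)
PGPASSWORD=backup_2019 pg_dump -h db01.corp.local -U svc_backup hr > /mnt/backup/hr.sql
export API_TOKEN="${VAULT_API_TOKEN}"   # fetched from the vault at runtime, not a finding
mount -t cifs //fs01/backup /mnt/backup -o user=svc_backup,password=Sh4re!2019
""",
    "Reset-ServiceAccount.ps1": """# Constructed sample: runs a command on remote hosts as a service account
$pw = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('CORP\\svc_deploy', $pw)
Invoke-Command -ComputerName app01,app02 -Credential $cred -ScriptBlock { hostname }
""",
    "sync_tickets.py": """# Constructed sample: syncs tickets to a SaaS service
import os
API_KEY = "sk_live_constructed_example_0123456789"
db_password = os.environ["TICKETS_DB_PASSWORD"]
CONN = "Server=sql01;Database=tickets;User Id=svc_sync;Password=Sync#2021;"
""",
}


if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f.source}:{f.line_no}  {f.name} = {f.value}")
```

Run as-is it reports five literal credentials (two in the shell script, one in the PowerShell script, two in the Python script) and skips the two values that merely reference an environment variable. In practice you would feed it every script, cron entry, scheduled-task action and shell history you collect from the host, then try each recovered credential against the systems the script talks to; that pairing of secret and target is what makes the review worth the time.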
