Living off the posture
Bringing no tools, and turning the target’s own trusted policies, automation, and native utilities against it. Living off the land, scaled from the single host to the institution: where the tactical version abuses a built-in binary to avoid dropping malware (see evasion), the strategic version abuses a policy, a mandate, or a maintenance window, and lets a compliant, heavily automated bureaucracy do the work. Two postures.
The defensive squeeze
A genuine, properly signed policy change, tightened past the point of function. Turn the approvals, the audits, and the controls up far enough and an organisation locks itself down, its own risk-aversion used against it. The harm is paralysis, and it is hard to call an attack because every part of it is legitimate: a real change, a valid key, an automated control doing exactly what it was told. Where the change is mirrored across an alliance or a shared platform, the lockdown can spread on its own.
The housekeeping drain
A trusted native job, replication or logging or backup, given one more legitimate instruction. A second destination on a sync, a wider scope on a collection, and the organisation’s own resilience mandate carries its data out or runs up its costs while every log stays green. The mechanics sit with living off the cloud; the framing is the point here, that the tool is trusted, the instruction is valid, and the victim pays the bandwidth for its own loss.
Invisible by design
Detection built for intrusion finds nothing, because there is no intrusion. Native tools, valid certificates, signed policy, scheduled jobs. The signal, where there is one, sits in the shape rather than the act: a job that ran longer or moved more than its baseline, a destination that was not there last month, a posture that tightened with no change behind it. Each reads as routine administration until someone asks why.
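The three shape signals named above (a run above its baseline, a destination absent from last month's snapshot, a policy change with no change record) can be checked from data most organisations already hold. The sketch below is an added example, not code from the original page; the record fields, job, policy, and ticket names are constructed assumptions rather than any real product's schema.

```python
from statistics import median

# Constructed sample data; field names are assumptions, not a real product schema.
HISTORY = {  # job -> past runs as (bytes_moved, seconds)
    "nightly-backup": [(40e9, 3600), (42e9, 3700), (41e9, 3650), (39e9, 3500), (43e9, 3720)],
}
LAST_MONTH = {"nightly-backup": {"destinations": {"vault-a"}}}
TODAY_RUNS = [
    {"job": "nightly-backup", "bytes": 95e9, "seconds": 8100,
     "destinations": {"vault-a", "vault-b"}},
]
POLICY_CHANGES = [
    {"policy": "mfa-session-ttl", "old": 480, "new": 5, "ticket": None},
    {"policy": "approval-count", "old": 1, "new": 2, "ticket": "CHG-1001"},
]

def mad_outlier(value, samples, k=5.0):
    """True if value sits more than k median-absolute-deviations above the median."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples) or 1e-9  # avoid zero division on flat baselines
    return (value - med) / mad > k

def shape_findings(runs, history, snapshot, changes):
    """Return (subject, reason) pairs for activity that is valid but out of shape."""
    findings = []
    for run in runs:
        past = history.get(run["job"], [])
        if len(past) >= 5:  # too little history gives no baseline worth trusting
            if mad_outlier(run["bytes"], [b for b, _ in past]):
                findings.append((run["job"], "volume above baseline"))
            if mad_outlier(run["seconds"], [s for _, s in past]):
                findings.append((run["job"], "duration above baseline"))
        known = snapshot.get(run["job"], {}).get("destinations", set())
        for dest in sorted(run["destinations"] - known):
            findings.append((run["job"], f"new destination {dest}"))
    for ch in changes:
        if not ch["ticket"]:  # a valid, signed change with no request behind it
            findings.append((ch["policy"], "changed with no change record"))
    return findings

if __name__ == "__main__":
    for subject, reason in shape_findings(TODAY_RUNS, HISTORY, LAST_MONTH, POLICY_CHANGES):
        print(f"{subject}: {reason}")
```

None of these findings is an alert on its own; each is the prompt for someone to ask why.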