Feeding good telemetry to EDRs for healthy red team operations
Learn how red team operators can fly under the radar by deceiving endpoint detection and response tools via benign telemetry.
When we think about red teaming, most of the time the focus is on evading detection, that is, hiding from endpoint detection and response (EDR) tools, bypassing defenses, and staying off the radar. But what if we flipped that around? Instead of hiding, what if we actively fed EDR tools benign telemetry to blend in and mislead them? The idea is to use deception to make malicious activity appear normal in the eyes of the defender.
EDRs rely on a combination of signatures, heuristics, and behavioral baselines to decide whether a process is suspicious. These tools monitor how long processes run, how often they execute, what they touch on the file system, how they interact with memory, and how they connect to the network. Over time, they form a baseline of what "normal" looks like in an environment. Red team operators can take advantage of this.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
Imagine you're running a C2 implant that occasionally sends back beacons. Instead of trying to hide every move, you could program the implant to behave like a known, trusted application. For example, it could mimic the same patterns as Microsoft Edge or a scheduled updater like the one Google Chrome uses. It could send requests at the same intervals, with the same user agent, and even access similar domains to "warm up" the EDR with safe behavior. Over time, this activity may start to look benign, making future actions less likely to trigger alerts.
Another angle is to pad malicious tools with legitimate-looking behavior. Let’s say you're using a custom data exfiltration tool. You could design it to also perform harmless-looking actions—like regularly reading a log file, accessing non-sensitive documents, or sleeping for long periods. These side behaviors can help dilute the suspicious ones and make the overall process appear routine. In short, you’re manipulating the signal-to-noise ratio in your favor.
This tactic is especially powerful in long-term engagements, where you're living in the environment for days or weeks. If your tool constantly exhibits low-risk behavior while only occasionally doing something sensitive, there's a good chance that EDR may allow it to fly under the radar—especially in large environments where analysts rely heavily on automated scoring and prioritization.
You can even go further and introduce harmless "decoy" tools that do nothing but produce clean telemetry—simply to confuse and condition the EDR further. These tools could act like internal tools or update checkers, constantly running and behaving well, so that defenders start to ignore activity from those process names or paths.
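To make the signal-to-noise argument above concrete from the detection side, here is an added Python example (not code from the original post) that scores constructed per-process telemetry two ways: a naive per-process average, which benign padding drives below the alert threshold, and a peak-severity score that padding cannot dilute. The event names, severity values, process names and the threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed severity table (0 = harmless, 10 = worst); an assumption, not a real EDR's scoring.
SEVERITY = {
    "sleep": 0,
    "read_log_file": 1,
    "read_document": 1,
    "https_request": 2,
    "large_outbound_transfer": 8,
    "lsass_handle_open": 9,
}


@dataclass(frozen=True)
class Event:
    process: str
    kind: str


# Constructed sample: "padded.exe" performs 48 benign actions around 2 sensitive ones,
# while "updater.exe" only ever makes routine HTTPS requests.
SAMPLE_EVENTS = (
    [Event("padded.exe", "read_log_file")] * 20
    + [Event("padded.exe", "sleep")] * 20
    + [Event("padded.exe", "read_document")] * 8
    + [Event("padded.exe", "lsass_handle_open"), Event("padded.exe", "large_outbound_transfer")]
    + [Event("updater.exe", "https_request")] * 10
)


def naive_average_score(events):
    """Mean severity per process: every benign event pulls the score down."""
    totals, counts = {}, {}
    for e in events:
        totals[e.process] = totals.get(e.process, 0) + SEVERITY[e.kind]
        counts[e.process] = counts.get(e.process, 0) + 1
    return {p: totals[p] / counts[p] for p in totals}


def peak_score(events):
    """Worst single event per process: padding with benign events cannot lower it."""
    peaks = {}
    for e in events:
        peaks[e.process] = max(peaks.get(e.process, 0), SEVERITY[e.kind])
    return peaks


def flagged(scores, threshold=5):
    """Processes whose score meets the (assumed) alert threshold, sorted by name."""
    return sorted(p for p, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    print("naive average:", naive_average_score(SAMPLE_EVENTS), "->", flagged(naive_average_score(SAMPLE_EVENTS)))
    print("peak severity:", peak_score(SAMPLE_EVENTS), "->", flagged(peak_score(SAMPLE_EVENTS)))
```

Under the averaging scorer the padded process lands at 0.9 and is never flagged; under the peak scorer its single LSASS handle event still scores 9 and raises the alert.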
Of course, this tactic comes with challenges. It requires a good understanding of how EDRs score behavior, and it works best in environments that rely heavily on automation or where analysts don’t investigate deeply. But as red teams face more mature security setups, techniques like this can offer an edge.
Red Team Notes
- Feeding EDRs with consistent, clean telemetry helps you build trust, reduce suspicion, and operate under the radar in plain sight.