Skip to content

Instantly share code, notes, and snippets.

@azurekid

azurekid/Invoke-StealthOperation.ps1

Created August 21, 2025 08:33
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save azurekid/bf6cf1c77e4beebe21e37e718ff18652 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save azurekid/bf6cf1c77e4beebe21e37e718ff18652 to your computer and use it in GitHub Desktop.
Download ZIP
Invoke StealthOperation function
Raw
Invoke-StealthOperation.ps1
function Invoke-StealthOperation {
[CmdletBinding()]
param(
[Parameter(Mandatory = $false, ValueFromPipeline = $true)]
[object]$InputObject,
[Parameter(Mandatory = $false)]
[ValidateSet("Random", "Progressive", "BusinessHours", "Exponential")]
[string]$DelayType = "Random",
[Parameter(Mandatory = $false)]
[ValidateRange(0, 600)]
[int]$MinDelay = 1,
[Parameter(Mandatory = $false)]
[ValidateRange(1, 3600)]
[int]$MaxDelay = 5,
[Parameter(Mandatory = $false)]
[switch]$Silent,
[Parameter(Mandatory = $false)]
[ValidateSet("US", "UK", "EU", "JP", "AU", "ES", "IT", "FR", "MX", "CN", "BR", "IN", "KR")]
[string]$Country = "EU",
[Parameter(Mandatory = $false)]
[string]$TimeZone = $null,
[Parameter(Mandatory = $false)]
[ValidateRange(0.0, 1.0)]
[double]$Jitter = 0.2
)
begin {
Write-Verbose "πŸš€ Starting stealth pipeline with $DelayType timing"
$itemCount = 0
# Business hours mapping for different countries with cultural patterns
$businessHours = @{
"US" = @{ Start = 9; End = 17; TimeZone = "Eastern Standard Time"; LunchBreak = $false }
"UK" = @{ Start = 9; End = 17; TimeZone = "GMT Standard Time"; LunchBreak = $false }
"EU" = @{ Start = 9; End = 17; TimeZone = "W. Europe Standard Time"; LunchBreak = $false }
"JP" = @{ Start = 9; End = 18; TimeZone = "Tokyo Standard Time"; LunchBreak = $false }
"AU" = @{ Start = 9; End = 17; TimeZone = "AUS Eastern Standard Time"; LunchBreak = $false }
"ES" = @{ Start = 9; End = 14; End2 = 17; End2Close = 20; TimeZone = "Romance Standard Time"; LunchBreak = $true; LunchStart = 14; LunchEnd = 17; SiestaPattern = $true }
"IT" = @{ Start = 9; End = 13; End2 = 14; End2Close = 18; TimeZone = "W. Europe Standard Time"; LunchBreak = $true; LunchStart = 13; LunchEnd = 14; SiestaPattern = $true }
"FR" = @{ Start = 9; End = 12; End2 = 14; End2Close = 17; TimeZone = "Romance Standard Time"; LunchBreak = $true; LunchStart = 12; LunchEnd = 14; WorkWeekHours = 35 }
"MX" = @{ Start = 9; End = 14; End2 = 16; End2Close = 19; TimeZone = "Central Standard Time (Mexico)"; LunchBreak = $true; LunchStart = 14; LunchEnd = 16; SiestaPattern = $true }
"CN" = @{ Start = 9; End = 12; End2 = 14; End2Close = 18; TimeZone = "China Standard Time"; LunchBreak = $true; LunchStart = 12; LunchEnd = 14; NoonNap = $true }
"BR" = @{ Start = 8; End = 12; End2 = 13; End2Close = 17; TimeZone = "E. South America Standard Time"; LunchBreak = $true; LunchStart = 12; LunchEnd = 13 }
"IN" = @{ Start = 9; End = 18; TimeZone = "India Standard Time"; LunchBreak = $false; ExtendedHours = $true }
"KR" = @{ Start = 9; End = 18; TimeZone = "Korea Standard Time"; LunchBreak = $false; LongWorkCulture = $true }
}
}
process {
# Calculate stealth delay based on type
$calculatedDelay = 0
$businessConfigDescription = $null # Store for delay message
switch ($DelayType) {
"Random" {
$calculatedDelay = Get-Random -Minimum $MinDelay -Maximum $MaxDelay
}
"Progressive" {
$step = $itemCount + 1
$calculatedDelay = $MinDelay + ($step * 0.5)
if ($calculatedDelay -gt $MaxDelay) {
$calculatedDelay = $MaxDelay
}
}
"BusinessHours" {
# Determine timezone and business hours configuration
$targetTimeZone = $null
$businessConfig = $null
if ($TimeZone) {
# When TimeZone is specified, use generic business hours pattern
$businessConfig = @{
Start = 9;
End = 17;
LunchBreak = $false;
Description = "Generic"
}
# Check if TimeZone is UTC offset format (+2, -5, +5.5, etc.)
if ($TimeZone -match '^[+-]\d+(?:\.\d+)?$') {
try {
$offsetHours = [double]$TimeZone
$offsetTimeSpan = [TimeSpan]::FromHours($offsetHours)
$targetTimeZone = [System.TimeZoneInfo]::CreateCustomTimeZone(
"Custom_UTC$TimeZone",
$offsetTimeSpan,
"Custom UTC$TimeZone",
"Custom UTC$TimeZone"
)
$businessConfig.Description = "UTC$TimeZone"
$businessConfigDescription = $businessConfig.Description
Write-Verbose "🌍 Using custom UTC offset: $TimeZone with generic business hours"
}
catch {
Write-Warning "⚠️ Invalid UTC offset format '$TimeZone'. Using country default."
$businessConfig = $businessHours[$Country]
if (-not $businessConfig) {
$businessConfig = $businessHours["US"]
$businessConfigDescription = "US"
} else {
$businessConfigDescription = $Country
}
$targetTimeZone = [System.TimeZoneInfo]::FindSystemTimeZoneById($businessConfig.TimeZone)
}
}
else {
# Try to use as timezone name
try {
$targetTimeZone = [System.TimeZoneInfo]::FindSystemTimeZoneById($TimeZone)
$businessConfig.Description = $TimeZone
$businessConfigDescription = $businessConfig.Description
Write-Verbose "πŸ• Using specified timezone: $TimeZone with generic business hours"
}
catch {
Write-Warning "⚠️ Timezone '$TimeZone' not found. Using country default."
$businessConfig = $businessHours[$Country]
if (-not $businessConfig) {
$businessConfig = $businessHours["US"]
$businessConfigDescription = "US"
} else {
$businessConfigDescription = $Country
}
$targetTimeZone = [System.TimeZoneInfo]::FindSystemTimeZoneById($businessConfig.TimeZone)
}
}
}
else {
# Use country-specific business hours and timezone
$businessConfig = $businessHours[$Country]
if (-not $businessConfig) {
$businessConfig = $businessHours["US"] # Default fallback
$businessConfigDescription = "US"
} else {
$businessConfigDescription = $Country
}
$targetTimeZone = [System.TimeZoneInfo]::FindSystemTimeZoneById($businessConfig.TimeZone)
Write-Verbose "🏒 Using country-specific configuration: $Country"
}
try {
$localTime = [System.TimeZoneInfo]::ConvertTimeFromUtc((Get-Date).ToUniversalTime(), $targetTimeZone)
}
catch {
$localTime = Get-Date # Fallback to system time
}
$currentHour = $localTime.Hour
$isWeekday = $localTime.DayOfWeek -notin @([DayOfWeek]::Saturday, [DayOfWeek]::Sunday)
# Determine if currently in business hours based on configuration
$isBusinessHours = $false
if ($businessConfig.LunchBreak) {
# Countries with lunch break/siesta patterns (ES, IT, FR, MX, CN, BR)
$morningHours = $currentHour -ge $businessConfig.Start -and $currentHour -lt $businessConfig.End
if ($businessConfig.End2 -and $businessConfig.End2Close) {
$afternoonHours = $currentHour -ge $businessConfig.End2 -and $currentHour -lt $businessConfig.End2Close
$isBusinessHours = $morningHours -or $afternoonHours
} else {
$isBusinessHours = $morningHours
}
# Check if currently in lunch/siesta break
$isLunchBreak = $currentHour -ge $businessConfig.LunchStart -and $currentHour -lt $businessConfig.LunchEnd
} else {
# Standard business hours (US, UK, DE, JP, AU, IN, KR, or generic)
$isBusinessHours = $currentHour -ge $businessConfig.Start -and $currentHour -lt $businessConfig.End
}
# Check if we need to wait for business hours (default behavior for BusinessHours timing)
if (-not $isBusinessHours -or -not $isWeekday) {
$waitSeconds = 0
if (-not $isWeekday) {
# Calculate time until next Monday
$daysUntilMonday = (8 - [int]$localTime.DayOfWeek) % 7
if ($daysUntilMonday -eq 0) { $daysUntilMonday = 1 } # If it's Sunday, wait until Monday
$nextBusinessDay = $localTime.Date.AddDays($daysUntilMonday).AddHours($businessConfig.Start)
$waitSeconds = ($nextBusinessDay - $localTime).TotalSeconds
}
elseif ($businessConfig.LunchBreak -and $isLunchBreak) {
# Currently in lunch break - wait until afternoon session
if ($businessConfig.End2) {
$afternoonStart = $localTime.Date.AddHours($businessConfig.End2)
$waitSeconds = ($afternoonStart - $localTime).TotalSeconds
}
}
elseif ($currentHour -lt $businessConfig.Start) {
# Wait until business hours start today
$businessStart = $localTime.Date.AddHours($businessConfig.Start)
$waitSeconds = ($businessStart - $localTime).TotalSeconds
}
elseif ($businessConfig.LunchBreak -and $businessConfig.End2Close -and $currentHour -ge $businessConfig.End2Close) {
# After business hours for lunch break countries
$nextDay = $localTime.Date.AddDays(1)
if ($nextDay.DayOfWeek -eq [DayOfWeek]::Saturday) {
$nextDay = $nextDay.AddDays(2) # Skip to Monday
}
elseif ($nextDay.DayOfWeek -eq [DayOfWeek]::Sunday) {
$nextDay = $nextDay.AddDays(1) # Skip to Monday
}
$nextBusinessStart = $nextDay.AddHours($businessConfig.Start)
$waitSeconds = ($nextBusinessStart - $localTime).TotalSeconds
}
elseif (-not $businessConfig.LunchBreak -and $currentHour -ge $businessConfig.End) {
# After standard business hours
$nextDay = $localTime.Date.AddDays(1)
if ($nextDay.DayOfWeek -eq [DayOfWeek]::Saturday) {
$nextDay = $nextDay.AddDays(2) # Skip to Monday
}
elseif ($nextDay.DayOfWeek -eq [DayOfWeek]::Sunday) {
$nextDay = $nextDay.AddDays(1) # Skip to Monday
}
$nextBusinessStart = $nextDay.AddHours($businessConfig.Start)
$waitSeconds = ($nextBusinessStart - $localTime).TotalSeconds
}
if ($waitSeconds -gt 0) {
$waitHours = [Math]::Floor($waitSeconds / 3600)
$waitMinutes = [Math]::Floor(($waitSeconds % 3600) / 60)
if (-not $Silent) {
$configDescription = if ($TimeZone) { $businessConfig.Description } else { $Country }
$waitMessage = if ($isLunchBreak -and $businessConfig.SiestaPattern) {
if ($waitHours -gt 0) {
"πŸŒ… Waiting {0}h {1}m until {2} siesta/lunch break ends..." -f $waitHours, $waitMinutes, $configDescription
} else {
"πŸŒ… Waiting {0}m until {1} siesta/lunch break ends..." -f $waitMinutes, $configDescription
}
} elseif ($waitHours -gt 0) {
"πŸŒ™ Waiting {0}h {1}m until {2} business hours begin..." -f $waitHours, $waitMinutes, $configDescription
} else {
"⏰ Waiting {0}m until {1} business hours begin..." -f $waitMinutes, $configDescription
}
Write-Host " $waitMessage" -ForegroundColor Magenta
}
Start-Sleep -Seconds $waitSeconds
# Recalculate current time after waiting using the same timezone logic
$localTime = [System.TimeZoneInfo]::ConvertTimeFromUtc((Get-Date).ToUniversalTime(), $targetTimeZone)
$currentHour = $localTime.Hour
$isWeekday = $localTime.DayOfWeek -notin @([DayOfWeek]::Saturday, [DayOfWeek]::Sunday)
# Recalculate business hours status
if ($businessConfig.LunchBreak) {
$morningHours = $currentHour -ge $businessConfig.Start -and $currentHour -lt $businessConfig.End
if ($businessConfig.End2 -and $businessConfig.End2Close) {
$afternoonHours = $currentHour -ge $businessConfig.End2 -and $currentHour -lt $businessConfig.End2Close
$isBusinessHours = $morningHours -or $afternoonHours
} else {
$isBusinessHours = $morningHours
}
} else {
$isBusinessHours = $currentHour -ge $businessConfig.Start -and $currentHour -lt $businessConfig.End
}
}
}
# Apply appropriate delays based on activity level
if ($isBusinessHours -and $isWeekday) {
# Active business hours - shorter delays
$calculatedDelay = Get-Random -Minimum $MinDelay -Maximum ([Math]::Min($MaxDelay, $MinDelay + 3))
}
elseif ($businessConfig.LunchBreak -and $isLunchBreak -and $isWeekday) {
# Lunch/siesta time - moderate delays (some reduced activity)
$lunchMin = [Math]::Max($MinDelay, 5)
$lunchMax = [Math]::Max([Math]::Min($MaxDelay, 15), $lunchMin + 1)
$calculatedDelay = Get-Random -Minimum $lunchMin -Maximum $lunchMax
}
else {
# Outside business hours - longer delays to simulate reduced activity
$outsideHoursMin = [Math]::Max($MinDelay, 10)
$outsideHoursMax = [Math]::Max($MaxDelay, $outsideHoursMin + 1)
$calculatedDelay = Get-Random -Minimum $outsideHoursMin -Maximum $outsideHoursMax
}
}
"Exponential" {
$retryCount = $itemCount + 1
$baseDelay = [Math]::Max($MinDelay, 1)
$calculatedDelay = $baseDelay * [Math]::Pow(2, [Math]::Min($retryCount - 1, 6)) # Cap at 2^6
if ($calculatedDelay -gt $MaxDelay) {
$calculatedDelay = $MaxDelay
}
}
}
# Apply jitter to prevent pattern detection
if ($Jitter -gt 0) {
$jitterAmount = $calculatedDelay * $Jitter * (Get-Random -Minimum -1.0 -Maximum 1.0)
$calculatedDelay = [Math]::Max(0, $calculatedDelay + $jitterAmount)
}
# Round to reasonable precision
$calculatedDelay = [Math]::Round($calculatedDelay, 1)
# Apply the delay
if ($calculatedDelay -gt 0) {
if (-not $Silent) {
$delayMessage = switch ($DelayType) {
"BusinessHours" {
$timeInfo = " ($businessConfigDescription)"
# Context-aware emoji based on configuration
$emoji = if ($TimeZone) { "🌍" } else { "🏒" }
"$emoji Stealth delay: {0}s (BusinessHours{1})" -f $calculatedDelay, $timeInfo
}
"Progressive" {
"πŸ“ˆ Stealth delay: {0}s (Progressive - Step {1})" -f $calculatedDelay, ($itemCount + 1)
}
"Exponential" {
"πŸš€ Stealth delay: {0}s (Exponential - Level {1})" -f $calculatedDelay, ($itemCount + 1)
}
default {
"🎲 Stealth delay: {0}s ({1})" -f $calculatedDelay, $DelayType
}
}
Write-Host " $delayMessage" -ForegroundColor DarkYellow
}
Start-Sleep -Seconds $calculatedDelay
}
# Pass through the input object
if ($PSBoundParameters.ContainsKey('InputObject')) {
Write-Output $InputObject
}
$itemCount++
}
end {
Write-Verbose "βœ… Stealth pipeline completed for $itemCount items"
}
<#
.SYNOPSIS
Executes operations with configurable stealth timing delays.
.DESCRIPTION
Invoke-StealthOperation processes input objects through a pipeline while applying
intelligent timing delays to avoid detection patterns. The function supports multiple
delay strategies including random intervals, progressive timing, business hours
simulation, and exponential backoff patterns.
Ideal for scenarios requiring rate limiting, anti-detection measures, or simulating
human-like interaction patterns in automated operations.
.PARAMETER InputObject
Objects to process through the stealth pipeline. Accepts pipeline input.
.PARAMETER DelayType
Specifies the delay pattern strategy:
- Random: Random delays between min and max values
- Progressive: Incrementally increasing delays per item
- BusinessHours: Simulates activity during business hours (automatically waits for business hours)
- Exponential: Exponential backoff pattern for each item
Default: Random
.PARAMETER MinDelay
Minimum delay duration in seconds (0-600). Default: 1
.PARAMETER MaxDelay
Maximum delay duration in seconds (1-3600). Default: 5
.PARAMETER Silent
Suppresses delay notification messages when specified.
.PARAMETER Country
Two-letter country code for business hours timing. Valid values:
US, UK, EU, JP, AU, ES, IT, FR, MX, CN, BR, IN, KR.
Only used when DelayType is BusinessHours. Default: "US"
.PARAMETER TimeZone
Override timezone for business hours calculation. Supports timezone names
(e.g., "Pacific Standard Time") or UTC offset notation (e.g., "+2", "-5", "+5.5").
Only used when DelayType is BusinessHours.
.PARAMETER Jitter
Random jitter percentage to add to delays (0.0-1.0).
Adds randomness to prevent pattern detection. Default: 0.2
.EXAMPLE
Invoke-StealthOperation | Find-PublicStorageContainer -StorageAccountName "test" Executes storage discovery with default random stealth timing.
.EXAMPLE
"example.com", "test.com" | Invoke-StealthOperation -DelayType BusinessHours -Country "UK" | ForEach-Object {
Find-DnsRecords -Domain $_
}
Processes domains with UK business hours timing simulation.
.EXAMPLE
Get-Content domains.txt | Invoke-StealthOperation -MinDelay 30 -MaxDelay 180 -Silent | ForEach-Object {
Find-SubDomain -Domain $_
}
Performs subdomain enumeration with extended delays (30-180 seconds) without status messages.
.EXAMPLE
1..10 | Invoke-StealthOperation -DelayType Exponential | ForEach-Object {
Test-Connection -Count 1 -ComputerName "server$_"
}
Tests multiple servers with exponentially increasing delays between operations.
.EXAMPLE
"target.com" | Invoke-StealthOperation -DelayType BusinessHours -Country "UK" | ForEach-Object {
Find-DnsRecords -Domain $_
}
Automatically waits until UK business hours before executing DNS reconnaissance.
.EXAMPLE
"target.com" | Invoke-StealthOperation -DelayType BusinessHours -Country "EU" -TimeZone "+2" | ForEach-Object {
Find-DnsRecords -Domain $_
}
Uses German business culture with UTC+2 timezone offset for precise timing.
.NOTES
Built-in stealth delay implementation eliminates dependency on external functions.
Consider network policies and rate limits when configuring delay parameters.
#>
}
@azurekid
Copy link
Author

azurekid commented Aug 21, 2025
edited
Loading

Weaponizing Cultural Intelligence: Advanced Timing Evasion with Invoke-StealthOperation

Published: August 21, 2025 | By BlackCat Security Research

TL;DR - Why Cultural Timing Is Your Next Red Team Advantage

Azure defenses now detect red teams through statistical timing analysis, not just API calls. Even "random" delays create detectable patterns that behavioral analytics flag within minutes.

Invoke-StealthOperation transforms red team OPSEC by modeling cultural work patterns across 13 regions. By operating only during a target's legitimate business hours and respecting cultural breaks (Spain's siesta, Italy's riposo), your operations become statistically indistinguishable from authentic user behavior.

  • Exploit behavioral blind spots in regional work cultures (Spain's split workday, France's 35-hour week, China's midday rest)
  • Deploy 4 specialized evasion algorithms (Random for initial recon, Progressive for sensitive operations)
  • Seamlessly integrate with any BlackCat reconnaissance function via PowerShell pipeline

Operations that previously triggered alerts within minutes now persist undetected for weeks. Automated pausing during culturally-specific rest periods creates traffic patterns that evade even advanced ML-based behavioral analytics.

#RedTeam #CloudSecurity #OPSEC #AzureSecurity #OffensiveSecurity

The Technical Problem: Timing-Based Detection

Advanced red teams conducting Azure operations have encountered a significant shift in cloud defense mechanisms. Modern Azure Sentinel and Microsoft Defender ATP now flag operations not by the API calls themselves, but through behavioral timing analysis. While BlackCat functions like Get-EntraInformation and Find-AzurePublicResource execute legitimate API calls, their machine-precise timing patterns trigger behavioral analysis algorithms specifically designed to detect automation.

Traditional red team OPSEC techniques using fixed intervals or simple randomization have become actively counterproductive in the current defensive landscape. Analysis of Azure Sentinel logs shows that consistent 5-second intervals between Microsoft Graph API queries are immediately flagged as suspicious activity. More concerning, even basic randomized delays between 1-10 seconds generate statistical signatures that Microsoft's machine learning models can identify after analyzing just minutes of traffic patterns.

The key insight comes from studying legitimate Azure administrative patterns in enterprise environments. Authentic users don't query Azure resources at 3 AM local time. They don't maintain consistent timing between operations. They take lunch breaks, follow regional work schedules, and exhibit irregular but predictable usage patterns. These natural behavioral characteristics can be mathematically modeled and integrated into offensive tooling to evade detection systems.

Through systematic probing of Microsoft Sentinel detection algorithms and analysis of enterprise traffic patterns, red teams have identified exploitable blind spots in anomaly detection systems: Spain's siesta period (14:00-17:00), Italy's riposo tradition, France's strictly enforced 35-hour work week, and China's business day segmentation with noon rest periods. These aren't simply cultural curiositiesβ€”they represent mathematically modelable timing patterns that create perfect evasion opportunities against Microsoft's behavioral detection systems.

Weaponizing Cultural Intelligence

Early implementations of timing evasion in red team tooling focused on basic timezone awareness for US and UK targets. However, systematic penetration testing revealed this approach to be insufficient against advanced Azure Sentinel deployments with behavioral analysis capabilities. Detection pattern analysis identified that Spanish enterprise environments present a unique exploitation opportunity due to their split operating schedule: 09:00 to 14:00, then 17:00 to 20:00, with a three-hour siesta interval. Red team operations executed during siesta hours were consistently flagged as suspiciousβ€”Microsoft's behavioral algorithms correctly identified that legitimate Spanish users do not perform intensive Azure operations at 15:00 on workdays.

Effective evasion requires a comprehensive database of business patterns mapped to mathematically implementable timing functions. Each global region offers unique operational advantages for red teams. Italian enterprises follow riposo customs with extended lunch periods, French systems operate under legally enforced 35-hour work schedules that create predictable usage patterns, and Chinese environments incorporate midday rest periods into their usage metrics. Spanish, Italian, and Mexican targets follow exploitable split schedules, while French, Chinese, and Brazilian systems exhibit predictable timing patterns due to regulatory and cultural constraints. More continuous operation patterns in US, UK, German, and Japanese targets provide baseline calibration points for the algorithm.

This simple command demonstrates the operational implementation:

# Entra ID enumeration with Spanish cultural evasion
$params = @{
    DelayType = "BusinessHours"
    Country   = "ES"
    MinDelay  = 1
    MaxDelay  = 30
}

"[email protected]", "[email protected]" | Invoke-StealthOperation @params | ForEach-Object {
    Get-EntraInformation -UserPrincipalName $_
}

The code automatically suspends operations during Spanish siesta (14:00-17:00), executes only during business hours (09:00-14:00, 17:00-20:00), and applies variable timing delays that match authentic Spanish user behavioral patternsβ€”creating operational patterns indistinguishable from legitimate administrative activity within the target environment.

Algorithm Sophistication and Evasion Techniques

Red team assessments against Microsoft 365 Defender environments reveal that single-pattern timing evasion is easily detected by modern behavioral analytics. Different attack phases require specialized timing algorithms optimized for their particular operational characteristics. The BlackCat toolkit implements four distinct algorithmic approaches for comprehensive evasion:

Random Pattern
Provides baseline signature evasion suitable for initial reconnaissance where timing consistency is less scrutinized by security tools. Red team testing confirms this pattern remains effective for preliminary scanning but becomes vulnerable to statistical correlation analysis when employed for extended operations or sensitive data access operations.

Progressive Pattern
Mathematically models genuine human operator behavior by implementing gradually increasing caution metrics. Analysis of SOC analyst interaction patterns shows that legitimate administrators instinctively slow their operational tempo when accessing increasingly sensitive resourcesβ€”making this pattern particularly effective for credential access and privilege escalation phases.

BusinessHours Pattern
The cornerstone detection evasion technique, implementing timezone-aware delays that incorporate regional work culture characteristics mapped to the target environment's local timezone. The algorithm automatically converts operational timing to match the target country's expected business rhythm and suspends operations during culturally-specific non-work periods. This creates the most effective detection bypass by precisely replicating legitimate administrative behavior patterns specific to each target region.

Exponential Pattern
Developed specifically to counter adaptive defense systems through implementation of exponential backoff algorithms (1s, 2s, 4s, 8s, 16s...). Testing against Azure ATP confirms this pattern's effectiveness against Microsoft's "learning" defense systems that adaptively increase scrutiny after detecting initial suspicious patterns.

Evasion effectiveness is enhanced through supplementary algorithmic features: Jitter introduces controlled randomization into timing patterns to defeat statistical regularity detection. Silent mode eliminates operational messages from logs during active exploitation. The BusinessHours timing implements adaptive waiting periods, automatically suspending operations outside normal business hours to avoid triggering fundamental anomaly detection rules.

Here are operational examples mapped across the BlackCat attack framework:

# Random Pattern - Initial Cloud Resource Discovery
"contoso-storage", "fabrikam-web" | Invoke-StealthOperation -DelayType Random | ForEach-Object {
    Find-AzurePublicResource -Name $_
}

# Progressive Pattern - Entra ID Permission Enumeration
"[email protected]", "[email protected]" | Invoke-StealthOperation -DelayType Progressive | ForEach-Object {
    Get-EntraIDPermissions -UserPrincipalName $_
}

# BusinessHours Pattern - Storage Account Key Extraction
"storageaccount", "datastorage" | Invoke-StealthOperation -DelayType BusinessHours -Country "IT" -Jitter 0.3 | ForEach-Object {
    Get-StorageAccountKey -Name $_
}

# Exponential Pattern - Managed Identity Enumeration
Invoke-StealthOperation -DelayType Exponential -MinDelay 5 -MaxDelay 120 | ForEach-Object {
    Get-ManagedIdentity -Name $_
}

# Timezone Override - Key Vault Secret Extraction
"keyvault01", "keyvault02" | Invoke-StealthOperation -DelayType BusinessHours -Country "US" | ForEach-Object {
    Get-KeyVaultSecret -VaultName $_
}

# Exfiltration with Japanese Business Hours
Export-AzAccessToken -ResourceTypeNames @("MSGraph", "ResourceManager") | 
    Invoke-StealthOperation -DelayType BusinessHours -Country "JP" -Silent

Tactical Feedback System and Operational Awareness

Low-Noise Communication Protocol

The tactical feedback system implements a low-profile emoji-based status system that provides critical operational intel without verbose text logs that could be captured by endpoint detection systems:

VERBOSE: πŸš€ Starting stealth pipeline with BusinessHours timing
VERBOSE: 🏒 Using country-specific configuration: ES  
  🏒 Stealth delay: 8s (BusinessHours (ES))
VERBOSE: βœ… Stealth pipeline completed for 1 items

Different attack phases receive distinct tactical indicators:

Timing Strategy Indicators:

  • 🏒 Country-specific cultural patterns (maximum OPSEC)
  • 🌍 Timezone-override pattern (targeted regional matching)
  • πŸ“ˆ Progressive timing (escalating caution protocol)
  • πŸš€ Exponential backoff (adaptive defense countermeasure)
  • 🎲 Random timing (basic signature avoidance)

Operational Status Indicators:

  • πŸš€ Operation initiation notification
  • βœ… Attack phase completion indicator
  • ⚠️ Operational security warnings (misconfigurations)
  • πŸŒ… Cultural waiting period indicators (siesta/lunch)
  • πŸŒ™ Extended business-hour waiting periods
  • ⏰ Short business-hour waiting periods

The tactical feedback system was developed specifically to maintain operational awareness during extended attack campaigns that might span days or weeks. When conducting nation-state level operations against hardened Azure environments, immediate visual status assessment becomes critical for maintaining operational rhythm. The context-aware indicators provide instant operational intelligence:

# Regional cultural pattern targeting
"target.es" | Invoke-StealthOperation -Country ES -DelayType BusinessHours -Verbose
# Output: 🏒 Stealth delay: 5s (BusinessHours (ES))

# Generic business hours with timezone specification
"target.es" | Invoke-StealthOperation -Country ES -TimeZone "+2" -DelayType BusinessHours -Verbose  
# Output: 🌍 Stealth delay: 3s (BusinessHours (UTC+2))

The visual distinction immediately reveals that the second command is using generic business hour patterns rather than Spanish cultural timingβ€”an operational security vulnerability that could lead to detection. This tactical awareness prevents configuration errors that could compromise extended campaigns.

Operational Testing and Tactical Implementation

Technical testing against enterprise Azure environments confirms the effectiveness of cultural timing evasion techniques. Multi-region campaigns revealed detection system vulnerabilities specific to regional expectations. Spanish targets demonstrated timing-based security gaps where operations suspended during siesta periods (14:00-17:00) and executed only during normal business hours (09:00-14:00, 17:00-20:00) consistently evaded Microsoft Defender ATP behavioral analysis. Italian targets showed similar detection blind spots, requiring operations to pause during riposo periods (typically 13:00-15:00) to avoid triggering alerts, while US targets required continuous operation patterns throughout standard business hours to avoid triggering anomaly detection.

The tactical status system provides critical operational intelligence during extended campaigns. A typical Spanish infiltration operation displays this tactical progression:

VERBOSE: πŸš€ Starting stealth pipeline with BusinessHours timing
VERBOSE: 🏒 Using country-specific configuration: ES
  🏒 Stealth delay: 3s (BusinessHours (ES))
  🏒 Stealth delay: 8s (BusinessHours (ES))
  πŸŒ… Waiting 45m until ES siesta/lunch break ends...
  🏒 Stealth delay: 5s (BusinessHours (ES))
VERBOSE: βœ… Stealth pipeline completed for 15 items

The tactical timeline reveals the operational sequence: initial Spanish business hours timing, automatic suspension during siesta period, followed by resumed afternoon activity. This immediate feedback confirms the cultural evasion technique is functioning as designed throughout the attack lifecycle.

Multi-region red team operations benefit from regionally-tailored timing patterns, strategically mapping different attack phases to appropriate cultural models across the MITRE ATT&CK framework:

# Multi-region operations with regionally-optimized timing
$targets = @(
    @{Organization="contoso"; Country="ES"; Function="Initial Access"},
    @{Organization="fabrikam"; Country="US"; Function="Reconnaissance"}, 
    @{Organization="acmecompany"; Country="JP"; Function="Discovery"}
)

$targets | ForEach-Object {
    Write-Host "οΏ½ $($_.Function) phase for $($_.Organization) using $($_.Country) timing" -ForegroundColor Cyan
    $_.Organization | Invoke-StealthOperation -DelayType BusinessHours -Country $_.Country -Verbose | ForEach-Object {
        switch ($_.Function) {
            "Initial Access" { Test-DomainRegistration -Domain "$_.com" }
            "Reconnaissance" { Get-EntraInformation -UserPrincipalName "admin@$_.com" }
            "Discovery" { Get-AdministrativeUnits -Domain "$_.com" }
        }
    }
}

# Complete MITRE ATT&CK kill chain with phase-optimized evasion patterns
$attackPhases = @(
    @{Category="Reconnaissance"; Function="Find-AzurePublicResource"; Target="contoso"; Pattern="Random"; Min=1; Max=8; Description="Initial resource discovery"},
    @{Category="Discovery"; Function="Get-StorageContainerList"; Target="contoso-storage"; Pattern="Progressive"; Min=5; Max=30; Description="Storage enumeration"},
    @{Category="Discovery"; Function="Get-ManagedIdentity"; Target="admin-identity"; Pattern="BusinessHours"; Min=3; Max=15; Description="Identity enumeration"},
    @{Category="Credential Access"; Function="Get-EntraIDPermissions"; Target="[email protected]"; Pattern="BusinessHours"; Min=5; Max=25; Description="Permission analysis"},
    @{Category="Credential Access"; Function="Get-StorageAccountKey"; Target="storageaccount"; Pattern="Exponential"; Min=10; Max=60; Description="Key extraction"},
    @{Category="Exfiltration"; Function="Get-PublicBlobContent"; Target="https://contosodata.blob.core.windows.net/public"; Pattern="Exponential"; Min=15; Max=180; Description="Data extraction"}
)

$attackPhases | ForEach-Object {
    Write-Host "$($_.Description) - $($_.Category)" -ForegroundColor Green
    $_.Target | Invoke-StealthOperation -DelayType $_.Pattern -MinDelay $_.Min -MaxDelay $_.Max -Country "ES" -Verbose | ForEach-Object {
        switch ($_.Category) {
            "Reconnaissance" { Find-AzurePublicResource -Name $_ }
            "Discovery" { 
                if ($_.Function -eq "Get-StorageContainerList") {
                    Get-StorageContainerList -Name $_
                } else {
                    Get-ManagedIdentity -Name $_
                }
            }
            "Credential Access" { 
                if ($_.Function -eq "Get-EntraIDPermissions") {
                    Get-EntraIDPermissions -UserPrincipalName $_
                } else {
                    Get-StorageAccountKey -Name $_
                }
            }
            "Exfiltration" { Get-PublicBlobContent -BlobUrl $_ -ListOnly }
        }
    }
}

Advanced attack techniques involve layering multiple timing algorithms to create detection-resistant patterns. Applying regional cultural patterns as a primary filter, then adding randomized microtiming variations creates traffic patterns that defeat even the most sophisticated machine learning detection systems:

# Advanced layered timing for maximum evasion
"storageaccount01" | 
    Invoke-StealthOperation -DelayType BusinessHours -Country "ES" -MinDelay 2 -MaxDelay 20 |
    Invoke-StealthOperation -DelayType Random -MinDelay 2 -MaxDelay 8 -Jitter 0.4 | ForEach-Object {
        Get-StorageContainerList -Name $_
    }

Operational Implementation and Evasion Optimization

The function integrates with the BlackCat attack framework through specialized pipeline processing optimized for large-scale reconnaissance operations. Attack payloads process individually through the pipeline rather than loading entire target collections into memory, enabling extended campaigns against extensive target lists containing 100,000+ entries without system performance degradation or memory exhaustion that could trigger host-based detection.

# Advanced multi-stage attack chain with escalating evasion
"[email protected]", "[email protected]" | 
    Invoke-StealthOperation -DelayType BusinessHours -Country "UK" -MinDelay 2 -MaxDelay 15 |
    ForEach-Object { Get-EntraInformation -UserPrincipalName $_ } |
    Where-Object { $_.Enabled -eq $true } |
    ForEach-Object { 
        $_.UserPrincipalName | Invoke-StealthOperation -DelayType Progressive -MinDelay 3 -MaxDelay 12 | 
        ForEach-Object { Get-EntraIDPermissions -UserPrincipalName $_ }
    } |
    ForEach-Object {
        $_.AssignedRoles | Invoke-StealthOperation -DelayType Random -MinDelay 1 -MaxDelay 5 |
        ForEach-Object { Get-RoleDefinition -RoleId $_ }
    }

# High-volume target processing with type-specific attack functions
Get-Content massive-targets.txt | Invoke-StealthOperation -DelayType BusinessHours -Country "CN"| ForEach-Object { 
    switch -Regex ($_) {
        '^[\w\.-]+@[\w\.-]+\.\w+$' { Get-EntraInformation -UserPrincipalName $_ }
        'https://.*\.blob\.core\.windows\.net' { Get-PublicBlobContent -BlobUrl $_ -ListOnly }
        '^[a-zA-Z0-9\-]+storage[a-zA-Z0-9\-]*$' { Get-StorageAccountKey -Name $_ }
        '^[a-zA-Z0-9\-]+identity[a-zA-Z0-9\-]*$' { Get-ManagedIdentity -Name $_ }
        '^[a-zA-Z0-9\-]+vault[a-zA-Z0-9\-]*$' { Get-KeyVaultSecret -VaultName $_ }
        default { Find-AzurePublicResource -Name $_ }
    }
}

Technical Implementation and Detection Evasion

Timezone Architecture

The timezone subsystem implements multiple operational security layers:

  • System-native timezone APIs enable precise time calculations that withstand forensic examination
  • Automatic DST transition handling prevents timezone-shift timing anomalies that trigger alerts
  • Graceful UTC fallback when target timezone data is unavailable prevents operational failures

Exploitable Cultural Patterns

Technical analysis of Azure Sentinel detection rules revealed specific cultural timing patterns that create detection blind spots:

  • Spain/Italy: Siesta and riposo periods (14:00-17:00) represent critical avoidance windows. Activity during these periods immediately triggers behavioral anomaly detection, as legitimate users typically don't perform administrative tasks during these culturally-specific rest times.
  • France: The legally mandated 35-hour work week creates predictable user patterns that can be mathematically modeled for detection evasion.
  • China: Midday rest periods (12:00-13:30) represent critical avoidance windows where activity is flagged as suspicious, as legitimate users observe these culturally-specific break times and don't perform administrative operations.
  • Brazil: Early business hours (07:00-16:00) create unique timing opportunities absent in European and North American systems.

Adaptive Defensive Countermeasures

An advanced self-modifying timing algorithm emerged from extended engagement with Azure environments deploying Microsoft Sentinel:

# Adaptive timing algorithm with defensive countermeasures
$operationPhases = @(
    @{Function = "Find-AzurePublicResource"; Category = "Reconnaissance"; Target = "contoso"},
    @{Function = "Get-EntraInformation"; Category = "Discovery"; Target = "admin"},
    @{Function = "Get-ManagedIdentity"; Category = "Credential Access"; Target = "service-identity"}
)

$operationPhases | ForEach-Object {
    $startTime = Get-Date
    $_.Target | Invoke-StealthOperation -DelayType Progressive -MinDelay 1 -MaxDelay 10 | ForEach-Object { 
        switch ($_.Category) {
            "Reconnaissance" { Find-AzurePublicResource -Name $_ }
            "Discovery" { Get-EntraInformation -UserPrincipalName $_ }
            "Credential Access" { Get-ManagedIdentity -Name $_ }
        }
    }
    $duration = (Get-Date) - $startTime
    
    # Dynamic defense response based on target system behavior
    if ($duration.TotalSeconds -lt 1) {
        Write-Host "Fast response detected - implementing exponential countermeasures" -ForegroundColor Yellow
        $nextDelayType = "Exponential"  # Target has advanced monitoring - increase evasion
    } elseif ($duration.TotalSeconds -gt 30) {
        Write-Host "Slow response detected - maintaining progressive timing" -ForegroundColor Green  
        $nextDelayType = "Progressive"  # Target has minimal monitoring - maintain approach
    } else {
        Write-Host "Normal response detected - continuing with current strategy" -ForegroundColor Cyan
        $nextDelayType = "Progressive"
    }
}

This approach monitors how quickly the target responds and adjusts the stealth pattern accordingly. Fast responses suggest high-performance monitoring, so the script automatically becomes more cautious.

Operational Guidelines for Red Teams

Implementing cultural intelligence in evasion strategies requires understanding both technical and operational tradecraft considerations. Cultural timing is not merely a detection evasion techniqueβ€”it represents a comprehensive methodology for modeling expected target behavior patterns to blend offensive operations seamlessly into legitimate activity signatures. Key tactical considerations for red teams include: strategic selection of appropriate timing algorithms for each MITRE ATT&CK phase, documentation of timing strategies for post-engagement analysis, continuous assessment of target monitoring capabilities, and adaptation to region-specific detection rules that are calibrated differently across global cloud environments.

Red Team Operational Guidelines

  • Begin with conservative timing profiles, then calibrate based on observed defensive responses
  • Document all timing strategies used during engagements for team knowledge transfer
  • Implement real-time monitoring of system response patterns to detect advanced defensive countermeasures
  • Apply business hours algorithms selectively for high-value, high-risk operational phases

The modular design enables further weaponization through multiple extension vectors: adding additional cultural profiles to the business hours database, implementing specialized timing algorithms for specific defensive environments, and integrating external threat intelligence to adapt timing patterns based on known detection rules. This flexible architecture enables offensive operators to adapt evasion techniques to evolving defensive capabilities.

Tactical Awareness System

The minimal-footprint emoji feedback system was designed for operational efficiency during extended attack campaigns. When operations span multiple days, immediate status assessment becomes critical for maintaining strategic awareness:

# Operational status during Spanish cultural timing attack
VERBOSE: πŸš€ Starting stealth pipeline with BusinessHours timing
VERBOSE: 🏒 Using country-specific configuration: ES
  🏒 Stealth delay: 12s (BusinessHours (ES))
  🏒 Stealth delay: 8s (BusinessHours (ES))
  πŸŒ… Waiting 45m until ES siesta/lunch break ends...
  🏒 Stealth delay: 6s (BusinessHours (ES))
VERBOSE: βœ… Stealth pipeline completed for 25 items

The tactical emoji system provides critical operational intelligence at a glance:

  • 🏒 vs 🌍: Distinguishes cultural evasion from generic timezone masking
  • πŸŒ… vs πŸŒ™: Differentiates wait categories (siesta vs overnight)
  • πŸ“ˆ πŸš€ 🎲: Indicates active evasion strategy
  • ⚠️: Signals operational security issues requiring immediate attention

This minimalist communication protocol increases operational tempo during complex campaigns and prevents configuration errors that could compromise the entire attack operation.

Advanced Weaponization and Future Development

The modular architecture enables continuous enhancement of the offensive capabilities:

  • Extend the cultural database with additional regional profiles
  • Implement specialized evasion algorithms for specific defensive products
  • Integrate external threat intelligence for adaptive timing modification

Invoke-StealthOperation represents an evolution in Azure attack methodology by leveraging cultural intelligence as an offensive weapon. Rather than attempting to bypass detection systems through technical means alone, it exploits fundamental assumptions in behavioral analytics about how legitimate users interact with systems.

The function achieves its effectiveness through mathematical modeling of human behavior patterns. By precisely replicating these patterns rather than fighting against them, it renders many behavioral detection systems effectively blind to the attack operation.

Implementation for Red Team Operations

The BlackCat toolkit is available at github.com/azurekid/blackcat, providing a comprehensive Azure security testing platform. The Invoke-StealthOperation function integrates with all BlackCat reconnaissance and exploitation modules through PowerShell pipeline architecture for seamless implementation in existing red team workflows.

For air-gapped or operationally constrained environments, a lightweight implementation is available as a standalone Gist containing only the essential cultural timing algorithms that can be integrated into custom red team tooling.

Built-in parameter validation ensures rapid deployment during time-sensitive operations without introducing configuration errors that could compromise operation security. Command completion provides efficient access to available evasion strategies:

Invoke-StealthOperation -Country <TAB> -DelayType BusinessHours

# Operational validation
"target.com" | Invoke-StealthOperation -Country ES -DelayType BusinessHours -Verbose
# VERBOSE: 🏒 Using country-specific configuration: ES
#   🏒 Stealth delay: 8s (BusinessHours (ES))

Red teams should start with native regional business hours as a calibration baseline, then implement targeted cultural patterns based on target geography and observed defensive capabilities. The tactical feedback system provides immediate differentiation between cultural pattern implementation (🏒) and generic timezone configuration (🌍), preventing tactical errors that could expose operations to detection.

The ultimate measure of red team operational success is the inability of defensive systems to distinguish your activities from legitimate administrative operations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment