Many security breaches begin with simple phishing and social engineering attacks that steal passwords or create remote access backdoors…. But what happens next? Is that the user reading the file server or a threat actor? Understanding the techniques of the attacker as they hunt for critical data and move laterally through your network can turn their irregular methods into our strongest detection capability. We will explore some “living off the land” attacks that take advantage of poorly configured services and flip them into our best detection alarms.