Detecting attackers who use your systems exactly as designed
What Is a Doppelgänger Attack?
A Doppelgänger attack is one where:
- Credentials are valid
- Actions are permitted
- Features are used as designed
- Logs show normal activity
- The only anomaly is intent
This is not "living off the land."
This is living inside the workflow.
Uber 2022: A Technical Breakdown
Identity Sampling
MFA fatigue → behavioral mapping.
Shape Acquisition
VPN + SSO → legitimate access patterns.
Trust Embedding
Internal network → automation scripts → privileged credentials.
Workflow Inheritance
Admin dashboards → internal tools → no malware.
Intent Substitution
Legitimate sequences → malicious objectives.
Result: Uber's security tools detected nothing. The attacker announced themselves.
SMB Composite Case (22-Person Healthcare Practice)
Identity Sampling
Compromised email → workflow observation.
Shape Acquisition
Matching login times → matching cadence.
Trust Embedding
Shared folders → EHR portal → legacy service account.
Workflow Inheritance
Backup automation → file access → slow exfiltration.
Intent Substitution
Normal activity → malicious sequence.
Result: Every log is clean. Every action is permitted. Only the intent is wrong.
The Doppelgänger Kill Chain
| Phase | Action | Detection Gap |
|---|---|---|
| Identity Sampling | Observe behavior, timing, cadence | Passive recon leaves no logs |
| Shape Acquisition | Learn operational signature | Learning looks like normal access |
| Trust Embedding | Enter trust graph via valid creds | Valid auth = valid session |
| Workflow Inheritance | Use existing automation | Sanctioned tools, expected telemetry |
| Intent Substitution | Malicious goals, legitimate sequences | Intent is invisible to machines |
No exploits. No malware. No signatures.
Just understanding.
Why Defenders Miss Doppelgängers
Because defenders measure:
| What Defenders See | What Matters |
|---|---|
| Events | Sequences |
| Permissions | Capabilities |
| Anomalies | Narratives |
| Compliance | Consequence |
| Intended behavior | Lived reality |
The Doppelgänger exploits the gap between what the system allows and what humans intend.
Detection Requirements
Doppelgänger detection requires:
- Sequence-aware analytics—Alert on suspicious sequences, not just events
- Trust-graph traversal—Map and monitor trust chain movement
- Capability mapping—What can this identity do vs. what do they normally do?
- Drift-aware baselines—Per-identity baselines, not global averages
- Identity-centric telemetry—Correlate actions by identity across systems
Traditional IOCs are useless.
Engineering Controls
1. Just-In-Time Privilege Elevation
No standing admin access.
Elevation requires:
- Explicit request
- Justification
- Time-bound scope
- Audit trail
The Doppelgänger relies on inherited privilege. Remove standing privilege, force elevation.
2. Drift Monitoring
Treat drift as telemetry:
- "Temporary" permissions that persist
- Service accounts with expanding access
- Legacy integrations still running
- Undocumented automation
The Doppelgänger lives in drift.
3. Trust-Chain Visualization
Map your trust relationships:
- What trusts what?
- How far does trust propagate?
- Where are the shortcuts?
Every trust chain is a potential Doppelgänger route.
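One way to answer "what trusts what, how far does it propagate" in code, as an added example that is not part of the original post: a constructed trust graph modelled on the healthcare case above, traversed from a single foothold to list every privileged node it can reach and the shortest chain to each. Node names and the `PRIVILEGED` set are assumptions for illustration.

```python
from collections import deque

# Constructed trust graph (assumed, not from any real environment).
# Edge A -> B means "holding A lets you use B"; modelled on the SMB case above.
TRUST_EDGES = {
    "staff_mailbox": ["shared_folders", "ehr_portal"],
    "shared_folders": ["backup_automation"],
    "ehr_portal": ["legacy_service_account"],
    "legacy_service_account": ["backup_automation", "patient_records_share"],
    "backup_automation": ["patient_records_share", "offsite_backup_bucket"],
    "patient_records_share": [],
    "offsite_backup_bucket": [],
}

# Assumed set of nodes whose reach should be treated as privileged.
PRIVILEGED = {"legacy_service_account", "patient_records_share", "offsite_backup_bucket"}


def reachable_paths(graph, start):
    """BFS from one identity; returns {node: shortest trust chain from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def doppelganger_routes(graph, start, privileged):
    """Privileged nodes reachable from `start`, each with the shortest chain to it."""
    paths = reachable_paths(graph, start)
    return {n: p for n, p in paths.items() if n in privileged and n != start}


def blast_radius(graph, start, privileged):
    """(number of privileged nodes reached, hops in the longest of those chains)."""
    routes = doppelganger_routes(graph, start, privileged)
    longest = max((len(p) - 1 for p in routes.values()), default=0)
    return len(routes), longest


if __name__ == "__main__":
    for node, path in doppelganger_routes(TRUST_EDGES, "staff_mailbox", PRIVILEGED).items():
        print(f"{node}: {' -> '.join(path)}")
```

Running `blast_radius` from every low-trust node in the graph ranks which footholds deserve a JIT boundary or a segment first.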
4. Sequence-Based Detection
```text
IF user accesses HR_system
AND THEN queries service_principal_keys
WITHIN 30 minutes
THEN escalate
```
Each action is legitimate. The sequence is not.
5. Identity-Centric Baselines
Build baselines per identity:
- What does this user normally access?
- When do they normally work?
- What sequences are normal for their role?
Global baselines average away the signal.
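The sequence rule from section 4 and the per-identity baselines from section 5, implemented together over a few constructed audit events; this is an added example, not code from the original post. The event format, the baseline structure and the identities are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events: (identity, ISO timestamp, resource, action).
EVENTS = [
    ("alice", "2026-01-20T09:05:00", "HR_system", "read"),
    ("alice", "2026-01-20T09:40:00", "payroll_report", "read"),
    ("bob",   "2026-01-20T10:00:00", "HR_system", "read"),
    ("bob",   "2026-01-20T10:12:00", "service_principal_keys", "query"),
    ("bob",   "2026-01-21T02:55:00", "finance_share", "read"),
]

# Constructed per-identity baselines: resources normally used and usual working hours.
BASELINES = {
    "alice": {"resources": {"HR_system", "payroll_report"}, "hours": (8, 18)},
    "bob":   {"resources": {"HR_system"}, "hours": (8, 18)},
}


def parse(events):
    return [(i, datetime.fromisoformat(t), r, a) for i, t, r, a in events]


def sequence_alerts(events, first="HR_system", second="service_principal_keys",
                    window=timedelta(minutes=30)):
    """Section 4 rule: same identity touches `first`, then `second`, within `window`."""
    alerts, last_first = [], {}            # last_first: identity -> latest time on `first`
    for ident, ts, resource, _ in sorted(parse(events), key=lambda e: e[1]):
        if resource == first:
            last_first[ident] = ts
        elif resource == second and ident in last_first and ts - last_first[ident] <= window:
            alerts.append((ident, ts.isoformat()))
    return alerts


def baseline_alerts(events, baselines):
    """Section 5 rule: flag a never-before-seen resource or off-hours action per identity."""
    alerts = []
    for ident, ts, resource, _ in parse(events):
        base = baselines.get(ident)
        if base is None:                    # unknown identity has no shape to compare against
            alerts.append((ident, ts.isoformat(), resource, "no baseline"))
            continue
        start, end = base["hours"]
        if resource not in base["resources"]:
            alerts.append((ident, ts.isoformat(), resource, "never-before-seen resource"))
        if not start <= ts.hour < end:
            alerts.append((ident, ts.isoformat(), resource, "outside usual hours"))
    return alerts
```

Every event above is individually permitted; only the ordering and the per-identity comparison produce alerts.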
Why SMBs Are Especially Vulnerable
| Enterprise Reality | SMB Reality |
|---|---|
| Dedicated security team | Part-time IT contractor |
| Role-based access | Overlapping roles |
| Individual credentials | Shared credentials |
| Documented workflows | Tribal knowledge |
| Change management | "We'll fix it later" |
| SIEM + SOC | Basic logging, if any |
The Doppelgänger doesn't need sophistication.
It needs predictable gaps.
SMB environments are full of them.
The Gap Between Allowed and Appropriate
The real attack surface:
| Allowed | Appropriate? |
|---|---|
| CI/CD reads config files | At 3 AM, files it's never accessed? |
| Help desk resets passwords | Six executive passwords in ten minutes? |
| Backup service accesses shares | Shares containing M&A documents? |
| Admin queries Azure AD | Every user's group membership in one hour? |
The Doppelgänger operates in this gap.
Architectural Implications
- Reduce the trust graph—Every trust relationship is a potential path
- Segment aggressively—Assume every identity is potentially compromised
- Implement JIT everywhere—No standing privilege
- Monitor sequences, not just events—Correlate across time and systems
- Know your own shape—If you don't know what legitimate looks like, you can't recognize imposters
Final Thought
The Doppelgänger is not a hacker.
It is the shadow of your own system—the version that behaves exactly as designed, but for the wrong reasons.
The most dangerous intrusion is the one that looks like work.
For the epistemological framework behind this model, see The Epistemology of Offense and Defense: A Foundational Framework.
For the mythic-operational context, see The Doppelgänger Framework on Substack.
Related Canon
This framework connects to my technical series on dev.to:
Myth-Tech AI/ML Security Framework—A 17-part series mapping mythological archetypes to AI/ML security patterns, including drift detection, memory architecture, and adversarial dynamics.
Provenance
I've been developing and publishing the Doppelgänger Framework in public since late 2025—across Substack, dev.to, Zenodo, and in my books. If you've encountered similar language or concepts elsewhere, this is the origin point.
Selected Zenodo publications (DOI-timestamped):
- MFR x Myth-Tech — Dec 25, 2025
- EIOC: Emotional Indicators of Compromise — Dec 29, 2025
- The EIOC Fork: Dual-Path Framework — Jan 4, 2026
- The Myth-Tech Bestiary — Jan 12, 2026
- The 22 Arcana: A Pattern Language for Systemic Distortion — Jan 16, 2026
- Somatic Signatures of the 22 Arcana — Jan 16, 2026
Full archive: ORCID 0009-0000-1964-6440
Books & Frameworks: Gumroad
This framework underlies the care-based security methodology, the Myth-Tech canon, and the sociotechnical approach I use in my consulting work. The lineage is here.
This framework is part of the Soft Armor Labs canon.