In modern cybersecurity, there is a dangerous assumption that "more telemetry equals more security." Most leaders feel confident because they have agents on every endpoint and a SIEM ingesting millions of events. However, having a tool is not the same as having a detection.
At Lares, we have provided adversarial coaching and testing since 2008. Our methodology follows the Purple Team Exercise Framework (PTEF), ensuring that every engagement is grounded in real-world Cyber Threat Intelligence (CTI). True Purple Teaming is about defenders who learn from attackers, a collaborative cycle of emulation, detection, and remediation that builds measurable Threat Resilience.
Based on our recent adversarial collaboration engagements, here are the top five TTPs that consistently bypass traditional security controls and expose critical visibility gaps.
1. Reflective Assembly Loading (PowerShell)
PowerShell remains a primary choice for attackers, but the way they use it has evolved far beyond simple scripts. Reflective assembly loading allows an attacker to load a .NET binary directly into memory without it ever touching the disk.
Why it’s missed: Many organizations assume their EDR handles this by default. However, we consistently see two major failure points:
- Disabled ScriptBlock Logging: Without PowerShell ScriptBlock logging (Event ID 4104) properly configured, defenders are blind to the actual code being executed. Even when enabled, Windows Event log settings often truncate this telemetry, leaving defenders with half a story.
- The .NET Blind Spot: Many EDRs struggle to hook into the .NET runtime effectively. If the security tool is not specifically configured to monitor .NET memory or look for obfuscation techniques like Base64 or XOR encoding, the reflective load happens in total silence.
The Lares Insight: It is not enough to look for "powershell.exe" in your logs. You must build detections that specifically look for the functionality that enables reflective loading, such as [System.Reflection.Assembly]::Load. If your EDR isn't monitoring the runtime, you aren't seeing the attack.
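As an added example (not code from the original post or from Lares), the following Python takes constructed 4104 ScriptBlock events, rejoins fragments that share a ScriptBlockId, peels one or two layers of Base64 (UTF-16LE first, the encoding PowerShell uses for encoded commands), and only then matches the reflective load call. Field names (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText) mirror the event's XML fields; the event list and the Base64 stage are constructed for the demo.

```python
import base64
import re
from collections import defaultdict

# Constructed sample of PowerShell Operational log 4104 (ScriptBlock) events.
# A long script block is logged as several 4104 events that share a
# ScriptBlockId and carry MessageNumber/MessageTotal; matching each fragment
# on its own (or matching only "powershell.exe") misses the load call.
# The Base64 stage is built here so the sample stays self-contained.
ENCODED_STAGE = base64.b64encode(
    "[Reflection.Assembly]::Load($bytes)".encode("utf-16-le")).decode()

SAMPLE_4104 = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$b = [Convert]::FromBase64String($payload); [System.Refl"},
    {"ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "ection.Assembly]::Load($b) | Out-Null"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "iex ([Text.Encoding]::Unicode.GetString("
                        f"[Convert]::FromBase64String('{ENCODED_STAGE}')))"},
    # Truncated telemetry: only 1 of 3 fragments reached the collector.
    {"ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "[System.Reflection.Assembly]::Load($stage)"},
]

# Long and short forms of the reflective load call (System. is implicit in PowerShell).
REFLECTIVE_LOAD = re.compile(
    r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE)
B64_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def reassemble(events):
    """Rejoin fragmented 4104 events. Returns {ScriptBlockId: (text, is_complete)}."""
    parts, totals = defaultdict(dict), {}
    for ev in events:
        parts[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
        totals[ev["ScriptBlockId"]] = ev["MessageTotal"]
    result = {}
    for sbid, chunks in parts.items():
        text = "".join(chunks[n] for n in sorted(chunks))
        result[sbid] = (text, len(chunks) == totals[sbid])
    return result


def decode_layers(text, depth=2):
    """Return the text plus decoded views of embedded Base64 blobs (UTF-16LE, then UTF-8)."""
    views = [text]
    if depth == 0:
        return views
    for blob in B64_CANDIDATE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                decoded = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if decoded.isprintable():
                views.extend(decode_layers(decoded, depth - 1))
                break
    return views


def find_reflective_loads(events):
    """Return {ScriptBlockId: (matched_text, is_complete)} for blocks that load assemblies."""
    hits = {}
    for sbid, (script, complete) in reassemble(events).items():
        # Incomplete blocks are still scanned: half a story is better than none.
        for view in decode_layers(script):
            m = REFLECTIVE_LOAD.search(view)
            if m:
                hits[sbid] = (m.group(0), complete)
                break
    return hits


if __name__ == "__main__":
    for sbid, (match, complete) in find_reflective_loads(SAMPLE_4104).items():
        print(f"{sbid}: {match!r} complete={complete}")
```

Block a1 is only caught because the two fragments were joined first, c3 only because the UTF-16LE Base64 layer was decoded, and d4 is reported with `complete=False` so the analyst knows the collector truncated the script.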
2. Cloud Storage for Ingress and Exfiltration
Attackers love a path of least resistance, and nothing is more resistant to detection than traffic that looks exactly like a normal Tuesday at the office.
Why it’s missed: The primary reason for this blind spot is the "Normal Noise" factor. When an attacker uses OneDrive, Google Drive, or Dropbox to bring tools into an environment (ingress) or send data out (exfil), it blends perfectly with legitimate business operations.
- The Trust Trap: Most organizations allow these domains globally to avoid breaking business workflows.
- Volume vs. Intent: Traditional alerts are often tuned for "large" data transfers. A clever adversary can trickle data out over time or use legitimate cloud sync clients to mask their intent.
The Lares Insight: During our engagements, we find that the most successful exfiltration isn't the one that bypasses the firewall. It is the one that the firewall thinks is a user backing up their "Documents" folder. Defenders need to move beyond simple domain whitelisting and start looking at the behavior of the accounts and processes interacting with these services.
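The behavioural view described above, as an added example that is not part of the original post: the Python below runs three checks over constructed proxy/egress log lines. It keeps the classic per-transfer volume rule, adds a check for a process other than the expected sync client talking to a cloud storage host, and adds a sliding 24-hour cumulative-bytes check that catches data trickled out in transfers that individually stay under the volume threshold. The host list, sync-client list, log format and thresholds are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed lists for the demo; a real deployment populates these from proxy
# categories and the endpoint software inventory.
CLOUD_STORAGE_HOSTS = {"api.onedrive.com", "drive.google.com", "content.dropboxapi.com"}
EXPECTED_SYNC_CLIENTS = {"OneDrive.exe", "GoogleDriveFS.exe", "Dropbox.exe"}
PER_TRANSFER_ALERT = 100 * 1024 * 1024   # the "large transfer" threshold a volume rule watches
WINDOW = timedelta(hours=24)
TRICKLE_TOTAL = 500 * 1024 * 1024        # cumulative bytes that should draw attention regardless


def _build_sample():
    """Constructed egress log lines: <timestamp> user= proc= host= out=<bytes>."""
    t0 = datetime(2024, 3, 12, 8, 0, 0)
    lines = [f"{t0.strftime(FMT)} user=alice proc=OneDrive.exe host=api.onedrive.com out=4194304"]
    for i in range(70):   # bob: 8 MiB every 5 minutes from powershell.exe, 560 MiB in total
        t = t0 + timedelta(minutes=5 * i)
        lines.append(f"{t.strftime(FMT)} user=bob proc=powershell.exe "
                     "host=content.dropboxapi.com out=8388608")
    t = t0 + timedelta(hours=1)   # carol: one 200 MiB upload through the real sync client
    lines.append(f"{t.strftime(FMT)} user=carol proc=Dropbox.exe "
                 "host=content.dropboxapi.com out=209715200")
    # dave: internal file server, out of scope for this rule set
    lines.append(f"{t0.strftime(FMT)} user=dave proc=explorer.exe "
                 "host=fileserver.corp.example out=1073741824")
    return lines


SAMPLE_LOG = _build_sample()


def parse(line):
    ts, *kv = line.split()
    rec = dict(field.split("=", 1) for field in kv)
    rec["ts"] = datetime.strptime(ts, FMT)
    rec["out"] = int(rec["out"])
    return rec


def analyse(lines):
    """Return a set of (finding, user, process) tuples."""
    findings = set()
    per_actor = defaultdict(list)
    for rec in map(parse, lines):
        if rec["host"] not in CLOUD_STORAGE_HOSTS:
            continue
        actor = (rec["user"], rec["proc"])
        if rec["proc"] not in EXPECTED_SYNC_CLIENTS:
            findings.add(("unexpected_process",) + actor)
        if rec["out"] > PER_TRANSFER_ALERT:
            findings.add(("large_transfer",) + actor)
        per_actor[actor].append(rec)
    for actor, recs in per_actor.items():
        recs.sort(key=lambda r: r["ts"])
        start, total = 0, 0
        for end, rec in enumerate(recs):          # sliding 24h window of bytes out
            total += rec["out"]
            while rec["ts"] - recs[start]["ts"] > WINDOW:
                total -= recs[start]["out"]
                start += 1
            window = recs[start:end + 1]
            # "trickle": the window total is large although no single transfer was
            if total >= TRICKLE_TOTAL and max(r["out"] for r in window) <= PER_TRANSFER_ALERT:
                findings.add(("trickle",) + actor)
                break
    return findings


if __name__ == "__main__":
    for finding in sorted(analyse(SAMPLE_LOG)):
        print(finding)
```

Bob's 70 uploads never exceed the per-transfer threshold, so a volume-only rule stays silent; the process check and the cumulative window both fire on him, while Carol's single large upload trips only the classic rule.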
3. Bypassing Security Controls (AMSI, ETW, and EDR)
Defenders rely on tools like the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) to provide the telemetry their EDRs need. However, these are not infallible barriers; they are often the first things an adversary attempts to blind.
Why it’s missed: The most common failure we see is a misplaced trust in Signed Binary Proxy Execution. Just because a file has a valid Microsoft signature doesn't mean it is behaving safely.
- The "InstallUtil" Trick: Our team frequently uses InstallUtil.exe to bypass security controls. Since it is a trusted, signed Windows utility, many EDRs allow it to execute code that would be immediately blocked if it came from an unsigned source.
- The "ClickFix" and Finger.exe: We are seeing massive success with techniques like those used by the KongTuke phishing group. By utilizing the finger.exe LOLBin, attackers can reach out to external C2 servers using a utility that most SOCs haven't looked at in a decade.
The Lares Insight: If your detection strategy relies on the reputation of the file alone, you are leaving the door open. We regularly deploy PowerShell scripts specifically designed to bypass AMSI protection, and they remain undetected because the environment isn't looking for the impaired defense event itself.
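Looking for the impaired-defense event itself, as an added example rather than code from the original post: the Python below runs three detections over a constructed endpoint event stream. It flags a memory-protection change to or from PAGE_EXECUTE_READWRITE (0x40) on amsi.dll or ntdll.dll, an outbound connection by finger.exe or InstallUtil.exe to an address outside the internal ranges, and an InstallUtil.exe launch from a parent that is not build tooling. The event schema, the internal address ranges and the InstallUtil parent allow-list are assumptions for the demo.

```python
import ipaddress

PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
SENSITIVE_MODULES = {"amsi.dll", "ntdll.dll"}
# Assumed for the demo: RFC 1918 ranges as "internal", and the parents that
# legitimately launch InstallUtil.exe in a developer-heavy estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INSTALLUTIL_PARENTS = {"msbuild.exe", "devenv.exe"}
LOLBINS_NO_EGRESS = {"finger.exe", "installutil.exe"}

SAMPLE_EVENTS = [  # constructed endpoint telemetry
    {"type": "MemoryProtectionChange", "pid": 4120, "image": "powershell.exe",
     "module": "amsi.dll", "old": 0x20, "new": 0x40},
    {"type": "MemoryProtectionChange", "pid": 4120, "image": "powershell.exe",
     "module": "amsi.dll", "old": 0x40, "new": 0x20},
    {"type": "MemoryProtectionChange", "pid": 880, "image": "chrome.exe",
     "module": "chrome.dll", "old": 0x04, "new": 0x40},   # JIT region, not a system DLL
    {"type": "ProcessCreate", "pid": 5200, "image": "finger.exe", "parent": "cmd.exe"},
    {"type": "NetworkConnect", "pid": 5200, "image": "finger.exe", "remote": "198.51.100.7", "port": 79},
    {"type": "ProcessCreate", "pid": 6100, "image": "InstallUtil.exe", "parent": "msbuild.exe"},
    {"type": "ProcessCreate", "pid": 6300, "image": "InstallUtil.exe", "parent": "explorer.exe"},
    {"type": "NetworkConnect", "pid": 7000, "image": "finger.exe", "remote": "10.0.0.5", "port": 79},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return a list of alert tuples; the first element names the detection."""
    alerts = []
    for ev in events:
        kind, image = ev["type"], ev["image"].lower()
        if (kind == "MemoryProtectionChange"
                and ev["module"].lower() in SENSITIVE_MODULES
                and PAGE_EXECUTE_READWRITE in (ev["old"], ev["new"])):
            # A writable window over AMSI/ntdll code is the patch itself, not a precursor.
            alerts.append(("defense_tamper", ev["pid"], ev["module"],
                           f"0x{ev['old']:02x}->0x{ev['new']:02x}"))
        elif (kind == "NetworkConnect" and image in LOLBINS_NO_EGRESS
                and not is_internal(ev["remote"])):
            alerts.append(("lolbin_egress", ev["pid"], image, ev["remote"]))
        elif (kind == "ProcessCreate" and image == "installutil.exe"
                and ev["parent"].lower() not in INSTALLUTIL_PARENTS):
            alerts.append(("lolbin_unexpected_parent", ev["pid"], image, ev["parent"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The signature on InstallUtil.exe and finger.exe is never consulted: the rules key on what the process does (memory protection, egress, parentage), so a valid Microsoft signature buys the binary nothing.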
4. Exploiting Active Directory Certificate Services (ADCS)
ADCS is often the forgotten corner of the identity stack, yet it provides some of the most potent escalation paths available to an attacker.
Why it’s missed: ADCS is notoriously difficult to monitor effectively.
- Logging Volume: Organizations often avoid enabling full ADCS logging because the volume of data can quickly overwhelm a SIEM and blow through ingestion budgets.
- The Complexity Gap: Even when telemetry is collected, the logs are not intuitive. Many of the escalation paths—such as stealing or forging authentication certificates (T1649)—leverage legitimate processes and workflows that do not have well-defined owners.
- Legitimate Misconfigurations: Because these attacks take advantage of misconfigured templates or permissions that look like standard administrative tasks, building a detection with a low false-positive rate is a massive challenge for most internal teams.
The Lares Insight: Most organizations only realize they have an ADCS issue after an attacker has already forged a certificate and gained persistent access. Moving from "logging everything" to "detecting specific escalation behaviors" is the only way to close this gap.
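One "specific escalation behavior" check, as an added example that is not Lares's tooling: the Python below audits constructed certificate-template records for the combination that lets a requester choose the subject of a certificate usable for authentication. It reads the ENROLLEE_SUPPLIES_SUBJECT bit of msPKI-Certificate-Name-Flag, the PEND_ALL_REQUESTS (manager approval) bit of msPKI-Enrollment-Flag, the msPKI-RA-Signature count, the EKU OIDs and the enrollment principals. The flag values and OIDs are the documented ones; the template records and the simplified permission model (a plain list of principals with Enroll) are assumptions for the demo.

```python
# Flag bits and OIDs as documented for AD CS certificate templates.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

SAMPLE_TEMPLATES = [  # constructed; "enroll" lists principals holding the Enroll right
    {"name": "WebServerAdminOnly", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Admins"]},
    {"name": "UserAutoEnroll", "name_flag": 0x0, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "VPNClientLegacy", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users", "Domain Admins"]},
    {"name": "ContractorCert", "name_flag": 0x1, "enrollment_flag": 0x2, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "SignedRequestOnly", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 1,
     "ekus": [], "enroll": ["Domain Users"]},
]


def audit_template(t):
    """Return a finding if broad enrollees may supply the subject of an auth-capable certificate."""
    if not t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return None          # the CA builds the subject from AD; the requester cannot pick a SAN
    ekus = set(t["ekus"])
    if ekus and not ekus & AUTH_EKUS:
        return None          # no EKU that Windows accepts for authentication (empty EKU = any)
    if t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return None          # a certificate manager must approve every request
    if t["ra_signatures"] > 0:
        return None          # an authorized signature is required before issuance
    broad = sorted(BROAD_PRINCIPALS & set(t["enroll"]))
    if not broad:
        return None
    return {
        "template": t["name"],
        "enrollable_by": broad,
        "fix": "clear ENROLLEE_SUPPLIES_SUBJECT, or set PEND_ALL_REQUESTS (manager approval), "
               "or remove the broad principals from Enroll",
    }


def audit(templates):
    """Audit a list of template records and return the findings."""
    return [f for f in map(audit_template, templates) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_TEMPLATES):
        print(finding)
```

Only VPNClientLegacy is reported: the other templates either let the CA build the subject, restrict the EKU to server use, gate issuance behind manager approval or a signature, or limit enrollment to administrators. The same checks can be fed from the template objects pulled out of the Configuration partition, and the finding's `fix` field is the hardening the remediation table calls "prevent SAN specification".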
5. Simulated Ransomware
Ransomware is the nightmare scenario for every CISO, yet many teams are surprised to find they are only prepared to detect the loud precursors, not the actual event.
Why it’s missed: Detection strategies are often heavily weighted toward the early stages of the kill chain—like shadow copy deletion.
- The Encryption Blind Spot: In our engagements, we consistently find that the bulk encryption process and mass file extension changes go completely unnoticed.
- Speed of Detection: Even in environments that do catch the activity, it is often only after 50% or more of the drive has already been encrypted.
- The Language Pivot: We had a recent engagement where a client’s application allow-listing successfully blocked a ransomware executable. However, we simply switched to a Python-based version of the same ransomware, and it ran without a single alert.
The Lares Insight: Ransomware is no longer just a "Windows executable" problem. If your defenses are not looking for the behavior of mass file modification regardless of the language or tool performing it, you aren't actually protected against modern ransomware.
Bonus: The Python Paradox
Python is rapidly becoming the "New PowerShell." It is often allowed to be installed by standard users for productivity, yet its execution frequently bypasses the heavy monitoring and guardrails that organizations have spent years building for PowerShell and Bash. If you aren't monitoring Python execution as closely as you monitor other shell scripts, you have a significant blind spot.
Conclusion: From Collection to Detection
The goal of a Lares Purple Team engagement is to move your organization from "passive logging" to "active defense." Following the PTEF methodology, the end of an exercise is just the beginning of a continuous improvement loop. By simulating realistic attack scenarios and providing immediate feedback, we help your team bridge the visibility gap and ensure your defenses evolve as fast as the threats they face.
Technical Remediation: Closing the Gaps
| TTP | Technical Fix / Detection Strategy |
| --- | --- |
| PowerShell Reflection | Enable ScriptBlock Logging (4104); Alert on [System.Reflection.Assembly]::Load. |
| Cloud Storage Exfil | Alert on >100 unique destination ports/IPs from a single source in 5 minutes. |
| AMSI/ETW Patching | Monitor for ntdll.dll memory protection changes (0x40 to 0x20). |
| ADCS Escalation | Audit Event ID 4662; Harden templates to prevent SAN specification. |
| Ransomware Precursors | Block/Alert on vssadmin.exe delete shadows and wbadmin delete catalog. |
| Bulk File Extension Change (ransomware) | KQL-like pseudo-code (query below). |

KQL-like pseudo-code for the bulk file extension change row:

```kql
FileRenameEvents
| where Timestamp > ago(5m)
| extend OldExt = extract(@"\.([^.]+)$", 1, OldFileName)
| extend NewExt = extract(@"\.([^.]+)$", 1, NewFileName)
| where OldExt != NewExt
| summarize Count = count(), Files = make_set(NewFileName) by Account, Process
| where Count > 50
```
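The bulk file extension change query above, and the section 5 point that the detection must not care which language performs the encryption, as an added Python example (not the original post's query or Lares's tooling). It applies the same logic over a constructed rename-event list: keep only renames whose extension changes, group by account and process, and alert when more than 50 fall inside any 5-minute window. The event schema and sample paths are constructed for the demo; the sample attacker process is python.exe to echo the "Language Pivot" finding.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 50
EXT = re.compile(r"\.([^.]+)$")   # same extension regex as the KQL


def ext_of(name):
    m = EXT.search(name)
    return m.group(1).lower() if m else ""


def _build_sample():
    """Constructed file rename events: ts, account, process, old path, new path."""
    t0 = datetime(2024, 3, 12, 14, 0, 0)
    events = []
    # 60 documents renamed to .locked by python.exe inside three minutes
    for i in range(60):
        events.append({"ts": t0 + timedelta(seconds=3 * i), "account": "CORP\\jsmith",
                       "process": "python.exe",
                       "old": f"\\\\share\\finance\\q{i}.docx",
                       "new": f"\\\\share\\finance\\q{i}.docx.locked"})
    # 30 normal .tmp -> .docx saves by Word, spread over an hour
    for i in range(30):
        events.append({"ts": t0 + timedelta(minutes=2 * i), "account": "CORP\\alice",
                       "process": "WINWORD.EXE",
                       "old": f"C:\\Users\\alice\\~WRD{i}.tmp",
                       "new": f"C:\\Users\\alice\\report{i}.docx"})
    # 200 moves where the extension does not change: ignored by the rule
    for i in range(200):
        events.append({"ts": t0 + timedelta(seconds=i), "account": "CORP\\build",
                       "process": "robocopy.exe",
                       "old": f"C:\\src\\f{i}.obj", "new": f"C:\\out\\f{i}.obj"})
    return events


SAMPLE_EVENTS = _build_sample()


def detect_bulk_ext_change(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(account, process): {"count": n, "new_exts": [...]}} for bursts of extension changes."""
    per_key = defaultdict(list)
    for ev in events:
        if ext_of(ev["old"]) != ext_of(ev["new"]):
            per_key[(ev["account"], ev["process"])].append((ev["ts"], ev["new"]))
    findings = {}
    for key, renames in per_key.items():
        renames.sort()
        start = 0
        for end in range(len(renames)):          # sliding window over sorted timestamps
            while renames[end][0] - renames[start][0] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                in_window = renames[start:end + 1]
                findings[key] = {"count": count,
                                 "new_exts": sorted({ext_of(n) for _, n in in_window})}
                break
    return findings


if __name__ == "__main__":
    for key, info in detect_bulk_ext_change(SAMPLE_EVENTS).items():
        print(key, info)
```

Word's thirty saves never put more than a handful of extension changes into one 5-minute window and robocopy's moves keep the extension, so only the python.exe burst is reported; nothing in the rule depends on the binary being a Windows executable, which is the point of section 5.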
✍️ Contributors:
- Michael Crouch - Adversarial Collaboration / Purple Team Engineer
- Andrew Heller - Marketing Manager