The Visibility Gap: 5 Purple Team Tests Your EDR is Probably Missing

Source: Lares

Author: Andrew Heller

URL: https://www.lares.com/blog/5things-your-edr-is-missing/

ONE SENTENCE SUMMARY:

Telemetry volume doesn’t equal detection; Lares purple teaming reveals five evasive TTPs and prescribes behavior-based monitoring to close visibility gaps.

MAIN POINTS:

  1. Assuming endpoint agents and SIEM ingestion provide security creates false confidence without detections.
  2. Purple Team Exercise Framework uses CTI-driven emulation, validation, and remediation to build threat resilience.
  3. Reflective .NET assembly loading in PowerShell evades disk-based controls and EDR products with weak runtime visibility.
  4. Disabled or truncated PowerShell ScriptBlock logging blinds defenders to executed attacker code.
  5. OneDrive/Google Drive/Dropbox enable ingress and exfiltration that blends with normal business traffic.
  6. Signed LOLBins like InstallUtil.exe can proxy execution and bypass AMSI/ETW and EDR controls.
  7. Under-monitored utilities such as finger.exe enable stealthy outbound C2 communications.
  8. ADCS misconfigurations enable certificate-based escalation and persistence that’s hard to log and interpret.
  9. Ransomware detection often misses bulk encryption and extension changes, alerting only after major damage.
  10. Python execution frequently lacks guardrails, enabling “new PowerShell” abuse outside traditional monitoring.

TAKEAWAYS:

  1. Prioritize detections for attacker behaviors, not tool presence or sheer telemetry collection.
  2. Enable and correctly size ScriptBlock logging; hunt for reflection indicators such as Assembly::Load.
  3. Replace cloud-domain whitelisting with account/process behavior analytics for sync and exfil patterns.
  4. Treat signed binaries as untrusted; alert on defense-impairment and suspicious LOLBin usage.
  5. Monitor identity abuse and ransomware outcomes: ADCS escalation signals and mass file rename/modification spikes.
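The ScriptBlock-logging takeaway above, shown as an added detection example that is not part of the Lares post: it reassembles fragmented PowerShell Event ID 4104 records by script-block id before hunting for Assembly::Load, so an indicator split across parts (or cut off by truncated logging) is still caught. The record field names and the sample events are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of PowerShell 4104 ScriptBlock-logging records (field names assumed).
# Real 4104 events split long script blocks into numbered parts ("text (N of M)").
SAMPLE_4104 = [
    {"id": "A1", "part": 1, "total": 2, "text": "$b = [Convert]::FromBase64String($blob); "},
    {"id": "A1", "part": 2, "total": 2, "text": "[System.Reflection.Assembly]::Load($b) | Out-Null"},
    {"id": "B2", "part": 1, "total": 1, "text": "Get-ChildItem C:\\Temp | Where-Object Length -gt 1MB"},
    {"id": "C3", "part": 1, "total": 3, "text": "$a = [Reflection.Assembly]::"},
    {"id": "C3", "part": 2, "total": 3, "text": "Load($bytes)"},
    # part 3 of C3 never arrived: truncated logging, which should itself be flagged
]

# Reflection indicators from the takeaways: the type-accelerator form and the .NET call form.
REFLECTION_PATTERNS = [
    re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.IGNORECASE),
    re.compile(r"System\.Reflection\.Assembly\.Load\w*\(", re.IGNORECASE),
]


def reassemble(records):
    """Join 4104 fragments per script-block id; return {id: (full_text, is_complete)}."""
    frags = defaultdict(dict)
    totals = {}
    for r in records:
        frags[r["id"]][r["part"]] = r["text"]
        totals[r["id"]] = r["total"]
    out = {}
    for sbid, parts in frags.items():
        text = "".join(parts[i] for i in sorted(parts))
        out[sbid] = (text, len(parts) == totals[sbid])
    return out


def find_reflection_indicators(records):
    """Flag reassembled blocks that contain a reflection indicator or that are incomplete."""
    findings = []
    for sbid, (text, complete) in reassemble(records).items():
        matched = any(p.search(text) for p in REFLECTION_PATTERNS)
        if matched or not complete:
            findings.append({"id": sbid, "reflection": matched, "complete": complete})
    return findings
```

Scanning each fragment on its own would miss C3, whose indicator only appears once parts 1 and 2 are joined.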