
Red Team Lessons: Bypassing EDR with Living-off-the-Land Techniques

During a recent internal red team engagement, our offensive security team achieved SYSTEM-level access on a hardened endpoint in under 4 hours — without dropping a single binary.

Living-off-the-land binaries (LOLBins) allow attackers to blend into normal system activity, making detection significantly harder.

Engagement Overview

The target was a financial services firm that had recently completed a significant security uplift program: new CrowdStrike Falcon deployment, Defender for Endpoint integration, application allowlisting via AppLocker, and mandatory MFA everywhere. By conventional metrics, it was a well-defended environment.

Our objective: demonstrate whether a motivated attacker could still achieve domain compromise. We had 5 days with a narrow initial foothold — a single phishing email landing in an employee’s inbox.

The Detection Landscape

Modern EDR products excel at detecting known malware signatures, common exploit shellcode, and process injection techniques documented in the MITRE ATT&CK framework. What they consistently struggle with is attacker activity that is indistinguishable from legitimate administrative work.

Living-off-the-land (LOTL) attacks exploit this gap. Instead of introducing new executables, the attacker repurposes system binaries — certutil, wmic, mshta, regsvr32, PowerShell — that are trusted by both the operating system and security tools. The attack looks like IT doing IT things.

The Kill Chain

Initial Access (Hour 0): The phishing email contained a macro-enabled Word document disguised as a payroll update. The macro used certutil to download a stage-two payload — a PowerShell script — from a legitimate-looking domain registered two weeks prior. No binary was dropped.

Execution (Hour 1): The PowerShell script patched the AMSI (Antimalware Scan Interface) scan buffer in the current process before executing any suspicious content. This one-line technique, publicly documented since 2016, still evades most AMSI implementations when delivered obfuscated.

Persistence (Hour 2): A scheduled task was created via schtasks.exe — a native Windows binary — configured to run at logon as SYSTEM. The task name and description mimicked legitimate Windows Update components.

Lateral Movement (Hours 3–4): WMI was used to execute commands on adjacent systems without touching the network share. No new processes were spawned in a way that looked unusual from the EDR’s perspective; WMI execution appeared as WmiPrvSE.exe spawning child processes, which is entirely normal behavior.

Domain Compromise (Hour 4): By targeting a system where a domain admin had recently authenticated, we were able to harvest cached credentials using a legitimate memory forensics technique and use them to authenticate to the domain controller.

What Defenders Can Do

LOTL attacks are hard to prevent entirely, but they’re more detectable than raw malware if you’re looking in the right places.

WMI auditing is disabled by default and generates significant volume when enabled, but targeted alerting on WMI subscriptions and remote WMI execution from non-administrative workstations is high-signal and low-noise.

PowerShell ScriptBlock logging captures the actual deobfuscated content being executed, circumventing most obfuscation. The AMSI bypass we used patches memory — but the patching action itself is detectable via kernel callbacks on patched systems.

Scheduled task monitoring should alert on any task created outside of known provisioning systems (SCCM, Intune). The signal-to-noise ratio here is excellent once you establish a baseline.

Privileged account monitoring — specifically alerting when domain admin credentials are used from workstations rather than dedicated privileged access workstations — would have caught our lateral movement before we reached the domain controller.

The defenders had every tool they needed. What they lacked was the tuned detection logic to turn those tools into detections.
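As an added example (not the engagement's own tooling or the target's SIEM content), the three host-side signals above as toy detection rules run over constructed event records: task creation outside the provisioning agents, AMSI-tamper markers in deobfuscated ScriptBlock text, and a domain admin logon from anything other than a PAW. The event field names and the baseline sets are assumptions for the example, not the literal Windows event schema.

```python
from typing import Optional

# Baselines a defender would maintain; every value here is constructed.
PROVISIONING_PROCESSES = {"ccmexec.exe", "intunemanagementextension.exe"}  # SCCM, Intune
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin"}
PAW_HOSTS = {"PAW01", "PAW02"}  # dedicated privileged access workstations
AMSI_TAMPER_MARKERS = ("amsiscanbuffer", "amsiinitfailed", "amsiutils")


def classify(event: dict) -> Optional[str]:
    """Map one event record to an alert name, or None if it is benign."""
    eid = event["id"]
    if eid == 4698:  # scheduled task created
        # Once baselined, task creation by anything but the provisioning agents is rare.
        if event["creator"].lower() not in PROVISIONING_PROCESSES:
            return "task-created-outside-provisioning"
    elif eid == 4104:  # ScriptBlock logging: text is already deobfuscated when logged
        if any(m in event["script"].lower() for m in AMSI_TAMPER_MARKERS):
            return "amsi-tamper-in-scriptblock"
    elif eid == 4624:  # successful logon
        # Domain admin credentials used anywhere but a PAW is the lateral-movement signal.
        if event["account"] in PRIVILEGED_ACCOUNTS and event["host"] not in PAW_HOSTS:
            return "privileged-logon-from-non-paw"
    return None


def detect(events: list) -> list:
    """Return (host, alert) pairs for every event that trips a rule."""
    return [(e["host"], a) for e in events if (a := classify(e))]


# Constructed sample events: one benign and one suspicious record per rule.
SAMPLE_EVENTS = [
    {"id": 4698, "host": "WS-042", "creator": "CcmExec.exe",
     "task": "\\Microsoft\\Configuration Manager\\Health Evaluation"},
    {"id": 4698, "host": "WS-042", "creator": "powershell.exe",
     "task": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start Helper"},
    {"id": 4104, "host": "WS-042", "script": "Get-ChildItem C:\\Users"},
    {"id": 4104, "host": "WS-042",
     "script": "$p = 'AmsiScanBuffer'  # constructed marker, not a working bypass"},
    {"id": 4624, "host": "PAW01", "account": "CORP\\da-admin"},
    {"id": 4624, "host": "WS-042", "account": "CORP\\da-admin"},
]

if __name__ == "__main__":
    for host, alert in detect(SAMPLE_EVENTS):
        print(f"{host}: {alert}")
```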

  • WMI for lateral movement. Windows Management Instrumentation enabled remote code execution without touching disk, completely bypassing file-based AV scanning and most EDR behavioral rules.
  • PowerShell with AMSI bypass. Patching the AMSI scan buffer in memory before execution prevented script content inspection without leaving disk artifacts or triggering conventional detection.
  • Scheduled task persistence. Legitimate scheduled tasks masquerading as system maintenance ran our payload at boot with SYSTEM privileges, surviving reboots and EDR restart without re-compromise.

"The best evasion technique isn't a zero-day exploit — it's using the tools that administrators trust by default."

Red Team Lead – Lost Edges Offensive Security
January 22, 2026