Blue Team Keeping Tempo with Offense

Red: Forget about slinging binaries, and set aside PowerShell. What does it take to level attacks against enterprises that take a positive approach to endpoint telemetry and security: application whitelisting, exploit mitigation, virtualization-based security?

Blue: Forget about static indicators, and assume that even the most clever patterns of attack depend on awareness of a specific technique (albeit not a specific implementation). What does it take to build a defensive strategy that assumes as little as possible, favoring suppression of the good over alerting to the bad?
