"living-off-the-land binaries"
Now that's new to me. What on Earth is that? Notepad?
The US government's alert three months ago warning businesses and government agencies about the threat of BlackByte has apparently done little to slow down the ransomware group's activities. Since March, the group, and other gangs using its malware, have continued to attack targets around the world, redesigning their website …
"and make themselves persistent in the network by adding additional admin accounts"
It's a trivial matter to create a small script that will return the number of members in a domain admins group. If the number changes without prior knowledge or agreement, send an alert to someone who needs to know.
It's not a protection or a defence but anything that shortens the time between intruders gaining access and that intrusion being discovered has to be a good thing.
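One way to implement the check the comment above describes, as an added example rather than anything posted in the thread: a PowerShell script that snapshots the membership of privileged AD groups to a baseline file and alerts on any difference. It goes a step beyond a raw head count, which an add-one-remove-one swap would leave unchanged, by diffing the actual members; the group list, baseline path and event-log source are assumptions, and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example: detect unagreed changes to privileged AD group membership.
# Assumptions: RSAT ActiveDirectory module present, baseline path writable,
# and the event source registered once as admin with
#   New-EventLog -LogName Application -Source 'PrivGroupWatch'
Import-Module ActiveDirectory

$Groups       = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$BaselinePath = 'C:\ProgramData\PrivGroupWatch\baseline.json'   # hypothetical location

# Resolve direct and nested members; key on SID so a rename cannot mask a change.
function Get-PrivilegedMembership {
    $result = @{}
    foreach ($g in $Groups) {
        $members = Get-ADGroupMember -Identity $g -Recursive |
                   ForEach-Object { '{0}|{1}' -f $_.SID.Value, $_.SamAccountName } |
                   Sort-Object
        $result[$g] = @($members)
    }
    return $result
}

$current = Get-PrivilegedMembership

if (-not (Test-Path $BaselinePath)) {
    # First run: record the agreed membership and stop; review it before trusting alerts.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$changed  = $false

foreach ($g in $Groups) {
    $before  = @($baseline.$g)      # @() keeps a single member from collapsing to a string
    $after   = @($current[$g])
    $added   = @($after  | Where-Object { $before -notcontains $_ })
    $removed = @($before | Where-Object { $after  -notcontains $_ })

    foreach ($m in $added)   { $changed = $true; $msg = "$m ADDED to '$g'";     Write-Warning $msg
        Write-EventLog -LogName Application -Source 'PrivGroupWatch' -EventId 4001 -EntryType Warning -Message $msg }
    foreach ($m in $removed) { $changed = $true; $msg = "$m REMOVED from '$g'"; Write-Warning $msg
        Write-EventLog -LogName Application -Source 'PrivGroupWatch' -EventId 4002 -EntryType Warning -Message $msg }
}

if (-not $changed) { Write-Output 'Privileged group membership matches baseline.' }
```

Run it from a scheduled task every few minutes and forward the Application log to whatever the SOC already watches; when a change is agreed, delete the baseline file so the next run records the new state.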