SenseIR.exe

2023-09-13 by Adam Ponce (@adamcysec)

How much can an EDR look like malware?

Microsoft Defender Advanced Threat Protection uses SenseIR.exe to launch PowerShell scripts that in turn call the .NET method [System.IO.File]::Open() to read a second PowerShell script into memory for execution. That second script receives its parameters as base64-encoded text.
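As an added example (not part of this write-up and not Microsoft's code), the following Python triage decodes the base64 parameters out of PowerShell process-creation events and separates the documented SenseIR.exe launch from the same command line appearing under any other parent; the SenseIR.exe install path, the parameter encoding fallback and the sample events are constructed assumptions.

```python
import base64
import re

# Assumed install location of the EDR binary; the write-up does not give the path.
TRUSTED_PARENT = r"C:\PLACEHOLDER_EDR_DIR\SenseIR.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Candidate base64 tokens: 16+ base64 chars plus optional padding, not glued to other text.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

def decode_b64_args(cmdline):
    """Base64 tokens in a command line that decode to printable text. The page does
    not name the text encoding, so UTF-8 is tried first, then UTF-16LE (-EncodedCommand)."""
    found = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # bad length or stray characters: not base64 after all
            continue
        for encoding in ("utf-8", "utf-16-le"):
            try:
                text = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if text.isprintable():
                found.append(text)
                break
    return found

def triage(event, trusted_parent=TRUSTED_PARENT):
    """Classify a PowerShell process-creation event {parent, image, cmdline}. Only the
    EDR binary at its full expected path is the documented SenseIR behaviour; the same
    command line under another parent, or a SenseIR.exe elsewhere, goes to review."""
    parent = event["parent"].lower()
    if parent == trusted_parent.lower():
        verdict = "expected-edr"
    elif parent.endswith("\\senseir.exe"):
        verdict = "review-path-mismatch"
    else:
        verdict = "review-unexpected-parent"
    return {"verdict": verdict, "decoded_args": decode_b64_args(event["cmdline"])}

# Constructed sample events (not real telemetry): one launcher command line, three parents.
SAMPLE_PARAM = base64.b64encode(b"-CollectionId 42 -Scope full").decode()
SAMPLE_ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
LAUNCH = r"powershell.exe -NoProfile -File C:\temp\launcher.ps1 -Args " + SAMPLE_PARAM
EVENTS = [
    {"parent": TRUSTED_PARENT, "image": POWERSHELL, "cmdline": LAUNCH},
    {"parent": r"C:\Users\Public\SenseIR.exe", "image": POWERSHELL, "cmdline": LAUNCH},
    {"parent": r"C:\Windows\explorer.exe", "image": POWERSHELL, "cmdline": LAUNCH},
]
```

The comparison is on the parent's full path rather than its file name, since the file name is the one attribute that tells an analyst nothing on its own; the decoded arguments are returned so the review queue shows what the script was actually given instead of a base64 blob.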

Documentation