2023-09-13 by Adam Ponce (@adamcysec)
How much can an EDR look like malware?
Microsoft Defender Advanced Threat Protection uses SenseIR.exe to launch PowerShell scripts that then use the .NET method [System.IO.File]::Open() to read another PowerShell script into memory for execution. The second PowerShell script is executed with its parameters passed in as base64-encoded text.
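The behaviour described above (a PowerShell child of SenseIR.exe with base64-encoded arguments) is exactly what an encoded-PowerShell detection would flag, so the triage logic has to separate the expected EDR pattern from everything else. The following is an added example, not code from the original post: it classifies constructed Sysmon-style process-creation records, assuming the field names `ParentImage`, `Image` and `CommandLine` and an assumed install directory for SenseIR.exe.

```python
import base64
import re
from pathlib import PureWindowsPath

# Assumed install directory for the agent (constructed for this example; verify it in your environment).
EXPECTED_SENSEIR_DIR = r"C:\Program Files\Windows Defender Advanced Threat Protection"
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def base64_tokens(command_line: str) -> list:
    """Return command-line tokens that are well-formed base64 (heuristic: any 16+ char alnum word of length % 4 == 0 also matches)."""
    found = []
    for tok in command_line.split():
        tok = tok.strip("\"'")
        if B64_TOKEN.match(tok) and len(tok) % 4 == 0:
            try:
                base64.b64decode(tok, validate=True)
            except ValueError:
                continue
            found.append(tok)
    return found


def classify(event: dict) -> str:
    """Label a process-creation event: is encoded PowerShell the expected EDR pattern (SenseIR.exe parent from its install directory)?"""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() not in POWERSHELL_IMAGES:
        return "not-powershell"
    parent = PureWindowsPath(event["ParentImage"])
    if parent.name.lower() == "senseir.exe":
        if str(parent.parent).lower() == EXPECTED_SENSEIR_DIR.lower():
            return "expected-edr-activity"
        return "senseir-name-unexpected-path"  # same binary name, wrong location: review
    if base64_tokens(event["CommandLine"]):
        return "encoded-powershell-review"
    return "plain-powershell"


B64_ARG = base64.b64encode(b"example-parameter-value").decode()
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"ParentImage": EXPECTED_SENSEIR_DIR + r"\SenseIR.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\second.ps1 " + B64_ARG},
    {"ParentImage": r"C:\Users\Public\SenseIR.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + B64_ARG},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -EncodedCommand " + B64_ARG},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\plain.ps1"},
]
```

Running `classify` over `SAMPLE_EVENTS` labels only the first record as expected EDR activity; the base64 check alone would have flagged three of the four.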