t3l3machus / Villain

Villain is a high level stage 0/1 C2 framework that can handle multiple TCP socket & HoaxShell-based reverse shells, enhance their functionality with additional features (commands, utilities) and share them among connected sibling servers (Villain instances running on different machines).

EDR detections #31

Closed injuxtice closed 1 year ago

injuxtice commented 1 year ago

I have tested the payloads through “Cortex XDR” EDR and, whilst a good percentage of the payloads are detected, some make it through.

It looks like when “Invoke-Expression” is used, this string is detected by XDR, even if it is obfuscated:

e.g. $fb=inV'oKe-EXp'resSION

However, when the alias of the command, “iex”, is used, the payload is undetected.

e.g. $fa4=i'ex'

t3l3machus commented 1 year ago

@injuxtice the IEX variation will get flagged as well, it's inevitable. If you generate a payload using the "exec_outfile" argument, which writes and executes commands from a file, it will also most likely not get detected. I've made videos presenting ideas on how to manually obfuscate and bypass detection.
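A defender-side illustration of the point raised in this thread, added here as example code that is not part of Villain and not from either commenter: a small Python detector that normalizes quote-split PowerShell tokens before matching, so the `iex` alias is treated the same as the full `Invoke-Expression` cmdlet name instead of slipping past a literal string match. The sample lines are constructed from the two snippets quoted above plus one benign command; the function and pattern names are assumptions.

```python
import re

# Constructed sample input: the two obfuscated assignments quoted in the issue
# and one benign command that should not be flagged.
SAMPLE_LINES = [
    "$fb=inV'oKe-EXp'resSION",
    "$fa4=i'ex'",
    "Get-ChildItem -Path C:\\Users",
]

# Quote-splitting obfuscation breaks a token into adjacent string fragments
# (e.g. inV'oKe-EXp'resSION); PowerShell concatenates them back at runtime.
# Dropping the quotes and lowercasing reconstructs the token the engine will see.
# Assumption: this heuristic only covers quote-splitting and case changes.
def normalize(cmd: str) -> str:
    return re.sub(r"['\"]", "", cmd).lower()

# Match the cmdlet name OR its alias as a whole token, so "iex" is not missed
# and names such as "iexplore" are not falsely matched.
IEX_PATTERN = re.compile(r"(?<![\w-])(invoke-expression|iex)(?![\w-])")

def flag_iex(cmd: str) -> bool:
    """Return True when the normalized command invokes Invoke-Expression or iex."""
    return IEX_PATTERN.search(normalize(cmd)) is not None

def scan(lines):
    """Return the subset of lines that a detection rule should flag."""
    return [line for line in lines if flag_iex(line)]

if __name__ == "__main__":
    for line in scan(SAMPLE_LINES):
        print("flagged:", line)
```

The detection logic matches the reconstructed token rather than the literal substring, which is why a rule that only contains `Invoke-Expression` can miss the aliased form the reporter observed; adding the alias to the token list closes that gap for this specific obfuscation style. Script Block Logging (event 4104) records the de-obfuscated script text and is the more robust place to apply such a rule than raw command-line strings.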