Stealth in Plain Sight: The Hidden Threat of PowerShell Fileless Malware and Its Evasion of Modern EDRs & AVs

These findings illuminate the potential vulnerabilities of current security solutions and highlight the need for enhanced detection strategies against fileless PowerShell threats. By offering critical insights, this research contributes to fortifying cybersecurity defenses against increasingly sophisticated fileless threats. As the frequency of fileless PowerShell attacks, which are exploited by Advanced Persistent Threat (APT) groups and cybercriminals continues to rise the need, for defense measures becomes more crucial than before. This study aims to explore the detection capabilities of defense mechanisms like Endpoint Detection and Response (EDR) and Advanced Antivirus (AV) solutions when faced with these threats. Currently APT groups and cybercriminals are favouring fileless PowerShell scripts due, to their ability to bypass defenses. Furthermore, the absence of antivirus solutions and EDRs can leave organizations exposed to attacks. This trend highlights the timeliness and critical significance of our research. I have developed and tested a novel PowerShell reverse shell, delivered in both PS1 and EXE formats, against sixteen 16 different security solutions. These include both paid and open-source Endpoint Detection and Response (EDR) systems, as well as total security and premium antivirus software. This study uniquely focuses on analyzing the impact of script-to-executable conversion and varying persistence methods on detection rates. Additionally, I evaluated the effect of stealthy functions embedded within the PowerShell scripts. Furthermore, I utilized PowerShell code obfuscation techniques to determine if they could evade current security solutions. Two different types of reverse shells were evaluated in a controlled environment. The initial version, which was publicly shared underwent testing, by the cybersecurity community. On the hand, the second version, which incorporated stealth techniques underwent private testing, on various antivirus and EDR systems. Preliminary results revealed that both the PS1 script and the EXE formats managed to successfully bypass many AVs, EDRs, and XDRs. These findings shed light on the potential vulnerabilities of current security solutions and underscore the need for enhanced detection strategies against fileless PowerShell threats. By offering critical insights, this research contributes to the fortification of cybersecurity defenses against increasingly sophisticated fileless threats.