Attackers appear to have found a way around PowerShell monitoring by using a default utility instead.