
Summary
This analytic detection rule identifies PowerShell scripts that load .NET assemblies into memory via reflection. Reflection is commonly leveraged by attackers to execute code in memory without touching disk, facilitating actions such as privilege escalation and establishing unauthorized access. The rule uses PowerShell Script Block Logging (EventCode=4104) to capture the text of executed script blocks, focusing on commands that invoke reflection methods such as `Reflection.Assembly.Load`. Given the sophistication of this technique, its discovery in an organizational environment could indicate an attempt to bypass typical security defenses and should be treated as a serious security incident warranting further investigation. Implementing this rule requires enabling PowerShell Script Block Logging on the target endpoints so that the necessary data is collected to feed this detection.
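The matching logic described above, run over a handful of constructed EventCode 4104 records, as an added illustration that is not part of the original rule or its vendor's code. The field names (`EventCode`, `ScriptBlockText`, `Computer`, `UserID`) are assumed to mirror the Windows PowerShell Operational log as commonly ingested; the sample script blocks are made up for the example. It generalizes slightly beyond the rule text by matching the whole `Load` family (`Load`, `LoadFile`, `LoadFrom`, `LoadWithPartialName`) and by flagging calls whose argument is a variable, since a byte array in a variable is the in-memory case the rule is most concerned with, whereas a literal path points at an on-disk assembly.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample events in the shape of PowerShell Script Block Logging
# records (EventCode 4104). These are invented for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.example.local", "UserID": "S-1-5-21-111-222-333-1001",
     "ScriptBlockText": "$b = [System.IO.File]::ReadAllBytes('C:\\Users\\Public\\x.bin'); "
                        "[System.Reflection.Assembly]::Load($b) | Out-Null"},
    {"EventCode": 4104, "Computer": "ws02.example.local", "UserID": "S-1-5-21-111-222-333-1002",
     "ScriptBlockText": "Get-ChildItem -Path C:\\Logs -Recurse | Where-Object { $_.Length -gt 1MB }"},
    {"EventCode": 4104, "Computer": "ws03.example.local", "UserID": "S-1-5-21-111-222-333-1003",
     "ScriptBlockText": "[Reflection.Assembly]::LoadFrom('C:\\Tools\\Helper.dll') | Out-Null"},
    # Wrong event code: not a script block record, so the rule must ignore it.
    {"EventCode": 4103, "Computer": "ws03.example.local", "UserID": "S-1-5-21-111-222-333-1003",
     "ScriptBlockText": "[System.Reflection.Assembly]::Load($bytes)"},
    {"EventCode": 4104, "Computer": "ws04.example.local", "UserID": "S-1-5-21-111-222-333-1004",
     "ScriptBlockText": "iex ([System.Text.Encoding]::UTF8.GetString($raw)); "
                        "[System.Reflection.Assembly]::Load($raw)"},
    # Extra whitespace around the brackets and operator; a string match on
    # "[Reflection.Assembly]::Load" would miss this, the regex below does not.
    {"EventCode": 4104, "Computer": "ws05.example.local", "UserID": "S-1-5-21-111-222-333-1005",
     "ScriptBlockText": "$asm = [ System.Reflection.Assembly ] :: Load ( $blob )"},
]

# Matches both the bracketed type-accelerator form ([System.Reflection.Assembly]::Load)
# and the dotted form (Reflection.Assembly.Load), tolerating whitespace, and captures
# the method name and the first argument up to the closing parenthesis.
REFLECTION_LOAD = re.compile(
    r"(?:\[\s*)?(?:System\.)?Reflection\.Assembly\s*(?:\]\s*::|\.)\s*"
    r"(Load(?:File|From|WithPartialName)?)\b\s*\(\s*([^)]*)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    computer: str
    user: str
    method: str
    in_memory_hint: bool   # True when the argument is a variable rather than a literal path
    script_excerpt: str


def detect_reflection_load(events: Iterable[dict]) -> list:
    """Return one Finding per reflective assembly load seen in 4104 script block text."""
    findings = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        for m in REFLECTION_LOAD.finditer(text):
            method, arg = m.group(1), (m.group(2) or "")
            start, end = max(0, m.start() - 40), m.end() + 40
            findings.append(Finding(
                computer=ev.get("Computer", "?"),
                user=ev.get("UserID", "?"),
                method=method,
                in_memory_hint=arg.lstrip().startswith("$"),
                script_excerpt=text[start:end],
            ))
    return findings


if __name__ == "__main__":
    for f in detect_reflection_load(SAMPLE_EVENTS):
        tag = "in-memory" if f.in_memory_hint else "from-path"
        print(f"{f.computer} {f.user} {f.method} [{tag}] ... {f.script_excerpt} ...")
```

Triage note: the `in_memory_hint` split is a prioritization aid, not a verdict. `LoadFrom` with a literal path still loads code the logging pipeline has not seen and should be reviewed against the endpoint's known administrative scripts; it simply ranks below a byte-array `Load` that never wrote an assembly to disk.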
Categories
- Endpoint
Data Sources
- Pod
ATT&CK Techniques
- T1059
- T1059.001
Created: 2025-01-16