
Powershell DLL_EXE Injection

Anvilogic Forge

Summary
This detection rule is designed to identify potential DLL injection attempts performed through PowerShell, particularly Reflective DLL Injection. DLL injection is a technique in which a malicious actor loads a Dynamic Link Library (DLL) into a running process so that the process executes the attacker's code. Reflective DLL Injection extends the traditional method by loading the DLL from raw data in memory rather than from a path on disk, which leaves fewer artifacts and makes it harder to detect. This rule targets PowerShell activity on Windows hosts, looking for references to API functions commonly used during DLL injection, such as 'VirtualAlloc', 'WriteProcessMemory', 'CreateRemoteThread', and 'VirtualFree'. The rule is particularly relevant for detecting activity by threat actors such as Carbanak, TA2541, and TA551, and is associated with malware such as IcedID. Using a combination of parsing and evaluation techniques within the Splunk platform, it aggregates the identified events over a specified timeframe, allowing security teams to monitor and respond to potential threats involving process-level manipulation.
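As an added illustration of the parse-and-aggregate logic described above (this is not Anvilogic's rule or its Splunk search), the following Python scans constructed PowerShell script-block log records for the API names the rule lists and raises an alert when several distinct names appear on one host within a time window. The pipe-delimited log layout, host names, window size and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# API names named on the page; matching them in script text is the core signal.
INJECTION_APIS = ("VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "VirtualFree")
API_RE = re.compile(r"\b(" + "|".join(INJECTION_APIS) + r")\b")

# Constructed sample records: "timestamp|host|event_id|script_text", standing in
# for PowerShell script-block logging (Event ID 4104). Not real telemetry.
SAMPLE_LOGS = """\
2024-02-09T10:00:01|WS01|4104|Get-ChildItem C:\\Temp | Measure-Object
2024-02-09T10:02:10|WS01|4104|... [K32]::VirtualAlloc(...) ...
2024-02-09T10:02:11|WS01|4104|... [K32]::WriteProcessMemory(...) ...
2024-02-09T10:02:12|WS01|4104|... [K32]::CreateRemoteThread(...) ...
2024-02-09T10:40:00|WS02|4104|Write-Host 'VirtualAlloc is a Win32 API'
"""

def parse_event(line):
    """Split one record into (timestamp, host, event_id, script_text)."""
    ts, host, event_id, script = line.split("|", 3)
    return datetime.fromisoformat(ts), host, int(event_id), script

def detect(log_text, window_minutes=10, min_apis=3):
    """Return one alert per (host, window) in which at least min_apis distinct
    injection-related API names appear in script-block events."""
    buckets = defaultdict(set)  # (host, window_start) -> set of API names seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, script = parse_event(line)
        if event_id != 4104:          # only script-block events are in scope
            continue
        hits = set(API_RE.findall(script))
        if not hits:
            continue
        # Floor the timestamp to the start of its window (the aggregation step).
        start = ts.replace(second=0, microsecond=0)
        start -= timedelta(minutes=start.minute % window_minutes)
        buckets[(host, start)] |= hits
    alerts = []
    for (host, start), apis in sorted(buckets.items()):
        if len(apis) >= min_apis:   # a lone mention (WS02 above) stays below threshold
            alerts.append({"host": host, "window_start": start.isoformat(),
                           "apis": sorted(apis)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```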
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Script
  • Application Log
ATT&CK Techniques
  • T1055.001
  • T1055
Created: 2024-02-09