
Summary
This detection rule identifies the use of .NET reflection in PowerShell scripts, specifically calls to `Reflection.Assembly.Load` (also written `[Reflection.Assembly]::Load` or `[System.Reflection.Assembly]::Load` in PowerShell's static-method syntax). The byte-array overload of `Assembly.Load` lets an attacker load a .NET assembly (an executable or a DLL, both PE files) directly from memory without writing it to disk, which sidesteps file-based antivirus and other detection that depends on a file artifact. The rule monitors Windows hosts for this activity by analyzing PowerShell script block logs (Event ID 4104); detection is only effective if PowerShell Script Block Logging is enabled, so the investigation guide stresses verifying that prerequisite. The guide also recommends reviewing the full script block for what is being loaded and where the bytes come from (for example a Base64 string, a web download or another process), reconstructing the process chain that launched PowerShell, and correlating with other suspicious activity on the host. It notes that legitimate administrative and development tooling can load assemblies reflectively, so the content and origin of the script should be examined before treating a match as malicious. The MITRE ATT&CK techniques mapped to the rule, Reflective Code Loading and Process Injection, describe the defense-evasion behavior that a match may represent. The rule helps organizations surface in-memory code execution that would otherwise leave no file on disk and could be a step toward further compromise or data exfiltration.
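Added example (not part of the rule or of Elastic's own code): the detection logic above, run over a few constructed PowerShell script block log events. The `ScriptBlockEvent` shape and the sample events are assumptions made for this illustration; the matching itself goes slightly beyond the literal string the rule names by tolerating the optional `System.` prefix, either call syntax, surrounding whitespace and PowerShell backtick escapes (which an attacker can use to break up the token), while still requiring `Load(` so that by-name loads such as `LoadWithPartialName` do not match.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches [System.Reflection.Assembly]::Load( and Reflection.Assembly.Load(
# with optional "System." prefix, optional brackets and arbitrary whitespace.
# "Load(" is required so LoadWithPartialName/LoadFile/LoadFrom are excluded.
REFLECTION_LOAD_RE = re.compile(
    r"\[?\s*(?:System\s*\.\s*)?Reflection\s*\.\s*Assembly\s*\]?\s*(?:::|\.)\s*Load\s*\(",
    re.IGNORECASE,
)

SCRIPT_BLOCK_EVENT_ID = 4104  # Microsoft-Windows-PowerShell/Operational, Script Block Logging


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in for a parsed Windows event (assumed shape, not a real schema)."""
    event_id: int
    host: str
    user: str
    script_block_text: str


def normalize(text: str) -> str:
    """Strip PowerShell backtick escapes so Ref`lection.Asse`mbly reads as Reflection.Assembly."""
    return text.replace("`", "")


def detect(event: ScriptBlockEvent) -> Optional[dict]:
    """Return an alert dict if the script block calls Reflection.Assembly.Load, else None."""
    if event.event_id != SCRIPT_BLOCK_EVENT_ID:
        return None  # module logging (4103) or other events are out of scope for this rule
    text = normalize(event.script_block_text)
    match = REFLECTION_LOAD_RE.search(text)
    if not match:
        return None
    return {
        "host": event.host,
        "user": event.user,
        "matched": match.group(0),
        # Keep surrounding context for the analyst: where the bytes being loaded come from.
        "context": text[max(0, match.start() - 80): match.end() + 80],
    }


def scan(events: List[ScriptBlockEvent]) -> List[dict]:
    """Run the detection over a batch of events and collect alerts."""
    return [alert for alert in (detect(e) for e in events) if alert is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. In-memory load of a Base64-decoded assembly, then invoke its entry point.
    ScriptBlockEvent(4104, "WS01", "CORP\\jdoe",
        "$b=[System.Convert]::FromBase64String($p);"
        "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"),
    # 2. Same technique with backtick obfuscation and no System. prefix.
    ScriptBlockEvent(4104, "WS02", "CORP\\svc_build",
        "[Ref`lection.Asse`mbly]::Lo`ad( $buf )"),
    # 3. Benign administration, no reflection.
    ScriptBlockEvent(4104, "WS03", "CORP\\admin",
        "Import-Module ActiveDirectory; Get-ADUser -Filter * | Select-Object Name"),
    # 4. Loads an assembly by name from disk/GAC, not from memory: intentionally not matched.
    ScriptBlockEvent(4104, "WS04", "CORP\\dev",
        "[Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')"),
    # 5. Matching text but from module logging (4103), which this rule does not consume.
    ScriptBlockEvent(4103, "WS05", "CORP\\jdoe",
        "[Reflection.Assembly]::Load($bytes)"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT host={alert['host']} user={alert['user']} matched={alert['matched']!r}")
```

Sample 2 is why the normalization step matters: a rule that only searches the raw text for the literal `Reflection.Assembly.Load` would miss it, although the logged script block still shows the technique plainly once the escapes are removed. Sample 5 illustrates the caveat in the summary: without Script Block Logging there is no 4104 text to match against.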
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
- Command
- Script
- Windows Registry
ATT&CK Techniques
- T1620
- T1055
- T1055.001
- T1055.002
- T1059
- T1059.001
Created: 2021-10-15