
Summary
This detection rule identifies potential in-memory execution via .NET reflection, specifically PowerShell script blocks that call `[Reflection.Assembly]::Load` (the `System.Reflection.Assembly` class; PowerShell accepts the name with or without the `System.` prefix) to load an assembly dynamically. Passing a byte array to `Load` maps an assembly straight into the PowerShell process without writing it to disk, a common tactic used by threat actors to evade controls that only inspect files, which is what makes in-memory execution harder for traditional security solutions to catch. The rule depends on PowerShell Script Block Logging being enabled: each executed script block is recorded as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, and the detection matches on the command text in that event. Because script block logging records code as it is executed, string concatenation or encoding that hides the call in the original file does not hide it from this rule, but the match should be case-insensitive and tolerant of the fully qualified type name, and long script blocks are logged as several 4104 events, so the text should be reassembled by ScriptBlockId before matching. Text matching still misses calls that reach `Load` indirectly (for example through `GetType` and `GetMethod`), so treat a hit as one signal to correlate with process and network telemetry rather than a complete control. The main false positive scenario is legitimate use of reflection by administrative scripts and enterprise software; triage on the script path, the user and the parent process, and allowlist known tooling by path rather than suppressing the method call itself.
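As an added illustration, not code from the rule or its repository, the following Python runs the matching logic described above over a constructed batch of 4104 events. It reassembles fragmented script blocks by ScriptBlockId before matching, applies a case-insensitive pattern that accepts the `System.` prefix, keeps `LoadWithPartialName` and the disk-based `LoadFile`/`LoadFrom` out of scope, and suppresses hits from a hypothetical allowlisted vendor directory to show how the false-positive case would be handled. All hostnames, users, paths and script text are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample of PowerShell Script Block Logging events (Event ID 4104 in
# Microsoft-Windows-PowerShell/Operational). Field names follow the event's own
# fields; every value below is invented for this example.
SAMPLE_EVENTS = [
    # Classic in-memory load: decode a blob and run the assembly's entry point.
    {"Computer": "WS01", "User": "CORP\\alice", "Path": "",
     "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$b=[Convert]::FromBase64String($enc);"
                        "[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"},
    # Same call, fully qualified type name in lower case (PowerShell is case-insensitive).
    {"Computer": "WS02", "User": "CORP\\bob", "Path": "",
     "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "[system.reflection.assembly]::load($bytes)"},
    # A long block is logged as several 4104 events; here the call straddles the split.
    {"Computer": "WS03", "User": "CORP\\carol", "Path": "",
     "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$raw=[Convert]::FromBase64String((Get-Content C:\\Temp\\x.b64)); [Reflection."},
    {"Computer": "WS03", "User": "CORP\\carol", "Path": "",
     "ScriptBlockId": "c3", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Assembly]::Load($raw) | Out-Null"},
    # Vendor script under a hypothetical allowlisted directory (the false-positive case).
    {"Computer": "WS04", "User": "NT AUTHORITY\\SYSTEM",
     "Path": "C:\\Program Files\\Contoso Agent\\Update.ps1",
     "ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "[Reflection.Assembly]::Load($asmBytes) | Out-Null"},
    # Benign: a different method on the same type, not an in-memory load.
    {"Computer": "WS05", "User": "CORP\\dave", "Path": "",
     "ScriptBlockId": "e5", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "[Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')"},
    # Benign: no reflection at all.
    {"Computer": "WS05", "User": "CORP\\dave", "Path": "",
     "ScriptBlockId": "f6", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
]

# Matches [Reflection.Assembly]::Load and [System.Reflection.Assembly]::Load in any
# case, tolerating whitespace around '::'. The trailing \b keeps LoadWithPartialName,
# LoadFile and LoadFrom out of scope, in line with the rule's focus on Load.
ASSEMBLY_LOAD = re.compile(
    r"\[(?:System\.)?Reflection\.Assembly\]\s*::\s*Load\b", re.IGNORECASE)

# Hypothetical allowlist: script paths of tooling known to use reflection
# legitimately. An empty Path means the block did not come from a script file.
ALLOWED_PATH_PREFIXES = ("C:\\Program Files\\Contoso Agent\\",)


def reassemble(events):
    """Group 4104 fragments by ScriptBlockId and join them in MessageNumber order."""
    parts = defaultdict(list)
    for ev in events:
        parts[ev["ScriptBlockId"]].append(ev)
    merged = []
    for frags in parts.values():
        frags.sort(key=lambda e: e["MessageNumber"])
        first = dict(frags[0])
        first["ScriptBlockText"] = "".join(f["ScriptBlockText"] for f in frags)
        merged.append(first)
    return merged


def is_allowlisted(path, prefixes):
    return any(path.lower().startswith(p.lower()) for p in prefixes)


def detect(events, allowed_path_prefixes=()):
    """Return one hit per reassembled script block that calls Assembly::Load."""
    hits = []
    for ev in reassemble(events):
        m = ASSEMBLY_LOAD.search(ev["ScriptBlockText"])
        if not m or is_allowlisted(ev["Path"], allowed_path_prefixes):
            continue
        hits.append({
            "Computer": ev["Computer"], "User": ev["User"],
            "ScriptBlockId": ev["ScriptBlockId"],
            "Path": ev["Path"] or "<no script file>",
            "Match": m.group(0),
        })
    return hits


def scan_without_reassembly(events):
    """Naive per-event scan, for comparison: misses calls split across fragments."""
    return sorted({ev["ScriptBlockId"] for ev in events
                   if ASSEMBLY_LOAD.search(ev["ScriptBlockText"])})


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, ALLOWED_PATH_PREFIXES):
        print(hit)
```

With the allowlist applied, `detect` returns hits for blocks a1, b2 and c3; the naive per-fragment scan misses c3 because `[Reflection.` and `Assembly]::Load` land in different events, which is why reassembly by ScriptBlockId belongs in the search logic rather than in triage.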
Categories
- Windows
- Endpoint
Data Sources
- Script
- Process
Created: 2022-12-25