PowerShell Loading DotNET into Memory via Reflection

name: PowerShell Loading DotNET into Memory via Reflection
id: 85bc3f30-ca28-11eb-bd21-acde48001122
version: 16
date: '2026-03-31'
author: Michael Haag, Teoderick Contreras Splunk
status: production
type: Anomaly
data_source:
    - Powershell Script Block Logging 4104
description: The following analytic detects the use of PowerShell scripts to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.
search: |
    `powershell` EventCode=4104 ScriptBlockText IN ("*Reflection.Assembly]::Load*",
    "*Reflection.Assembly.Load*", "*UnsafeLoadFrom*", "*.LoadFrom(*", "*.LoadModule(*",
    "*.LoadWithPartialName*", "*ReflectionOnlyLoad*", "*Reflection.Assembly]::('daoL'[-1..-4] -join '')*")
    | fillnull
    | stats count min(_time) as firstTime max(_time) as lastTime
    by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `powershell_loading_dotnet_into_memory_via_reflection_filter`
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
known_false_positives: False positives should be limited as day to day scripts do not use this method.
references:
    - https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=net-5.0
    - https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
    - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
    - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
drilldown_searches:
    - name: View the detection results for - "$dest$" and "$user_id$"
      search: '%original_detection_search% | search  dest = "$dest$" user_id = "$user_id$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$$", "$user_id$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory in host $dest$
    risk_objects:
        - field: dest
          type: system
          score: 20
        - field: user_id
          type: user
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Winter Vivern
        - AgentTesla
        - AsyncRAT
        - Hermetic Wiper
        - Malicious PowerShell
        - Data Destruction
        - 0bj3ctivity Stealer
        - Hellcat Ransomware
        - Axios Supply Chain Post Compromise
    asset_type: Endpoint
    mitre_attack_id:
        - T1059.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reflection.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog