sigmamediumHunting

Potential In-Memory Execution Using Reflection.Assembly

Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory

MITRE ATT&CK

defense-evasion

Detection Query

selection:
  ScriptBlockText|contains: "[Reflection.Assembly]::load"
condition: selection

Author

frack113

Created

2022-12-25

Data Sources

windowsps_script

Platforms

windows

References

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50

Tags

attack.defense-evasionattack.t1620

Raw Content

title: Potential In-Memory Execution Using Reflection.Assembly
id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a
status: test
description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
author: frack113
date: 2022-12-25
tags:
    - attack.defense-evasion
    - attack.t1620
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enable
detection:
    selection:
        ScriptBlockText|contains: '[Reflection.Assembly]::load'
    condition: selection
falsepositives:
    - Legitimate use of the library
level: medium