Language: KQL | License: Elastic-2.0 | Source: elastic/detection-rules

Suspicious .NET Reflection via PowerShell

Rule source: rules/windows/defense_evasion_posh_assembly_load.toml

event.category:process and host.os.type:windows and
(
  powershell.file.script_block_text : (
    "[System.Reflection.Assembly]::Load" or
    "[Reflection.Assembly]::Load" or
    "Assembly.Load("
  ) and
  powershell.file.script_block_text : (
      "FromBase64String" or "GzipStream" or "DeflateStream" or "IO.Compression" or
      "MemoryStream" or "DownloadData" or "WebClient" or "ReadAllBytes"
  )
)
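The following Python is an added example, not part of the elastic/detection-rules repository: it emulates the rule's two required clauses (a reflective Load call AND an in-memory staging term) over constructed script-block events, so the logic can be unit-tested offline and the reason for the second clause (filtering benign by-name loads) is visible. It assumes flattened ECS field names and uses plain substring matching, which only approximates KQL's analyzed-text matching.

```python
# Added example: emulate the rule's logic over constructed events (not real telemetry).
# Assumption: substring matching approximates, but does not reproduce, KQL text matching.

LOAD_TERMS = [
    "[System.Reflection.Assembly]::Load",
    "[Reflection.Assembly]::Load",
    "Assembly.Load(",
]
STAGING_TERMS = [
    "FromBase64String", "GzipStream", "DeflateStream", "IO.Compression",
    "MemoryStream", "DownloadData", "WebClient", "ReadAllBytes",
]


def matches_rule(event):
    """Return the matched terms, or None when the rule would not fire.

    Both clauses must match: a reflective Load alone is common in benign
    scripts, so the rule also requires evidence that the assembly bytes were
    decoded, decompressed, read or downloaded into memory.
    """
    if event.get("event.category") != "process" or event.get("host.os.type") != "windows":
        return None
    text = event.get("powershell.file.script_block_text", "")
    load_hits = [t for t in LOAD_TERMS if t in text]
    staging_hits = [t for t in STAGING_TERMS if t in text]
    if load_hits and staging_hits:
        return {"load": load_hits, "staging": staging_hits}
    return None


# Constructed sample events; the base64 payload is a placeholder, not a real assembly.
SAMPLE_EVENTS = [
    {   # base64-decoded assembly loaded in memory: both clauses match
        "event.category": "process", "host.os.type": "windows",
        "powershell.file.script_block_text":
            "$b=[Convert]::FromBase64String('<PLACEHOLDER>');"
            "[System.Reflection.Assembly]::Load($b)",
    },
    {   # benign: framework assembly loaded by name, no staging terms
        "event.category": "process", "host.os.type": "windows",
        "powershell.file.script_block_text":
            "[Reflection.Assembly]::Load('System.Windows.Forms')",
    },
    {   # same pattern on a non-Windows host: excluded by the host filter
        "event.category": "process", "host.os.type": "linux",
        "powershell.file.script_block_text":
            "$b=[IO.File]::ReadAllBytes('x.dll');[Reflection.Assembly]::Load($b)",
    },
]


def evaluate_samples():
    return [matches_rule(e) for e in SAMPLE_EVENTS]
```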