← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential In-Memory Execution Using Reflection.Assembly

Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1620
Rule sourcerules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
title: Potential In-Memory Execution Using Reflection.Assembly
id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a
status: test
description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
author: frack113
date: 2022-12-25
tags:
    - attack.defense-evasion
    - attack.t1620
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enable
detection:
    selection:
        ScriptBlockText|contains: '[Reflection.Assembly]::load'
    condition: selection
falsepositives:
    - Legitimate use of the library
level: medium