splApache-2.0from splunk/security_content
PowerShell Loading DotNET into Memory via Reflection
The following analytic detects the use of PowerShell scripts to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.
Quality
3
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
`powershell` EventCode=4104 ScriptBlockText IN ("*Reflection.Assembly]::Load*",
"*Reflection.Assembly.Load*", "*UnsafeLoadFrom*", "*.LoadFrom(*", "*.LoadModule(*",
"*.LoadWithPartialName*", "*ReflectionOnlyLoad*", "*Reflection.Assembly]::('daoL'[-1..-4] -join '')*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_loading_dotnet_into_memory_via_reflection_filter`