Detectionmediumtest

Potential In-Memory Execution Using Reflection.Assembly

Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

François HubautCreated Sun Dec 25ddcd88cb-7f62-4ce5-86f9-1704190feb0awindows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Script Block Logging must be enable

Detection Logic

detection:
    selection:
        ScriptBlockText|contains: '[Reflection.Assembly]::load'
    condition: selection

False Positives

Legitimate use of the library

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

ddcd88cb-7f62-4ce5-86f9-1704190feb0a

Status

test

Level

medium

Type

Detection

Created

Sun Dec 25

Author

Path

rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml

Raw Tags

attack.defense-evasionattack.t1620