Name: PowerShell Loading DotNET into Memory via Reflection
id: 85bc3f30-ca28-11eb-bd21-acde48001122
version: 5
date: 2024-09-30
author: Michael Haag, Splunk
status: production
type: TTP
Description: The following analytic detects the use of PowerShell to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.
Data_source:
- Powershell Script Block Logging 4104
search: `powershell` EventCode=4104 ScriptBlockText IN ("*[system.reflection.assembly]::load(*","*[reflection.assembly]*", "*reflection.assembly*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions are available at https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: False positives should be limited, as day-to-day scripts do not use this method.
References:
- https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=net-5.0
- https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
- https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
drilldown_searches:
- name: 'View the detection results for - "$Computer$" and "$UserID$"'
  search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
- name: 'View risk events for the last 7 days for - "$Computer$" and "$UserID$"'
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
tags:
  analytic_story:
  - 'Winter Vivern'
  - 'AgentTesla'
  - 'AsyncRAT'
  - 'Hermetic Wiper'
  - 'Malicious PowerShell'
  - 'Data Destruction'
  asset_type: Endpoint
  confidence: 80
  impact: 70
  message: A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$
  mitre_attack_id:
  - 'T1059'
  - 'T1059.001'
  observable:
  - name: 'Computer'
    type: 'Hostname'
    role:
    - 'Victim'
  - name: 'UserID'
    type: 'User'
    role:
    - 'Victim'
  product:
  - 'Splunk Enterprise'
  - 'Splunk Enterprise Security'
  - 'Splunk Cloud'
  required_fields:
  - '_time'
  - 'ScriptBlockText'
  - 'Opcode'
  - 'Computer'
  - 'UserID'
  - 'EventCode'
  risk_score: 56
  security_domain: endpoint