T1620 Reflective Code Loading Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ReflectiveLoadKeywords = dynamic([
    "Assembly.Load",
    "[System.Reflection.Assembly]",
    "Reflection.Assembly::Load",
    "Invoke-ReflectivePEInjection",
    "Invoke-Shellcode",
    "ReflectivePELoader",
    "LoadLibraryR",
    "NtAllocateVirtualMemory",
    "VirtualAllocEx",
    "::UnsafeLoadFrom",
    "AssemblyLoad"
]);
let Base64AssemblyPatterns = dynamic([
    "FromBase64String",
    "Convert]::FromBase64",
    "[Convert]::From"
]);
let SuspiciousHosts = dynamic([
    "powershell.exe", "pwsh.exe", "cscript.exe",
    "wscript.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "msiexec.exe"
]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ (SuspiciousHosts)
    or InitiatingProcessFileName in~ (SuspiciousHosts)
| where ProcessCommandLine has_any (ReflectiveLoadKeywords)
    or ProcessCommandLine has_any (Base64AssemblyPatterns)
    or InitiatingProcessCommandLine has_any (ReflectiveLoadKeywords)
| extend CmdLineLen = strlen(ProcessCommandLine)
| extend EncodedPayloadLikely = iff(
    ProcessCommandLine matches regex @"[A-Za-z0-9+/]{200,}={0,2}",
    true, false)
| extend Severity = case(
    ProcessCommandLine has "Invoke-ReflectivePEInjection", "Critical",
    ProcessCommandLine has "Invoke-Shellcode", "Critical",
    ProcessCommandLine has "Assembly.Load" and EncodedPayloadLikely == true, "High",
    ProcessCommandLine has "Assembly.Load", "Medium",
    "Medium")
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    AccountDomain,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessAccountName,
    CmdLineLen,
    EncodedPayloadLikely,
    Severity,
    SHA256,
    ProcessId,
    InitiatingProcessId
| order by TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate .NET applications and developer tooling that use Assembly.Load() or Reflection.Assembly for plugin systems (e.g., Visual Studio extensions, Roslyn compilers)
Security tooling and EDR agents that use reflective loading for their own module injection (e.g., CrowdStrike Falcon sensor, Carbon Black)
PowerShell modules that use Add-Type or Assembly.Load to compile and load inline C# at runtime for legitimate administrative tasks (e.g., ActiveDirectory management scripts)

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmdline=lower(CommandLine), parent=lower(ParentImage), proc=lower(Image)
| where match(cmdline, "assembly\.load|\[system\.reflection\.assembly\]|reflection\.assembly::load")
    OR match(cmdline, "invoke-reflectivepeinjection|invoke-shellcode|reflectivepeloader|loadlibraryr")
    OR match(cmdline, "ntallocatevirtualmemory|virtualallocex")
    OR (match(cmdline, "frombase64string") AND match(cmdline, "assembly|load|clr"))
| where match(proc, "powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe")
    OR match(parent, "powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe")
| eval CmdLineLength=len(CommandLine)
| eval EncodedPayload=if(match(CommandLine, "[A-Za-z0-9+/]{200,}={0,2}"), "true", "false")
| eval RiskScore=case(
    match(cmdline, "invoke-reflectivepeinjection|invoke-shellcode"), 100,
    match(cmdline, "assembly\.load") AND EncodedPayload=="true", 80,
    match(cmdline, "assembly\.load"), 60,
    match(cmdline, "frombase64string") AND match(cmdline, "assembly"), 65,
    true(), 50)
| eval Severity=case(RiskScore>=90, "Critical", RiskScore>=70, "High", RiskScore>=50, "Medium", true(), "Low")
| table _time, ComputerName, User, Image, CommandLine, ParentImage, ParentCommandLine, CmdLineLength, EncodedPayload, RiskScore, Severity, Hashes
| sort - RiskScore, _time

high severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Development environments running PowerShell build scripts that compile and load C# assemblies inline using Add-Type or Assembly.Load
Endpoint security products (EDR/AV) that perform reflective module injection as part of their normal operation
Enterprise automation frameworks (Ansible, Chef, Puppet) that dynamically load .NET assemblies to execute management tasks

Elastic Security (EQL)

eql

process where process.name in ("powershell.exe", "pwsh.exe", "msbuild.exe", "regsvcs.exe", "regasm.exe", "installutil.exe", "csc.exe") and (process.command_line : ("*Assembly.Load*", "*[Reflection.Assembly]*", "*loadfrom*", "*[Runtime.InteropServices.Marshal]*", "*EncodedCommand*") or process.command_line : ("*-noprofile*", "*-noninteractive*", "*-windowstyle hidden*") and length(process.command_line) > 500)

high severity medium confidence

Data Sources

Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate .NET applications and developer tooling that use Assembly.Load() or Reflection.Assembly for plugin systems (e.g., Visual Studio extensions, Roslyn compilers)
Security tooling and EDR agents that use reflective loading for their own module injection (e.g., CrowdStrike Falcon sensor, Carbon Black)
PowerShell modules that use Add-Type or Assembly.Load to compile and load inline C# at runtime for legitimate administrative tasks (e.g., ActiveDirectory management scripts)

IBM QRadar (AQL)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%Assembly.Load%' AND "CommandLine" ILIKE '%[Convert]::FromBase64%' THEN 90 WHEN "CommandLine" ILIKE '%Reflection.Assembly%' OR "CommandLine" ILIKE '%loadfrom%' THEN 80 WHEN "CommandLine" ILIKE '%EncodedCommand%' AND LEN("CommandLine") > 500 THEN 75 ELSE 55 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%Assembly.Load%' OR "CommandLine" ILIKE '%Reflection.Assembly%' OR "CommandLine" ILIKE '%loadfrom%' OR ("CommandLine" ILIKE '%EncodedCommand%' AND "CommandLine" ILIKE '%noprofile%')) ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log

Required Tables

events

False Positives

Legitimate .NET applications and developer tooling that use Assembly.Load() or Reflection.Assembly for plugin systems (e.g., Visual Studio extensions, Roslyn compilers)
Security tooling and EDR agents that use reflective loading for their own module injection (e.g., CrowdStrike Falcon sensor, Carbon Black)
PowerShell modules that use Add-Type or Assembly.Load to compile and load inline C# at runtime for legitimate administrative tasks (e.g., ActiveDirectory management scripts)

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows | json auto | where (process_name in ("powershell.exe", "pwsh.exe", "msbuild.exe", "regsvcs.exe", "regasm.exe") and (command_line matches "*Assembly.Load*" or command_line matches "*Reflection.Assembly*" or command_line matches "*loadfrom*")) or (process_name = "powershell.exe" and command_line matches "*EncodedCommand*" and length(command_line) > 500) | if(matches(command_line, "*Assembly.Load*") and matches(command_line, "*FromBase64*"), "Critical", if(matches(command_line, "*Reflection.Assembly*"), "High", "Medium")) as RiskLevel | stats count by user_name, process_name, host_name, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Windows Endpoint Events

Required Tables

endpoint/windows

False Positives

Legitimate .NET applications and developer tooling that use Assembly.Load() or Reflection.Assembly for plugin systems (e.g., Visual Studio extensions, Roslyn compilers)
Security tooling and EDR agents that use reflective loading for their own module injection (e.g., CrowdStrike Falcon sensor, Carbon Black)
PowerShell modules that use Add-Type or Assembly.Load to compile and load inline C# at runtime for legitimate administrative tasks (e.g., ActiveDirectory management scripts)

Google Chronicle / SecOps

yaral

rule detect_reflective_code_loading {
  meta:
    author = "Argus"
    description = "Detects reflective code loading via Assembly.Load and similar techniques"
    severity = "HIGH"
    technique = "T1620"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.command_line, `Assembly\.Load|\[Reflection\.Assembly\]|loadfrom|\[Runtime\.InteropServices\.Marshal\]`) nocase or
      (re.regex($e.target.process.file.full_path, `msbuild\.exe|regsvcs\.exe|regasm\.exe|installutil\.exe`) nocase and
       re.regex($e.target.process.command_line, `\.dll$|\.cs$`) nocase)
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate .NET applications and developer tooling that use Assembly.Load() or Reflection.Assembly for plugin systems (e.g., Visual Studio extensions, Roslyn compilers)
Security tooling and EDR agents that use reflective loading for their own module injection (e.g., CrowdStrike Falcon sensor, Carbon Black)
PowerShell modules that use Add-Type or Assembly.Load to compile and load inline C# at runtime for legitimate administrative tasks (e.g., ActiveDirectory management scripts)

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /powershell|pwsh|msbuild|regsvcs|regasm|installutil|csc\.exe/i
| CommandHistory = /Assembly\.Load|Reflection\.Assembly|loadfrom|EncodedCommand/i
| case {
    CommandHistory = /Assembly\.Load.*FromBase64/i | LoadType := "Base64 Assembly Load";
    CommandHistory = /\[Reflection\.Assembly\]/i | LoadType := "Reflection Assembly";
    CommandHistory = /loadfrom/i | LoadType := "LoadFrom";
    ImageFileName = /msbuild|regsvcs|regasm/i | LoadType := "LOLBin Reflective Load";
    * | LoadType := "Other"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, LoadType])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor)

Required Tables

ProcessRollup2

False Positives

Legitimate .NET applications and developer tooling that use Assembly.Load() or Reflection.Assembly for plugin systems (e.g., Visual Studio extensions, Roslyn compilers)
Security tooling and EDR agents that use reflective loading for their own module injection (e.g., CrowdStrike Falcon sensor, Carbon Black)
PowerShell modules that use Add-Type or Assembly.Load to compile and load inline C# at runtime for legitimate administrative tasks (e.g., ActiveDirectory management scripts)

Reflective Code Loading

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections