T1620 Google Chronicle · YARA-L

Detect Reflective Code Loading in Google Chronicle

This detection identifies adversaries loading and executing code directly within process memory to evade disk-based detection controls. Reflective code loading encompasses techniques such as .NET assembly loading via PowerShell's Assembly.Load() method, position-independent shellcode injected into self-owned process memory via VirtualAlloc/CreateThread, ELF or PE loading from anonymous memory regions, and fileless .NET CLR hosting. Because no file is written to disk, traditional file-based AV and EDR telemetry is bypassed; detections must focus on command-line indicators, suspicious memory allocation API call patterns, unusual .NET CLR loading within scripting hosts, and anomalous process behaviors such as spawning threads from heap memory regions.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1620 Reflective Code Loading
Canonical reference
https://attack.mitre.org/techniques/T1620/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule detect_reflective_code_loading {
  meta:
    author = "Argus"
    description = "Detects reflective code loading via Assembly.Load and similar techniques"
    severity = "HIGH"
    technique = "T1620"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.command_line, `Assembly\.Load|\[Reflection\.Assembly\]|loadfrom|\[Runtime\.InteropServices\.Marshal\]`) nocase or
      (re.regex($e.target.process.file.full_path, `msbuild\.exe|regsvcs\.exe|regasm\.exe|installutil\.exe`) nocase and
       re.regex($e.target.process.command_line, `\.dll$|\.cs$`) nocase)
    )
  condition:
    $e
}
high severity medium confidence

Google Chronicle YARA-L 2.0 rule for T1620 detection using UDM event types and field matching. Detects reflective code loading in scripting hosts and common LOLBins by searching for .NET Assembly

Data Sources

Endpoint Telemetry

Required Tables

PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate .NET applications and developer tooling that use Assembly.Load() or Reflection.Assembly for plugin systems (e.g., Visual Studio extensions, Roslyn compilers)
  • Security tooling and EDR agents that use reflective loading for their own module injection (e.g., CrowdStrike Falcon sensor, Carbon Black)
  • PowerShell modules that use Add-Type or Assembly.Load to compile and load inline C# at runtime for legitimate administrative tasks (e.g., ActiveDirectory management scripts)
Download portable Sigma rule (.yml)

Other platforms for T1620

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Assembly.Load from Base64-encoded .NET Assembly

    Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with CommandLine containing 'Assembly.Load' and 'FromBase64String'. Sysmon Event ID 7 (ImageLoad) showing clr.dll and mscorlib.dll loaded into powershell.exe. PowerShell ScriptBlock log Event ID 4104 with full decoded script content.

  2. Test 2Invoke-ReflectivePEInjection Simulation via PowerSploit

    Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Invoke-ReflectivePEInjection'. PowerShell ScriptBlock Event ID 4104 with decoded function definition. Possible Sysmon Event ID 8 (CreateRemoteThread) if PE injection spawns threads.

  3. Test 3Shellcode Reflective Execution via Add-Type PInvoke (Windows)

    Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Add-Type' and 'VirtualAlloc', 'CreateThread', 'DllImport', 'kernel32'. PowerShell ScriptBlock Event ID 4104 with full C# source including PInvoke signatures. Sysmon Event ID 7 showing clr.dll and clrjit.dll loaded into powershell.exe.

Last updated: 2026-03-20 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1620 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1055Process InjectionT1059.001PowerShellT1027.009Embedded PayloadsT1027.011Fileless StorageT1218.011Rundll32T1129Shared Modules

Same Tactic: Defense Evasion

Popular Detections