T1620 IBM QRadar · QRadar

Detect Reflective Code Loading in IBM QRadar

This detection identifies adversaries loading and executing code directly within process memory to evade disk-based detection controls. Reflective code loading encompasses techniques such as .NET assembly loading via PowerShell's Assembly.Load() method, position-independent shellcode injected into self-owned process memory via VirtualAlloc/CreateThread, ELF or PE loading from anonymous memory regions, and fileless .NET CLR hosting. Because no file is written to disk, traditional file-based AV and EDR telemetry is bypassed; detections must focus on command-line indicators, suspicious memory allocation API call patterns, unusual .NET CLR loading within scripting hosts, and anomalous process behaviors such as spawning threads from heap memory regions.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1620 Reflective Code Loading
Canonical reference
https://attack.mitre.org/techniques/T1620/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%Assembly.Load%' AND "CommandLine" ILIKE '%[Convert]::FromBase64%' THEN 90 WHEN "CommandLine" ILIKE '%Reflection.Assembly%' OR "CommandLine" ILIKE '%loadfrom%' THEN 80 WHEN "CommandLine" ILIKE '%EncodedCommand%' AND LEN("CommandLine") > 500 THEN 75 ELSE 55 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%Assembly.Load%' OR "CommandLine" ILIKE '%Reflection.Assembly%' OR "CommandLine" ILIKE '%loadfrom%' OR ("CommandLine" ILIKE '%EncodedCommand%' AND "CommandLine" ILIKE '%noprofile%')) ORDER BY "RiskScore" DESC LAST 24 HOURS
high severity medium confidence

IBM QRadar AQL translation of the T1620 detection. Uses SQL-like syntax with risk scoring. Detects reflective code loading in scripting hosts and common LOLBins by searching for .NET Assembly

Data Sources

Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Legitimate .NET applications and developer tooling that use Assembly.Load() or Reflection.Assembly for plugin systems (e.g., Visual Studio extensions, Roslyn compilers)
  • Security tooling and EDR agents that use reflective loading for their own module injection (e.g., CrowdStrike Falcon sensor, Carbon Black)
  • PowerShell modules that use Add-Type or Assembly.Load to compile and load inline C# at runtime for legitimate administrative tasks (e.g., ActiveDirectory management scripts)
Download portable Sigma rule (.yml)

Other platforms for T1620

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Assembly.Load from Base64-encoded .NET Assembly

    Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with CommandLine containing 'Assembly.Load' and 'FromBase64String'. Sysmon Event ID 7 (ImageLoad) showing clr.dll and mscorlib.dll loaded into powershell.exe. PowerShell ScriptBlock log Event ID 4104 with full decoded script content.

  2. Test 2Invoke-ReflectivePEInjection Simulation via PowerSploit

    Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Invoke-ReflectivePEInjection'. PowerShell ScriptBlock Event ID 4104 with decoded function definition. Possible Sysmon Event ID 8 (CreateRemoteThread) if PE injection spawns threads.

  3. Test 3Shellcode Reflective Execution via Add-Type PInvoke (Windows)

    Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Add-Type' and 'VirtualAlloc', 'CreateThread', 'DllImport', 'kernel32'. PowerShell ScriptBlock Event ID 4104 with full C# source including PInvoke signatures. Sysmon Event ID 7 showing clr.dll and clrjit.dll loaded into powershell.exe.

Last updated: 2026-03-20 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1620 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1055Process InjectionT1059.001PowerShellT1027.009Embedded PayloadsT1027.011Fileless StorageT1218.011Rundll32T1129Shared Modules

Same Tactic: Defense Evasion

Popular Detections