Detect Reflective Code Loading in Microsoft Sentinel
This detection identifies adversaries loading and executing code directly within process memory to evade disk-based detection controls. Reflective code loading encompasses techniques such as .NET assembly loading via PowerShell's Assembly.Load() method, position-independent shellcode injected into self-owned process memory via VirtualAlloc/CreateThread, ELF or PE loading from anonymous memory regions, and fileless .NET CLR hosting. Because no file is written to disk, traditional file-based AV and EDR telemetry is bypassed; detections must focus on command-line indicators, suspicious memory allocation API call patterns, unusual .NET CLR loading within scripting hosts, and anomalous process behaviors such as spawning threads from heap memory regions.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1620 Reflective Code Loading
- Canonical reference
- https://attack.mitre.org/techniques/T1620/
KQL Detection Query
let ReflectiveLoadKeywords = dynamic([
"Assembly.Load",
"[System.Reflection.Assembly]",
"Reflection.Assembly::Load",
"Invoke-ReflectivePEInjection",
"Invoke-Shellcode",
"ReflectivePELoader",
"LoadLibraryR",
"NtAllocateVirtualMemory",
"VirtualAllocEx",
"::UnsafeLoadFrom",
"AssemblyLoad"
]);
let Base64AssemblyPatterns = dynamic([
"FromBase64String",
"Convert]::FromBase64",
"[Convert]::From"
]);
let SuspiciousHosts = dynamic([
"powershell.exe", "pwsh.exe", "cscript.exe",
"wscript.exe", "mshta.exe", "rundll32.exe",
"regsvr32.exe", "msiexec.exe"
]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ (SuspiciousHosts)
or InitiatingProcessFileName in~ (SuspiciousHosts)
| where ProcessCommandLine has_any (ReflectiveLoadKeywords)
or ProcessCommandLine has_any (Base64AssemblyPatterns)
or InitiatingProcessCommandLine has_any (ReflectiveLoadKeywords)
| extend CmdLineLen = strlen(ProcessCommandLine)
| extend EncodedPayloadLikely = iff(
ProcessCommandLine matches regex @"[A-Za-z0-9+/]{200,}={0,2}",
true, false)
| extend Severity = case(
ProcessCommandLine has "Invoke-ReflectivePEInjection", "Critical",
ProcessCommandLine has "Invoke-Shellcode", "Critical",
ProcessCommandLine has "Assembly.Load" and EncodedPayloadLikely == true, "High",
ProcessCommandLine has "Assembly.Load", "Medium",
"Medium")
| project
TimeGenerated,
DeviceName,
AccountName,
AccountDomain,
FileName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountName,
CmdLineLen,
EncodedPayloadLikely,
Severity,
SHA256,
ProcessId,
InitiatingProcessId
| order by TimeGenerated descDetects reflective code loading in scripting hosts and common LOLBins by searching for .NET Assembly.Load() calls, reflective PE injection tooling keywords, and large base64-encoded blobs combined with assembly loading. Flags known offensive tooling names (Invoke-ReflectivePEInjection, Invoke-Shellcode) as Critical, and heuristic patterns (Assembly.Load + encoded payload) as High.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate .NET applications and developer tooling that use Assembly.Load() or Reflection.Assembly for plugin systems (e.g., Visual Studio extensions, Roslyn compilers)
- Security tooling and EDR agents that use reflective loading for their own module injection (e.g., CrowdStrike Falcon sensor, Carbon Black)
- PowerShell modules that use Add-Type or Assembly.Load to compile and load inline C# at runtime for legitimate administrative tasks (e.g., ActiveDirectory management scripts)
Other platforms for T1620
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Assembly.Load from Base64-encoded .NET Assembly
Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with CommandLine containing 'Assembly.Load' and 'FromBase64String'. Sysmon Event ID 7 (ImageLoad) showing clr.dll and mscorlib.dll loaded into powershell.exe. PowerShell ScriptBlock log Event ID 4104 with full decoded script content.
- Test 2Invoke-ReflectivePEInjection Simulation via PowerSploit
Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Invoke-ReflectivePEInjection'. PowerShell ScriptBlock Event ID 4104 with decoded function definition. Possible Sysmon Event ID 8 (CreateRemoteThread) if PE injection spawns threads.
- Test 3Shellcode Reflective Execution via Add-Type PInvoke (Windows)
Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Add-Type' and 'VirtualAlloc', 'CreateThread', 'DllImport', 'kernel32'. PowerShell ScriptBlock Event ID 4104 with full C# source including PInvoke signatures. Sysmon Event ID 7 showing clr.dll and clrjit.dll loaded into powershell.exe.
References (7)
- https://attack.mitre.org/techniques/T1620/
- https://github.com/TheWover/donut
- https://www.elastic.co/security-labs/reflective-dll-injection
- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load
- https://www.mandiant.com/resources/bring-your-own-land
- https://www.intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/
Unlock Pro Content
Get the full detection package for T1620 including response playbook, investigation guide, and atomic red team tests.