Detect Reflective Code Loading in Splunk
This detection identifies adversaries loading and executing code directly within process memory to evade disk-based detection controls. Reflective code loading encompasses techniques such as .NET assembly loading via PowerShell's Assembly.Load() method, position-independent shellcode injected into self-owned process memory via VirtualAlloc/CreateThread, ELF or PE loading from anonymous memory regions, and fileless .NET CLR hosting. Because no file is written to disk, traditional file-based AV and EDR telemetry is bypassed; detections must focus on command-line indicators, suspicious memory allocation API call patterns, unusual .NET CLR loading within scripting hosts, and anomalous process behaviors such as spawning threads from heap memory regions.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1620 Reflective Code Loading
- Canonical reference: https://attack.mitre.org/techniques/T1620/
SPL Detection Query

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmdline=lower(CommandLine), parent=lower(ParentImage), proc=lower(Image)
| where match(cmdline, "assembly\.load|\[system\.reflection\.assembly\]|reflection\.assembly::load")
    OR match(cmdline, "invoke-reflectivepeinjection|invoke-shellcode|reflectivepeloader|loadlibraryr")
    OR match(cmdline, "ntallocatevirtualmemory|virtualallocex")
    OR (match(cmdline, "frombase64string") AND match(cmdline, "assembly|load|clr"))
| where match(proc, "powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe")
    OR match(parent, "powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe")
| eval CmdLineLength=len(CommandLine)
| eval EncodedPayload=if(match(CommandLine, "[A-Za-z0-9+/]{200,}={0,2}"), "true", "false")
| eval RiskScore=case(
    match(cmdline, "invoke-reflectivepeinjection|invoke-shellcode"), 100,
    match(cmdline, "assembly\.load") AND EncodedPayload=="true", 80,
    match(cmdline, "assembly\.load"), 60,
    match(cmdline, "frombase64string") AND match(cmdline, "assembly"), 65,
    true(), 50)
| eval Severity=case(RiskScore>=90, "Critical", RiskScore>=70, "High", RiskScore>=50, "Medium", true(), "Low")
| table _time, ComputerName, User, Image, CommandLine, ParentImage, ParentCommandLine, CmdLineLength, EncodedPayload, RiskScore, Severity, Hashes
| sort - RiskScore, _time

Detects reflective code loading via Sysmon process creation events (Event ID 1), targeting scripting hosts and LOLBins executing commands containing .NET Assembly.Load patterns, known reflective injection tool names, and base64-encoded payloads combined with assembly loading keywords. Risk scoring prioritizes known tooling names over heuristic patterns.
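To exercise the query's matching and scoring logic offline before deploying it, the following Python script, added here and not part of the original detection package, re-implements the two where clauses, the EncodedPayload eval and the RiskScore case() over constructed Sysmon Event ID 1 records. The parent-image allowlist is a hypothetical tuning hook for the build-agent and automation cases in the False Positives section; the SPL above has no such filter, and the build-agent path is invented for the example.

```python
import re
from dataclasses import dataclass

# Regexes copied from the SPL query; command-line patterns run on the lower-cased value.
CMD_PATTERNS = [
    re.compile(r"assembly\.load|\[system\.reflection\.assembly\]|reflection\.assembly::load"),
    re.compile(r"invoke-reflectivepeinjection|invoke-shellcode|reflectivepeloader|loadlibraryr"),
    re.compile(r"ntallocatevirtualmemory|virtualallocex"),
]
B64_DECODE = re.compile(r"frombase64string")
LOADER_WORDS = re.compile(r"assembly|load|clr")
HOSTS = re.compile(r"powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe")
PARENT_HOSTS = re.compile(r"powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe")
# EncodedPayload in the SPL is evaluated against the raw, case-preserved CommandLine.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


@dataclass
class Event:
    """Fields of a Sysmon Event ID 1 record that the detection consumes."""
    image: str
    parent_image: str
    command_line: str


def severity(score):
    """Same thresholds as the Severity eval in the query."""
    if score >= 90:
        return "Critical"
    if score >= 70:
        return "High"
    if score >= 50:
        return "Medium"
    return "Low"


def evaluate(ev, allowlist=()):
    """Apply the query's filters and risk scoring to one event.

    Returns None when the event would not survive the where clauses, otherwise
    a dict with the fields the SPL derives. `allowlist` holds lower-cased
    parent-image path prefixes for vetted build/automation hosts (hypothetical
    tuning, not in the SPL); a match suppresses heuristic hits but never a
    known-tool hit (score 100).
    """
    cmd = ev.command_line.lower()
    proc = ev.image.lower()
    parent = ev.parent_image.lower()

    cmd_hit = any(p.search(cmd) for p in CMD_PATTERNS) or (
        B64_DECODE.search(cmd) and LOADER_WORDS.search(cmd))
    host_hit = HOSTS.search(proc) or PARENT_HOSTS.search(parent)
    if not (cmd_hit and host_hit):
        return None

    encoded = LONG_B64.search(ev.command_line) is not None
    if re.search(r"invoke-reflectivepeinjection|invoke-shellcode", cmd):
        score = 100
    elif re.search(r"assembly\.load", cmd) and encoded:
        score = 80
    elif re.search(r"assembly\.load", cmd):
        score = 60
    elif B64_DECODE.search(cmd) and "assembly" in cmd:
        score = 65
    else:
        score = 50

    suppressed = score < 100 and any(parent.startswith(prefix) for prefix in allowlist)
    return {"score": score, "severity": severity(score), "encoded": encoded, "suppressed": suppressed}


# Constructed sample events (not real telemetry) covering three scoring paths and a non-match.
SAMPLE_EVENTS = [
    Event("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\explorer.exe",
          "powershell.exe -NoP -c \"[System.Reflection.Assembly]::Load([Convert]::FromBase64String('"
          + "A" * 240 + "'))\""),
    Event("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\System32\\cmd.exe",
          "powershell.exe -NoP -W Hidden -c \"Invoke-ReflectivePEInjection -PEBytes $b\""),
    Event("C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\BuildAgent\\bin\\agent.exe",
          "pwsh.exe -c \"[System.Reflection.Assembly]::Load([IO.File]::ReadAllBytes('C:\\src\\out\\Tool.dll'))\""),
    Event("C:\\Windows\\System32\\notepad.exe", "C:\\Windows\\explorer.exe", "notepad.exe C:\\notes.txt"),
]

# Hypothetical tuning entry: a build-agent parent path an analyst has vetted (constructed for this example).
BUILD_HOST_ALLOWLIST = ("c:\\buildagent\\",)


def run(events=SAMPLE_EVENTS, allowlist=BUILD_HOST_ALLOWLIST):
    """Evaluate every event and return the hits in the query's sort order (RiskScore descending)."""
    hits = []
    for ev in events:
        result = evaluate(ev, allowlist)
        if result is not None:
            hits.append((ev.command_line, result))
    return sorted(hits, key=lambda h: -h[1]["score"])


if __name__ == "__main__":
    for cmdline, r in run():
        print(f"{r['severity']:8} {r['score']:3} suppressed={r['suppressed']} encoded={r['encoded']} {cmdline[:70]}")
```

One thing the sample run makes visible: the first event carries a 240-character base64 blob, yet scores 65 (Medium) rather than 80, because PowerShell's `[System.Reflection.Assembly]::Load(...)` syntax never contains the literal `assembly.load` that the 80 and 60 tiers key on; only the first where clause uses the wider alternation. If that tier is meant to catch the PowerShell form, its `match()` should use the same alternation as the where clause.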
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon Event ID 1, Process Create, as used by the query above)
False Positives & Tuning
- Development environments running PowerShell build scripts that compile and load C# assemblies inline using Add-Type or Assembly.Load
- Endpoint security products (EDR/AV) that perform reflective module injection as part of their normal operation
- Enterprise automation frameworks (Ansible, Chef, Puppet) that dynamically load .NET assemblies to execute management tasks
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Assembly.Load from Base64-encoded .NET Assembly
Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with CommandLine containing 'Assembly.Load' and 'FromBase64String'. Sysmon Event ID 7 (ImageLoad) showing clr.dll and mscorlib.dll loaded into powershell.exe. PowerShell ScriptBlock log Event ID 4104 with full decoded script content.
- Test 2: Invoke-ReflectivePEInjection Simulation via PowerSploit
Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Invoke-ReflectivePEInjection'. PowerShell ScriptBlock Event ID 4104 with decoded function definition. Possible Sysmon Event ID 8 (CreateRemoteThread) if PE injection spawns threads.
- Test 3: Shellcode Reflective Execution via Add-Type PInvoke (Windows)
Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Add-Type' and 'VirtualAlloc', 'CreateThread', 'DllImport', 'kernel32'. PowerShell ScriptBlock Event ID 4104 with full C# source including PInvoke signatures. Sysmon Event ID 7 showing clr.dll and clrjit.dll loaded into powershell.exe.
References
- https://attack.mitre.org/techniques/T1620/
- https://github.com/TheWover/donut
- https://www.elastic.co/security-labs/reflective-dll-injection
- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load
- https://www.mandiant.com/resources/bring-your-own-land
- https://www.intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/