{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/memory-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["powershell","reflection","dotnet","memory-injection","attack.execution","attack.t1059.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the use of PowerShell to load .NET assemblies into memory using reflection, a technique frequently observed in advanced attacks. Threat actors, including those employing frameworks like Empire and Cobalt Strike, utilize this method to execute code directly in memory, evading traditional file-based security controls. The detection strategy focuses on PowerShell Script Block Logging (EventCode=4104), which captures the full commands executed, enabling analysis for specific reflection-related keywords. This behavior is a strong indicator of potential malicious activity, as it allows for unauthorized code execution, privilege escalation, and persistent access. Defenders should prioritize detection and response to such events to mitigate the risk of compromise. The technique allows attackers to bypass traditional defenses, execute code in memory, and potentially establish persistence within the targeted environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell Execution: The attacker executes PowerShell, often obfuscated or encoded, to avoid detection.\u003c/li\u003e\n\u003cli\u003eReflection Assembly Loading: The PowerShell script uses reflection techniques, such as \u003ccode\u003e[System.Reflection.Assembly]::Load()\u003c/code\u003e, to load a .NET assembly directly into memory.\u003c/li\u003e\n\u003cli\u003eBypassing Security Controls: The in-memory execution bypasses traditional security controls that scan files on disk.\u003c/li\u003e\n\u003cli\u003eMalicious Code Execution: The loaded assembly contains malicious code, which could be a payload for lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The malicious code may attempt to escalate privileges to gain higher-level access to the system.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised system as a springboard to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution, privilege escalation, and persistent access within the environment. By loading .NET assemblies directly into memory, attackers can bypass traditional file-based security controls, making detection more challenging. This technique is often employed in advanced attacks, potentially affecting numerous systems across the network, leading to significant data breaches and system compromise. While specific victim counts are not available, the impact is considered high due to the potential for widespread damage and data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (EventCode=4104) on all endpoints to capture the full commands executed, as referenced in the description.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect PowerShell scripts loading .NET assemblies into memory via reflection.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any alerts generated by the Sigma rules, prioritizing systems with high-value data or critical functions.\u003c/li\u003e\n\u003cli\u003eRegularly review and update PowerShell execution policies to restrict the execution of unsigned or untrusted scripts.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell logs for suspicious activity, such as the use of reflection techniques to load assemblies from unusual locations.\u003c/li\u003e\n\u003cli\u003eConsult the references provided, specifically the Microsoft .NET API documentation and the Palantir article on event tracing, to deepen your understanding of the attack techniques and potential mitigations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-powershell-reflection-load/","summary":"This analytic detects PowerShell scripts leveraging .NET reflection to load assemblies into memory, a technique commonly used by threat actors to bypass defenses and execute malicious code.","title":"PowerShell Loading .NET Assemblies via Reflection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-reflection-load/"}],"language":"en","title":"CraftedSignal Threat Feed — Memory-Injection","version":"https://jsonfeed.org/version/1.1"}