{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/psreflect/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["powershell","psreflect","windows","execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies PowerShell scripts that utilize PSReflect techniques to dynamically invoke Win32 APIs. PSReflect allows PowerShell scripts to interact with native Windows APIs, potentially enabling malicious activities such as memory manipulation, privilege escalation, and bypassing security controls. The rule focuses on detecting specific keywords and patterns within PowerShell script block content, including \u0026ldquo;New-InMemoryModule\u0026rdquo;, \u0026ldquo;Add-Win32Type\u0026rdquo;, \u0026ldquo;DllImportAttribute\u0026rdquo;, and others indicative of PSReflect usage. The rule aims to catch scripts that might be used for malicious purposes by leveraging the power of native API calls within the PowerShell environment. It\u0026rsquo;s important for defenders as it helps identify potentially harmful scripts that may be attempting to perform unauthorized actions on a Windows system. The rule was last updated in May 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either file-based or fileless, on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains code that utilizes PSReflect techniques to dynamically load and call Win32 APIs.\u003c/li\u003e\n\u003cli\u003eThe script uses functions like \u003ccode\u003eAdd-Win32Type\u003c/code\u003e or \u003ccode\u003eNew-InMemoryModule\u003c/code\u003e to create in-memory modules and import necessary Win32 API functions.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003eDllImportAttribute\u003c/code\u003e to define the imported API functions and their corresponding DLLs.\u003c/li\u003e\n\u003cli\u003eThe script then calls the imported Win32 APIs to perform malicious actions, such as memory manipulation, process injection, or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe malicious actions may include injecting code into other processes, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining control of the system, stealing sensitive data, or causing damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via PSReflect can lead to a wide range of malicious activities, including privilege escalation, code injection, and system compromise. An attacker could potentially gain complete control over the affected system, steal sensitive information, or use the system as a launchpad for further attacks. The impact can be severe, especially if the compromised system is a critical server or workstation within the organization. The rule helps to identify potential threats before they can cause significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate the necessary events for detection, as detailed in the setup instructions referenced in the original rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect suspicious PowerShell scripts utilizing PSReflect techniques. Tune the rules for your specific environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules by reconstructing the full script block using \u003ccode\u003epowershell.file.script_block_id\u003c/code\u003e, \u003ccode\u003epowershell.sequence\u003c/code\u003e, and \u003ccode\u003epowershell.total\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eReview the process execution telemetry (\u003ccode\u003ehost.id + process.pid\u003c/code\u003e) to understand how PowerShell was launched and identify any suspicious parent processes.\u003c/li\u003e\n\u003cli\u003eConsider implementing restrictions on PowerShell interop and unsigned script execution to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:00:00Z","date_published":"2024-01-02T18:00:00Z","id":"/briefs/2024-01-powershell-psreflect/","summary":"This rule detects PowerShell script block content containing PSReflect-style helper indicators, such as Add-Win32Type, New-InMemoryModule, or DllImport patterns, that may support dynamic Win32 API invocation from PowerShell.","title":"PowerShell PSReflect Script Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-psreflect/"}],"language":"en","title":"CraftedSignal Threat Feed — Psreflect","version":"https://jsonfeed.org/version/1.1"}