high
advisory
AMSI Bypass via PowerShell Reflection
2 rules, 1 TTP
Detection of AMSI (Antimalware Scan Interface) tampering via PowerShell reflection, utilizing PowerShell Script Block Logging (EventCode=4104) to identify commands manipulating `system.management.automation.amsi`, potentially leading to undetected malicious code execution and system compromise.
Splunk Enterprise +2
amsi-bypass
powershell
reflection
defense-evasion
high
advisory
PowerShell Loading .NET Assemblies via Reflection
2 rules, 1 TTP
This analytic detects PowerShell scripts leveraging .NET reflection to load assemblies into memory, a technique commonly used by threat actors to bypass defenses and execute malicious code.
PowerShell
reflection
dotnet
memory-injection
attack.execution
attack.t1059.001