Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call | Standard | Windows | Defense Evasion: Obfuscated Files or Information (T1027), Execution: Command and Scripting Interpreter - PowerShell (T1059.001) | Trouble |
About the rule
Rule Type
Standard
Rule Description
This rule looks for suspicious Base64-encoded and obfuscated LOAD keywords embedded in .NET reflection.assembly calls. Attackers use this technique to perform in-memory execution of malicious .NET payloads without writing files to disk. By leveraging obfuscation and encoded commands, they can evade traditional signature-based security tools and execute code stealthily in RAM.
Severity
Trouble
Rule journey
Attack chain scenario
Compromised web server → Weaponized .NET loader uploaded → Encoded PowerShell runs loader in memory → Obfuscated reflection LOAD used → Payload executes fully in RAM
Impact
- Memory-resident malware execution
- Full system compromise
- Data breach
Rule Requirement
Prerequisites
Process Creation Auditing
Via Windows Event Viewer (GPO)
- Open GPMC (gpmc.msc) using a domain admin account.
- Navigate to:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking - Enable:
- Audit Process Creation
- Audit Process Termination
(Check “Success” box for both)
- For command-line logging:
Go to:
Computer Configuration > Administrative Templates > System > Audit Process Creation
→ Enable “Include command line in process creation events.” - Create registry key (if missing):
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing/Operational
Using Sysmon
To set up process creation monitoring with Sysmon:
1.Download and install Sysmon from Microsoft Sysinternals.
2. Open a Command Prompt with administrator privileges.
3. Create or download a Sysmon configuration file that includes process creation monitoring. A basic example for capturing all process creations is:
<Sysmon>
<EventFiltering>
<ProcessCreate onmatch="exclude"/>
</EventFiltering>
</Sysmon>
4. Install Sysmon with your configuration file using the command:
sysmon.exe -i [configfile.xml] (Replace [configfile.xml] with your file's path and name).
5. Ensure a new registry key named "Microsoft-Windows-Sysmon/Operational" exists in the directory Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\. If not, create it.
Criteria
Action1: actionname = "Process started" AND COMMANDLINE contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ,oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA,6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA,OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ,oAOgAoACIATABvACIAKwAiAGEAZAAiACkA,6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA,OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ,oAOgAoACIATABvAGEAIgArACIAZAAiACkA,6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA,OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ,oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA,6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA,OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ,oAOgAoACcATABvACcAKwAnAGEAZAAnACkA,6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA,OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ,oAOgAoACcATABvAGEAJwArACcAZAAnACkA,6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: Obfuscated Files or Information (T1027), Execution: Command and Scripting Interpreter - PowerShell (T1059.001)
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
NIST CSF DE.CM-1: Network and physical activities are monitored to detect anomalous events.
When this rule is triggered, you're notified of Base64-encoded and obfuscated LOAD keywords within PowerShell command lines, which are strong indicators of reflective .NET assembly loading. This enables you to restrict execution policies and allow only signed scripts.
Author
pH-T (Nextron Systems)
Future actions
Known False Positives
Internal red team exercises using encoded reflection assembly loads may also trigger this rule.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Audit PowerShell activities: Enable PowerShell Script Block Logging to capture all executed code blocks.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1049 | Implement antivirus or antimalware scanning to isolate suspicious files. | |
M1045 | Configure policies that allow PowerShell to execute only signed scripts. | |
M1042 | Restrict or disable PowerShell on systems where it is not required. | |
M1038 | Restrict the execution of scripts that contain sensitive language elements i.e., malicious codes using the PowerShell Constrained Language mode. | |
M1026 | Restrict privileges to execute PowerShell scripts to administrators and enforce limitations on the commands that can be executed via remote PowerShell sessions. | |
M1047 | Enable detailed logging for process creation and command-line activity to capture crucial forensic data. | |
M1040 | On Windows 10 and newer, enable Attack Surface Reduction (ASR) rules to prevent potentially harmful scripts (like Visual Basic or JavaScript) from running if they originate from the internet or email. | |
M1017 | Train users to close all browser sessions upon completion to prevent any potentially malicious extensions from continuing to operate in the background. |
