Reflective Loading from Masqueraded File

Rule Info

Name: Reflective Loading from Masqueraded File
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects a PowerShell command pattern where a masqueraded file (e.g., a .png) is read into a byte array and then reflectively loaded as a .NET assembly. This technique is used by various threat actors to evade file-based detections.
Date: 2026-02-02 00:00:00
Modified: None
Id: 01bb6561-67b7-413c-a6d0-26259a831930
Tags: attack.defense-evasion attack.execution attack.t1620 attack.t1036.008 attack.t1059.001
Type: Nextron Sigma feed only (private)

Rule History