Reflective Loading from Masqueraded File - PowerShell

Rule Info

Name
Reflective Loading from Masqueraded File - PowerShell
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects a PowerShell ScriptBlock pattern in which a masqueraded file (for example, one with a .png extension) is read into a byte array and then reflectively loaded as a .NET assembly. Various threat actors use this technique to evade file-based detections.
Date
2026-02-02 00:00:00
Modified
None
Id
47052029-6cbb-4500-8e7d-f66f5bbc7a12
Tags
attack.defense-evasion attack.execution attack.t1620 attack.t1036.008 attack.t1059.001
Type
Nextron Sigma feed only (private)

Rule History