ExecutionContext Reflection Abuse

Rule Info

Name
ExecutionContext Reflection Abuse
Author
X__Junior
Description
Detects attempts to abuse PowerShell `$ExecutionContext` and variable drives to access the runtime environment via reflection methods (`Get-ChildItem`, `Get-Item`, `.Name-*like`). Such techniques are commonly used in obfuscated payloads to dynamically resolve and execute commands while evading detection. This behavior is associated with defense evasion tactics and fileless malware execution.
Reference
https://x.com/AzakaSekai_/status/1889913936981672376
Date
2025-02-14 00:00:00
Modified
None
Id
9c45fe68-fa2a-4251-9d86-2b1c17b9f9bd
Tags
attack.defense-evasion attack.t1070.004 attack.t1059.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022