PS ExecutionContext Reflection Abuse

Rule Info

Name: PS ExecutionContext Reflection Abuse
Author: X__Junior
Description: Detects attempts to abuse the PowerShell `$ExecutionContext` object and variable drives to reach the runtime environment through reflection-style lookups (`Get-ChildItem`, `Get-Item`, `.Name -like`). Obfuscated payloads commonly use this technique to resolve and execute commands dynamically while evading detection. The behavior is associated with defense evasion and fileless malware execution.
Date: 2025-02-14 00:00:00
Modified: None
Id: a8e3ed21-549b-4b27-aefe-08cfac53897d
Tags: attack.defense-evasion
Type: Nextron Sigma feed only (private)

Rule History