legitimate psreflect use when reconstructed content, imported api set, script origin, launcher, user/host scope, and same-host effects align with an approved workflow

t1059
t1106
windows
elastic

Techniques

T1059
T1106

Sample rules

PowerShell PSReflect Script

source: elastic
technicques:
- T1059
- T1106

Description

Detects PowerShell script block content containing PSReflect-style helper indicators, such as Add-Win32Type, New-InMemoryModule, or DllImport patterns, that may support dynamic Win32 API invocation from PowerShell.

Detection logic

event.category:process and host.os.type:windows and
  powershell.file.script_block_text:(
    "New-InMemoryModule" or
    "Add-Win32Type" or
    psenum or
    DefineDynamicAssembly or
    DefineDynamicModule or
    "Reflection.TypeAttributes" or
    "Reflection.Emit.OpCodes" or
    "Reflection.Emit.CustomAttributeBuilder" or
    "Runtime.InteropServices.DllImportAttribute"
  ) and
  not user.id : "S-1-5-18"