The System.Reflection.Assembly.Load method can be used to load a byte array directly into memory without touching the file system. PowerShell Protect will now detect the use of this method and block the script.
The Set-MpPreference cmdlet can be used to disable Windows Defender by using the DisableRealtimeMonitoring parameter. Although administrative permissions are needed to perform this action, you will be able to see if users are attempting to execute this command and further investigate the behavior.
Invoke-Expression is used to execute arbitrary strings as PowerShell script. While it can be used for legitimate purposes, it is often used to download and execute malicious payloads, such as this recently discovered exploit.
Code can also be generated dynamically in memory using the System.Reflection.Emit namespace. Rather than invoking the C# compiler, as Add-Type does, this approach produces no file system activity while the attack is taking place. PowerShell Protect will now watch for these types of method calls, audit them and block them.
PowerSploit provides the Invoke-ReflectivePEInjection command for loading binaries into memory without file system access. You can't run Invoke-ReflectivePEInjection as-is on a default Windows environment because Defender is checking for these commands. PowerShell Protect now checks for all functions defined in PowerSploit to ensure that no one is poking around your environment with any of its tools.
Use of the System.Runtime.InteropServices.Marshal class may be an indication that someone is attempting to manipulate memory within the PowerShell process. This class provides methods for allocating unmanaged memory segments, copying bytes around and determining memory sizes, among other things.
Use of the Marshal class is rare in the C# and .NET world and should be even rarer in the PowerShell world. Although it may not be an actual attack, it's a strange thing for most sysadmins to be doing.
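The following is an added example, not PowerShell Protect's own code, showing how the indicators described on this page (Assembly.Load, Set-MpPreference -DisableRealtimeMonitoring, Invoke-Expression, System.Reflection.Emit, PowerSploit function names and the Marshal class) can be audited in a script with the PowerShell parser's AST rather than with regular expressions. The rule labels, the function name Find-SuspiciousPowerShell, and the reduced PowerSploit list (only the function named on this page) are assumptions; the sample script at the bottom is constructed for the demonstration.

```powershell
# Added example, not PowerShell Protect's own code: an AST-based audit scanner
# for the constructs described above. Rule labels and the (reduced) PowerSploit
# function list are assumptions; the sample script at the bottom is constructed.
function Find-SuspiciousPowerShell {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ScriptText
    )

    $tokens = $null
    $parseErrors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$parseErrors)

    # Only the function named on this page; extend with the rest of PowerSploit's exports.
    $powerSploitFunctions = @('Invoke-ReflectivePEInjection')

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Rule, $Node) {
        $findings.Add([pscustomobject]@{
            Rule = $Rule
            Line = $Node.Extent.StartLineNumber
            Text = $Node.Extent.Text.Trim()
        })
    }

    # 1. Static .NET member calls such as [System.Reflection.Assembly]::Load($bytes)
    $memberCalls = $ast.FindAll({ param($node)
        $node -is [System.Management.Automation.Language.InvokeMemberExpressionAst] }, $true)
    foreach ($call in $memberCalls) {
        $member = $call.Member.Extent.Text
        $typeName = $null
        if ($call.Expression -is [System.Management.Automation.Language.TypeExpressionAst]) {
            # Resolve short forms such as [Reflection.Assembly] to the full type name
            $resolved = $call.Expression.TypeName.GetReflectionType()
            $typeName = if ($resolved) { $resolved.FullName } else { $call.Expression.TypeName.FullName }
        }
        if ($typeName -eq 'System.Reflection.Assembly' -and $member -eq 'Load') {
            Add-Finding 'Assembly.Load (in-memory assembly load)' $call
        }
        elseif ($typeName -like 'System.Reflection.Emit.*' -or $member -eq 'DefineDynamicAssembly') {
            # DefineDynamicAssembly is reached through [AppDomain]::CurrentDomain, so the
            # type-name check alone would miss it; match on the member name as well.
            Add-Finding 'System.Reflection.Emit (dynamic code generation)' $call
        }
        elseif ($typeName -eq 'System.Runtime.InteropServices.Marshal') {
            Add-Finding 'Marshal (unmanaged memory manipulation)' $call
        }
    }

    # 2. Cmdlet and function invocations
    $commands = $ast.FindAll({ param($node)
        $node -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if (-not $name) { continue }   # e.g. '& $var', which the parser cannot name

        if ($name -in @('Invoke-Expression', 'iex')) {
            Add-Finding 'Invoke-Expression (string executed as script)' $cmd
        }
        elseif ($name -eq 'Set-MpPreference') {
            foreach ($element in $cmd.CommandElements) {
                # Parameter names may be abbreviated (-DisableRealtime), so match on prefix
                if ($element -is [System.Management.Automation.Language.CommandParameterAst] -and
                    'DisableRealtimeMonitoring'.StartsWith($element.ParameterName,
                        [System.StringComparison]::OrdinalIgnoreCase)) {
                    Add-Finding 'Set-MpPreference -DisableRealtimeMonitoring' $cmd
                }
            }
        }
        elseif ($name -in $powerSploitFunctions) {
            Add-Finding 'PowerSploit function' $cmd
        }
    }

    return $findings
}

# Constructed sample input that exercises each rule once
$sample = @'
$bytes = [IO.File]::ReadAllBytes('C:\temp\tool.bin')
[Reflection.Assembly]::Load($bytes) | Out-Null
Set-MpPreference -DisableRealtime $true
iex $decodedScript
$builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($name, 'Run')
Invoke-ReflectivePEInjection $bytes
$buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1024)
'@

Find-SuspiciousPowerShell -ScriptText $sample | Format-Table Rule, Line, Text -AutoSize
```

Parsing the script instead of grepping it means abbreviated parameter names, the iex alias and short type names like [Reflection.Assembly] are still caught. The scanner is an audit baseline only: anything assembled at runtime (type names built from strings, members invoked through variables, or a script that only appears after a download) is invisible to static parsing, which is why PowerShell Protect hooks the calls at execution time rather than relying on script text alone.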