T1620

Reflective Code Loading

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating and then executing payloads directly within the memory of the process, rather than creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)). Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snippets of fileless executable code (ex: position...
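
The defining artefact of the technique described above is executable memory that no file on disk backs. The following added example (written for this page; it is not code from MITRE ATT&CK or from any of the detection sources listed below) shows one way to hunt for that artefact on Linux: parse `/proc/<pid>/maps` and flag executable regions that are anonymous, backed by a `memfd:` or deleted file, or both writable and executable. The `SAMPLE_MAPS` text is constructed for the demonstration, and the scoring rules in `suspicious_mappings` are this example's own assumptions, not a published detection.

```python
"""Hunt for reflective code loading artefacts in Linux /proc/<pid>/maps.

Added example for illustration only; not from the page, MITRE ATT&CK, or
any listed detection source. SAMPLE_MAPS below is constructed, not captured.
"""
import re
from dataclasses import dataclass

# /proc/<pid>/maps line layout: address perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Kernel-provided executable pseudo-regions that every process has.
BENIGN_PSEUDO = {"[vdso]", "[vsyscall]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms


def parse_maps(text: str) -> list[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], int(m["inode"]), m["path"].strip()))
    return out


def suspicious_mappings(mappings, min_size=0x1000):
    """Return (mapping, reason) pairs for executable regions worth triage.

    Rules (assumptions of this example; tune to your own baseline):
      * executable region backed by memfd: or a deleted file
      * executable region with no backing file at all (anonymous)
      * executable [heap]/[stack]-style pseudo-region (vdso/vsyscall excluded)
      * any region that is both writable and executable (RWX)
    JIT engines (browsers, JVMs, .NET) create anonymous RX/RWX memory
    legitimately, so treat hits as leads, not verdicts.
    """
    findings = []
    for mp in mappings:
        if not mp.executable or mp.size < min_size:
            continue
        reasons = []
        if mp.path.startswith("/memfd:") or "(deleted)" in mp.path:
            reasons.append("backed by memfd/deleted file")
        elif not mp.path:
            reasons.append("anonymous (no backing file)")
        elif mp.path.startswith("[") and mp.path not in BENIGN_PSEUDO:
            reasons.append(f"executable pseudo-region {mp.path}")
        if mp.writable:
            reasons.append("writable+executable (RWX)")
        if reasons:
            findings.append((mp, "; ".join(reasons)))
    return findings


def scan_text(text: str):
    return suspicious_mappings(parse_maps(text))


def scan_pid(pid: int):
    """Scan a live process (requires permission to read its maps file)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return scan_text(fh.read())


# Constructed sample: a normal binary and libc, plus an RWX anonymous blob
# and a payload executed from a memfd that was then unlinked.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a01000 r--p 00000000 fd:01 1312345 /usr/bin/victim
55d0c0a01000-55d0c0a02000 r-xp 00001000 fd:01 1312345 /usr/bin/victim
55d0c1e00000-55d0c1e21000 rw-p 00000000 00:00 0       [heap]
7f3a9c000000-7f3a9c021000 rwxp 00000000 00:00 0
7f3a9c200000-7f3a9c2dd000 r-xp 00000000 00:05 98765   /memfd:payload (deleted)
7f3a9c400000-7f3a9c401000 r-xp 00000000 fd:01 1310720 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd1a3e0000-7ffd1a401000 rw-p 00000000 00:00 0       [stack]
7ffd1a4ff000-7ffd1a501000 r-xp 00000000 00:00 0       [vdso]
"""

if __name__ == "__main__":
    for mp, why in scan_text(SAMPLE_MAPS):
        print(f"{mp.start:016x}-{mp.end:016x} {mp.perms} {mp.path or '<anon>'}: {why}")
```

On the constructed sample the scan returns two hits: the anonymous `rwxp` region (flagged as both anonymous and RWX) and the `memfd:payload (deleted)` region; the file-backed `r-xp` segments of the binary and libc, and the kernel's `[vdso]`, are not flagged. The Windows analogue is private committed memory with execute permission that no image section backs, which is what the "Process Creation", "Kernel" and "PowerShell" detection categories below generally key on; on any platform, baseline JIT-heavy processes first or the rule will be noisy.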

Platforms: Linux, macOS, Windows
Detections: 12
Sources: 4
Threat Actors: 4

BY SOURCE

elastic: 8
sigma: 2
crowdstrike_cql: 1
splunk_escu: 1

PROCEDURES (9)

General Monitoring (3 detections)

Auto-extracted: 3 detections for general monitoring

Network Connection Monitoring (2 detections)

Auto-extracted: 2 detections for network connection monitoring

Process Creation Monitoring (1 detection)

Auto-extracted: 1 detection for process creation monitoring

Kernel Monitoring (1 detection)

Auto-extracted: 1 detection for kernel monitoring

PowerShell (1 detection)

Auto-extracted: 1 detection for PowerShell

Suspicious (1 detection)

Auto-extracted: 1 detection for suspicious

PowerShell (1 detection)

Auto-extracted: 1 detection for PowerShell

Suspicious (1 detection)

Auto-extracted: 1 detection for suspicious

Reflection (1 detection)

Auto-extracted: 1 detection for reflection

DETECTIONS (12)