T1620

Reflective Code Loading

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)). Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position...

Linux, macOS, Windows
14 Detections
4 Sources
4 Threat Actors

BY SOURCE

elastic: 8, crowdstrike_cql: 2, sigma: 2, splunk_escu: 2

PROCEDURES (9)

General Monitoring (3 detections)

Auto-extracted: 3 detections for general monitoring

Network Connection Monitoring (1 detection)

Auto-extracted: 1 detection for network connection monitoring

Process Creation Monitoring (1 detection)

Auto-extracted: 1 detection for process creation monitoring

Suspicious (1 detection)

Auto-extracted: 1 detection for suspicious

Reflection (1 detection)

Auto-extracted: 1 detection for reflection

Kernel Monitoring (1 detection)

Auto-extracted: 1 detection for kernel monitoring

Powershell (1 detection)

Auto-extracted: 1 detection for powershell

Powershell (1 detection)

Auto-extracted: 1 detection for powershell

Suspicious (1 detection)

Auto-extracted: 1 detection for suspicious

DETECTIONS (14)