Reflective Code Loading (T1620)

Technique & Subtechniques

  • Reflective Code Loading

Associated Tactics

  • Defense Evasion

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Procedure Examples

Description | Source(s)
0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021. | 00sec Droppers
Bunce, D. (2019, October 31). Building A Custom Tool For Shellcode Analysis. Retrieved October 4, 2021. | S1 Custom Shellcode Tool
Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021. | Mandiant BYOL
Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021. | S1 Old Rat New Tricks
MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021. | MDSec Detecting DOTNET
Microsoft. (n.d.). Assembly.Load Method. Retrieved February 9, 2024. | Microsoft AssemblyLoad
Sanmillan, I. (2019, November 18). ACBackdoor: Analysis of a New Multiplatform Backdoor. Retrieved October 4, 2021. | Intezer ACBackdoor
Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021. | Stuart ELF Memory
The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021. | Introducing Donut