Clankerusecase
MITRE ATT&CK detection coverage

T1620 Reflective Code Loading

T1620 — Reflective Code Loading is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 6 detection use cases covering it and 6 threat-intel articles citing it.

Defense Evasion
6 Use cases
6 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (6)

PowerShell PInvoke Process Injection API Chain · ESCU · actions · alerting · P
Windows MMC Loaded Script Engine DLL · ESCU · actions · hunting · P
[LLM] Startup LNK spawns cmd.exe → PowerShell in-memory DLL loader (GIFTEDCROOK chain) · Bespoke · install · alerting · DSPDDCS
[LLM] Bun spawned from npm install context executing /tmp/p*.js implant · Bespoke · install · alerting · DSΣPDDCS
[LLM] Orphaned process (ppid=1) executing from /tmp hidden hex path (post-dropper stage-2) · Bespoke · actions · alerting · DSΣPDDCS
[LLM] MuddyWater Fooder loader (OsUpdater.exe) execution from Downloads · Bespoke · install · alerting · DSΣPDDCS

Articles citing this technique (6)