Reflective Code Loading
This detection identifies adversaries loading and executing code directly within process memory to evade disk-based detection controls. Reflective code loading encompasses techniques such as .NET assembly loading via PowerShell's Assembly.Load() method, position-independent shellcode injected into self-owned process memory via VirtualAlloc/CreateThread, ELF or PE loading from anonymous memory regions, and fileless .NET CLR hosting. Because no file is written to disk, traditional file-based AV and EDR telemetry is bypassed; detections must focus on command-line indicators, suspicious memory allocation API call patterns, unusual .NET CLR loading within scripting hosts, and anomalous process behaviors such as spawning threads from heap memory regions.
What is T1620 Reflective Code Loading?
Reflective Code Loading (T1620) maps to the Defense Evasion tactic in MITRE ATT&CK: the adversary is trying to avoid being detected.
This page provides production-ready detection logic for Reflective Code Loading, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1620 Reflective Code Loading
- Canonical reference
- https://attack.mitre.org/techniques/T1620/
let ReflectiveLoadKeywords = dynamic([
"Assembly.Load",
"[System.Reflection.Assembly]",
"Reflection.Assembly::Load",
"Invoke-ReflectivePEInjection",
"Invoke-Shellcode",
"ReflectivePELoader",
"LoadLibraryR",
"NtAllocateVirtualMemory",
"VirtualAllocEx",
"::UnsafeLoadFrom",
"AssemblyLoad"
]);
let Base64AssemblyPatterns = dynamic([
"FromBase64String",
"Convert]::FromBase64",
"[Convert]::From"
]);
let SuspiciousHosts = dynamic([
"powershell.exe", "pwsh.exe", "cscript.exe",
"wscript.exe", "mshta.exe", "rundll32.exe",
"regsvr32.exe", "msiexec.exe"
]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ (SuspiciousHosts)
or InitiatingProcessFileName in~ (SuspiciousHosts)
| where ProcessCommandLine has_any (ReflectiveLoadKeywords)
or ProcessCommandLine has_any (Base64AssemblyPatterns)
or InitiatingProcessCommandLine has_any (ReflectiveLoadKeywords)
| extend CmdLineLen = strlen(ProcessCommandLine)
| extend EncodedPayloadLikely = iff(
ProcessCommandLine matches regex @"[A-Za-z0-9+/]{200,}={0,2}",
true, false)
| extend Severity = case(
ProcessCommandLine has "Invoke-ReflectivePEInjection", "Critical",
ProcessCommandLine has "Invoke-Shellcode", "Critical",
ProcessCommandLine has "Assembly.Load" and EncodedPayloadLikely == true, "High",
ProcessCommandLine has "Assembly.Load", "Medium",
"Medium")
| project
TimeGenerated,
DeviceName,
AccountName,
AccountDomain,
FileName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountName,
CmdLineLen,
EncodedPayloadLikely,
Severity,
SHA256,
ProcessId,
InitiatingProcessId
| order by TimeGenerated desc
Detects reflective code loading in scripting hosts and common LOLBins by searching for .NET Assembly.Load() calls, reflective PE injection tooling keywords, and large base64-encoded blobs combined with assembly loading. Flags known offensive tooling names (Invoke-ReflectivePEInjection, Invoke-Shellcode) as Critical, and heuristic patterns (Assembly.Load + encoded payload) as High.
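The same heuristic as the KQL above, written here as an added Python example (not code from the original page or from any vendor) so the logic can be exercised offline against constructed Sysmon Event ID 1-style records (field names Image, ParentImage, CommandLine, ParentCommandLine). It goes one step beyond the query: for each long base64 run it decodes the first bytes and checks for the PE 'MZ' signature, which separates an embedded .NET assembly from an ordinary encoded script.

```python
import base64
import re

# Lists mirror the KQL query above; KQL `has`/`in~` are case-insensitive, so matching runs on lower-cased text.
REFLECTIVE_LOAD_KEYWORDS = [
    "assembly.load", "[system.reflection.assembly]", "reflection.assembly::load",
    "invoke-reflectivepeinjection", "invoke-shellcode", "reflectivepeloader", "loadlibraryr",
    "ntallocatevirtualmemory", "virtualallocex", "::unsafeloadfrom", "assemblyload"]
BASE64_PATTERNS = ["frombase64string", "convert]::frombase64", "[convert]::from"]
SUSPICIOUS_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # same regex as the KQL

def decoded_blob_is_pe(cmdline):
    """Check not in the KQL: decode the first 8 base64 chars (6 bytes) of each long blob and
    look for the DOS 'MZ' signature that every PE image, and so every .NET assembly, starts with."""
    return any(base64.b64decode(b[:8]).startswith(b"MZ") for b in BLOB_RE.findall(cmdline))

def classify(event):
    """Apply the page's logic to one Sysmon Event ID 1-style record (keys: Image, ParentImage,
    CommandLine, ParentCommandLine). Returns an alert dict, or None when nothing matches."""
    names = {event.get(k, "").lower().rsplit("\\", 1)[-1] for k in ("Image", "ParentImage")}
    if not names & SUSPICIOUS_HOSTS:  # FileName / InitiatingProcessFileName filter
        return None
    cmd, pcmd = (event.get(k, "").lower() for k in ("CommandLine", "ParentCommandLine"))
    if not (any(k in cmd for k in REFLECTIVE_LOAD_KEYWORDS + BASE64_PATTERNS)
            or any(k in pcmd for k in REFLECTIVE_LOAD_KEYWORDS)):
        return None
    encoded = BLOB_RE.search(cmd) is not None
    if "invoke-reflectivepeinjection" in cmd or "invoke-shellcode" in cmd:
        severity = "Critical"
    elif "assembly.load" in cmd and encoded:
        severity = "High"
    else:
        severity = "Medium"
    return {"Severity": severity, "EncodedPayloadLikely": encoded,
            "DecodedBlobIsPE": decoded_blob_is_pe(event.get("CommandLine", ""))}
# Constructed sample events, not real telemetry. The blob is 'MZ' plus zero bytes, base64-encoded:
# long enough to trip the regex and carrying a PE header, but not a loadable assembly.
FAKE_PE_BLOB = base64.b64encode(b"MZ" + b"\x00" * 200).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -c \"Add-Type 'public class L{public static void R(string s)"
                    "{System.Reflection.Assembly.Load(System.Convert.FromBase64String(s));}}'; "
                    "[L]::R('" + FAKE_PE_BLOB + "')\""},
    {"Image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",  # developer tool, not a host
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "devenv.exe /rootsuffix Exp"},
]
```

Running `classify` over `SAMPLE_EVENTS` yields a High alert with DecodedBlobIsPE set for the first record and None for the developer tool, which the host filter excludes before any keyword is considered.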
Data Sources
Required Tables
False Positives
- Legitimate .NET applications and developer tooling that use Assembly.Load() or Reflection.Assembly for plugin systems (e.g., Visual Studio extensions, Roslyn compilers)
- Security tooling and EDR agents that use reflective loading for their own module injection (e.g., CrowdStrike Falcon sensor, Carbon Black)
- PowerShell modules that use Add-Type or Assembly.Load to compile and load inline C# at runtime for legitimate administrative tasks (e.g., ActiveDirectory management scripts)
Sigma rule & cross-platform mapping
The detection logic for Reflective Code Loading (T1620) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  category: process_creation
  product: windows
References (6)
- https://attack.mitre.org/techniques/T1620/
- https://github.com/TheWover/donut
- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load
- https://www.mandiant.com/resources/bring-your-own-land
- https://www.intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Assembly.Load from Base64-encoded .NET Assembly
Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with CommandLine containing 'Assembly.Load' and 'FromBase64String'. Sysmon Event ID 7 (ImageLoad) showing clr.dll and mscorlib.dll loaded into powershell.exe. PowerShell ScriptBlock log Event ID 4104 with full decoded script content.
- Test 2: Invoke-ReflectivePEInjection Simulation via PowerSploit
Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Invoke-ReflectivePEInjection'. PowerShell ScriptBlock Event ID 4104 with decoded function definition. Possible Sysmon Event ID 8 (CreateRemoteThread) if PE injection spawns threads.
- Test 3: Shellcode Reflective Execution via Add-Type PInvoke (Windows)
Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Add-Type' and 'VirtualAlloc', 'CreateThread', 'DllImport', 'kernel32'. PowerShell ScriptBlock Event ID 4104 with full C# source including PInvoke signatures. Sysmon Event ID 7 showing clr.dll and clrjit.dll loaded into powershell.exe.
Unlock Pro Content
Get the full detection package for T1620 including response playbook, investigation guide, and atomic red team tests.