This note documents detection patterns related to Reflective Loading within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 7 | Image loaded | Critical | DLL-like module loaded from unusual path or memory-backed context. |
| Sysmon | 10 | Process access | Critical | Handle access before memory injection / manual mapping. |
| Sysmon | 8 | CreateRemoteThread | Critical | Often follows reflective load into remote process. |
| Security | 4688 | Process creation | Critical | Loader process execution. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for loader chain. |
| Sysmon | 11 | File create | Medium | Loader dropped before in-memory load. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| DLL loaded without normal LoadLibrary chain | Manual mapping clue | Critical | Strong reflective signal. |
| RWX memory followed by thread creation | Injection chain | Critical | High-confidence sequence. |
| Unsigned DLL in trusted process | Strong anomaly | Critical | Valuable clue. |
| Loader exits quickly | Stager behavior | High | Common operator pattern. |
| No disk-backed module path | Memory-only load | Critical | Reflective hallmark. |
| Image loaded into explorer/lsass/svchost | High-value target | Critical | Strong malicious signal. |
Common Tools
| Tool | Usage |
|---|---|
| Cobalt Strike | Reflective DLL injection |
| Metasploit | Reflective loaders |
| Custom loaders | Manual map payloads |
| PowerShell loaders | In-memory DLL loading |
Relevant Artifacts
- Sysmon Event IDs 7, 8, 10, 1, 11
- Security Event ID 4688
- Loaded module metadata
- Process memory regions
- EDR memory map
- Prefetch for loader
MITRE ATT&CK References
- T1620 Reflective Code Loading
Decision Tree
- Which process loaded payload?
  - loader
  - shell
  - implant
- Which target process?
  - explorer
  - svchost
  - lsass
- Memory-only signs?
  - No file path
  - RWX region
- Thread created?
  - Yes
  - No
- Expand:
  - APC
  - Process injection
  - Network beacon
- Scope:
  - Single load
  - Repeated injection
  - Framework behavior
Example Detection Templates
KQL
```kql
// Assumes a parsed Sysmon table or function named "Sysmon"; adjust to your workspace schema.
Sysmon
| where EventID in (7, 8, 10)
| project TimeGenerated, Computer, Image, ImageLoaded, TargetImage
```
EQL
```eql
// Template: the "where true" steps are placeholders to narrow to your loader / target criteria.
sequence by host.name with maxspan=5m
  [ process where true ]
  [ library where true ]
  [ process where event.code == "8" ]
```
Sigma
```yaml
title: Reflective Loading Detection
id: 8e2c4d11-reflective-loading
status: experimental
description: Detects suspicious reflective DLL loading indicators
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID:
      - 7
      - 8
      - 10
  condition: selection
fields:
  - Image
  - TargetImage
falsepositives:
  - Security tools
level: high
tags:
  - attack.defense_evasion
  - attack.t1620
```
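The templates above match on event IDs alone; the following is an added example (not code from the original note) of correlating them the way the indirect indicators describe: a Sysmon 10 handle open followed by a Sysmon 8 remote thread from the same source into the same target within a time window, and a Sysmon 7 load into explorer/svchost/lsass that is unsigned or has no disk-backed path. The records and the field names (SourceImage, TargetImage, Image, ImageLoaded, Signed) are constructed assumptions about a parsed Sysmon feed.

```python
"""Correlate Sysmon-style events into the reflective-loading signals above.

Added example, not code from the original note. The records below are
constructed; the field names are an assumption about the parsed Sysmon feed."""
from datetime import datetime, timedelta

# Processes the note treats as high-value injection targets.
HIGH_VALUE = {"explorer.exe", "svchost.exe", "lsass.exe"}

# Constructed sample: a handle open (10) then a remote thread (8) into lsass,
# an unsigned load (7) with no disk path into explorer, and a benign load (7).
SAMPLE = [
    {"ts": "2026-03-07T10:00:00", "EventID": 10, "SourceImage": "C:\\Temp\\ldr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1F3FFF"},
    {"ts": "2026-03-07T10:00:03", "EventID": 8, "SourceImage": "C:\\Temp\\ldr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"ts": "2026-03-07T10:02:00", "EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "", "Signed": "false"},
    {"ts": "2026-03-07T10:05:00", "EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_injection_chains(events, maxspan=timedelta(minutes=5)):
    """Event 10 followed by Event 8 from the same source into the same target
    within maxspan: the handle-then-thread chain the EQL sequence describes."""
    opens = [e for e in events if e["EventID"] == 10]
    hits = []
    for thread in (e for e in events if e["EventID"] == 8):
        for opened in opens:
            gap = datetime.fromisoformat(thread["ts"]) - datetime.fromisoformat(opened["ts"])
            same_pair = (opened["SourceImage"], opened["TargetImage"]) == (
                thread["SourceImage"], thread["TargetImage"])
            if same_pair and timedelta(0) <= gap <= maxspan:
                hits.append((thread["SourceImage"], thread["TargetImage"]))
    return hits

def find_anomalous_loads(events):
    """Event 7 in a high-value process where the module is unsigned or has
    no disk-backed path (the memory-only hallmark listed above)."""
    return [(e["Image"], e["ImageLoaded"] or "<no path>")
            for e in events
            if e["EventID"] == 7 and _basename(e["Image"]) in HIGH_VALUE
            and (e["Signed"] != "true" or not e["ImageLoaded"])]
```

Run against a real feed, the two functions give the "thread + memory access" chain and the "unsigned module in trusted process" enrichment from the hardening table, rather than a flat list of event IDs.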
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Monitor Sysmon 7/8/10 | Core injection visibility | Critical | Strong coverage |
| EDR memory analysis | Detect manual map | Critical | Best signal |
| Alert on unsigned module in trusted process | High-value anomaly | High | Strong enrichment |
| Correlate thread + memory writes | High-confidence chain | Critical | Strong triage |
| Preserve loader lineage | Essential | High | DFIR critical |