// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE PUB-ENTDTG 0600Z
ColdReconTechniquesT1620
Technique T1620

Reflective Code Loading

CLEARED FOR PUBLIC RELEASE · OPEN-SOURCE INTELLIGENCE
Reflective Code Loading (T1620) — a Defense Evasion technique, observed in public incident reporting.
MITRE ATT&CKT1620
TacticDefense Evasion
Incidents on file5

Detection & mitigation

Monitor for suspicious process memory operations such as VirtualAlloc with PAGE_EXECUTE_READWRITE permissions followed by thread creation, or use of NtCreateThreadEx from non-standard modules. Deploy endpoint detection and response (EDR) with memory scanning capabilities and enable Windows Defender's behavior monitoring and cloud-delivered protection to detect in-memory threats.

Track this in real time.

ColdRecon watches the public signal so you don't have to — a daily brief and a live detection-coverage desk. Request clearance.

Request Clearance →