Detect anomalous chains of memory allocation and execution inside the same process (e.g., VirtualAlloc → memcpy → VirtualProtect → CreateThread). Unlike process injection, reflective code loading does not perform cross-process memory writes — the suspicious activity occurs entirely within the process’s own PID context.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-DotNETRuntime | AssemblyLoad/ModuleLoad (Loader keyword) from Microsoft-Windows-DotNETRuntime |
| Script Execution (DC0029) | etw:Microsoft-Antimalware-Scan-Interface | Amsi/Script content + API verdicts during in-memory staging |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| ParentProcessWhitelist | Certain processes may legitimately use Assembly.Load(); defenders may whitelist known developer/admin tools. |
| MemoryRegionPermissions | Detection logic can tune for RWX memory allocations; some legitimate tools may allocate with RW permissions only. |

Monitor for in-process mmap + mprotect + execve/execveat activity where memory permissions are changed from writable to executable inside the same process without a corresponding ELF on disk.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| OS API Execution (DC0021) | auditd:MMAP | memory region with RWX permissions allocated |

| Field | Description |
|---|---|
| ProcessNameScope | Uncommon for service binaries to call memfd_create; detection tuned for high-risk processes. |
| RWXMemoryThreshold | Adjust threshold for allowed RWX allocations to reduce false positives in JIT runtimes. |
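The Windows chain above (allocate writable, change protection to executable, start a thread) and the Linux mmap/mprotect transition share one shape: a region that was writable becomes executable and is then run, all inside one PID. The following is an added example, not code from this ATT&CK page, that correlates such events per PID over constructed records; the event schema, the runtime allowlist and the RWX threshold are assumptions standing in for the ProcessNameScope and RWXMemoryThreshold tunables.

```python
# Added example, not from the ATT&CK page. Tracks per-PID memory regions so a
# region allocated writable, later made executable, then executed is flagged
# with no cross-process access involved. The event schema, the allowlist and
# the threshold are assumptions; sample records are constructed.
from collections import defaultdict

ALLOWLIST = {"dotnet", "node"}  # assumed JIT runtimes (ProcessNameScope)
RWX_THRESHOLD = 2               # tolerated anonymous RWX allocations per PID (RWXMemoryThreshold)

def detect(events, allowlist=ALLOWLIST, rwx_threshold=RWX_THRESHOLD):
    """Return [(pid, reason)] for same-process writable->executable chains."""
    perms_of = {}                 # (pid, addr) -> current permission string
    was_writable = set()          # (pid, addr) seen with write permission
    rwx_count = defaultdict(int)  # pid -> anonymous RWX allocations so far
    alerts = []
    for ev in events:
        if ev["proc"] in allowlist:
            continue
        key, pid = (ev["pid"], ev["addr"]), ev["pid"]
        if ev["op"] == "alloc":                      # VirtualAlloc / mmap
            perms_of[key] = ev["perms"]
            if "w" in ev["perms"]:
                was_writable.add(key)
            if ev["perms"] == "rwx" and not ev.get("backed"):
                rwx_count[pid] += 1
                if rwx_count[pid] > rwx_threshold:
                    alerts.append((pid, "rwx-anonymous-allocations-over-threshold"))
        elif ev["op"] == "protect":                  # VirtualProtect / mprotect
            old, perms_of[key] = perms_of.get(key, ""), ev["perms"]
            if key in was_writable and "x" in ev["perms"] and "x" not in old:
                alerts.append((pid, f"region {ev['addr']} changed writable->executable"))
        elif ev["op"] == "exec":                     # CreateThread at addr / execve
            if key in was_writable and "x" in perms_of.get(key, ""):
                alerts.append((pid, f"execution started in formerly writable region {ev['addr']}"))
    return alerts

SAMPLE_EVENTS = [  # constructed: one suspicious loader, one JIT runtime, one file-backed service
    {"pid": 4242, "proc": "loader", "op": "alloc", "addr": "0x1a0000", "perms": "rw"},
    {"pid": 4242, "proc": "loader", "op": "protect", "addr": "0x1a0000", "perms": "rx"},
    {"pid": 4242, "proc": "loader", "op": "exec", "addr": "0x1a0000"},
    {"pid": 7, "proc": "dotnet", "op": "alloc", "addr": "0x7f00", "perms": "rwx"},
    {"pid": 7, "proc": "dotnet", "op": "alloc", "addr": "0x7f01", "perms": "rwx"},
    {"pid": 7, "proc": "dotnet", "op": "alloc", "addr": "0x7f02", "perms": "rwx"},
    {"pid": 9, "proc": "nginx", "op": "alloc", "addr": "0x5000", "perms": "rx", "backed": True},
    {"pid": 9, "proc": "nginx", "op": "exec", "addr": "0x5000"},
]
```

Calling `detect(SAMPLE_EVENTS)` returns two alerts for PID 4242 and none for the allowlisted runtime or the file-backed service; removing the allowlist makes the third RWX allocation by the runtime cross the threshold.
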

Monitor for suspicious calls to dlopen(), dlsym(), or mmap with RWX flags in processes that do not typically perform dynamic module loading, and for anonymous (non-file-backed) memory regions executed by user processes.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | execve or dylib load from memory without backing file |
| Module Load (DC0016) | macos:unifiedlog | suspicious dlopen/dlsym usage in non-development processes |

| Field | Description |
|---|---|
| ApplicationScope | Developer tools may legitimately call dlopen/dlsym; narrow scope to production workloads. |
| ExecutionTimeWindow | Correlate suspicious loads with subsequent process activity in a defined window. |