{"id":75456,"date":"2017-11-13T05:54:13","date_gmt":"2017-11-13T13:54:13","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=75456"},"modified":"2023-05-15T23:00:33","modified_gmt":"2023-05-16T06:00:33","slug":"detecting-reflective-dll-loading-with-windows-defender-atp","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/","title":{"rendered":"Detecting reflective DLL loading with Windows Defender ATP"},"content":{"rendered":"<p>Today&#8217;s attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/03\/08\/uncovering-cross-process-injection-with-windows-defender-atp\/\" target=\"_blank\" rel=\"noopener\">basic cross-process migration<\/a> or advanced techniques like <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/07\/12\/detecting-stealthier-cross-process-injection-techniques-with-windows-defender-atp-process-hollowing-and-atom-bombing\/\" target=\"_blank\" rel=\"noopener\">atom bombing and process hollowing<\/a> to avoid detection.<\/p>\n<p>Reflective Dynamic-Link Library (DLL) loading, which can load a DLL into a process memory without using the Windows loader, is another method used by attackers.<\/p>\n<p>In-memory DLL loading was first described in 2004 by <a href=\"http:\/\/www.hick.org\/code\/skape\/papers\/remote-library-injection.pdf\">Skape and JT<\/a>, who illustrated how one can patch the Windows loader to load DLLs from memory instead of from disk. In 2008, <a href=\"https:\/\/github.com\/stephenfewer\/ReflectiveDLLInjection\">Stephen Fewer<\/a> of Harmony Security introduced the reflective DLL loading process that loads a DLL into a process without being registered with the process. Modern attacks now use this technique to avoid detection.<\/p>\n<p>Reflective DLL loading isn\u2019t trivial\u2014it requires writing the DLL into memory and then resolving its imports and\/or relocating it. To reflectively load DLLs, one needs to author one\u2019s own custom loader.<\/p>\n<p>However, attackers are still motivated to not use the Windows loader, as most legitimate applications would, for two reasons:<\/p>\n<ol>\n<li>Unlike when using the Windows loader (which is invoked by calling the <em>LoadLibrary <\/em>function), reflectively loading a DLL doesn\u2019t require the DLL to reside on disk. As such, an attacker can exploit a process, map the DLL into memory, and then reflectively load DLL without first saving on the disk.<\/li>\n<li>Because it\u2019s not saved on the disk, a library that is loaded this way may not be readily visible without forensic analysis (e.g., inspecting whether executable memory has content resembling executable code).<\/li>\n<\/ol>\n<h2>Instrumentation and detection<\/h2>\n<p>A crucial aspect of reflectively loading a DLL is to have executable memory available for the DLL code. This can be accomplished by taking existing memory and changing its protection flags or by allocating new executable memory. Memory procured for DLL code is the primary signal we use to identify reflective DLL loading.<\/p>\n<p>In Windows 10 Creators Update, we instrumented function calls related to procuring executable memory, namely <em>VirtualAlloc<\/em> and <em>VirtualProtect<\/em>, which generate signals for Windows Defender Advanced Threat Protection (<a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp?ocid=cx-blog-mmpc\" target=\"_blank\" rel=\"noopener\">Windows Defender ATP<\/a>). Based on this instrumentation, we\u2019ve built a model that detects reflective DLL loading in a broad range of high-risk processes, for example, browsers and productivity software.<\/p>\n<p>The model takes a two-pronged approach:<\/p>\n<ol>\n<li>First, the model learns about the normal allocations of a process. As a simplified example, we observe that a process like <em>Winword.exe<\/em> allocates page-aligned executable memory of size 4,000 and particular execution characteristics. Only a select few threads within the <em>Winword<\/em> process allocate memory in this way.<\/li>\n<li>Second, we find that a process associated with malicious activity (e.g., executing a malicious macro or exploit) allocates executable memory that deviates from the normal behavior.<\/li>\n<\/ol>\n<p>This model shows that we can use memory events as the primary signal for detecting reflective DLL loading. In our real model, we incorporate a broad set of other features, such as allocation size, allocation history, thread information, allocation flags, etc. We also consider the fact that application behavior varies greatly because of other factors like plugins, so we add other behavioral signals like network connection behavior to increase the effectiveness of our detection.<\/p>\n<h2>Detecting reflective DLL Loading<\/h2>\n<p>Let\u2019s show how Windows Defender ATP can detect reflective DLL loading used with a common technique in modern threats: social engineering. In this attack, the target victim opens a Microsoft Word document from a file share. The victim is tricked into running a macro code.<\/p>\n<p>When the macro code runs, the Microsoft Word process reaches out to the command-and-control (C&amp;C) server specified by the attacker, and receives the content of the DLL to be reflectively loaded. Once the DLL is reflectively loaded, it connects to the C&amp;C and provides command line access to the victim machine.<\/p>\n<p>Note that the DLL is not part of the original document and does not ever touch the disk. Other than the initial document with the small macro snippet, the rest of the attack happens in memory. Memory forensics reveals that there are several larger RWX sections mapped into the Microsoft Word process without a corresponding DLL. These are the memory sections where the reflectively loaded DLL resides.<\/p>\n<p>Windows Defender ATP identifies the memory allocations as abnormal and raises an alert. Windows Defender ATP provides context on the document, along with information on command-and-control communication, which can allow security operations personnel to assess the scope of the attack and start containing the breach.<\/p>\n<p>Microsoft Office 365 Advanced Threat Protection protects customers against similar attacks dynamic behavior matching. In attacks like this, SecOps personnel would see an Office 365 ATP behavioral detection on Office 365\u2019s Threat Explorer page.<\/p>\n<h2>Conclusion: Windows Defender ATP uncovers in-memory attacks<\/h2>\n<p>Windows 10 continues to strengthen defense capabilities against the full range of modern attacks. In this blog post, we illustrated how <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp?ocid=cx-blog-mmpc\" target=\"_blank\" rel=\"noopener\">Windows Defender ATP<\/a> detects the reflective DLL loading technique. Security operations personnel can use the alerts in Windows Defender ATP to quickly identify and respond to attacks in corporate networks.<\/p>\n<p>Windows Defender Advanced ATP is a post-breach solution that alerts SecOps personnel about hostile activity. Windows Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect the invariant techniques used in attacks. Enhanced instrumentation and detection capabilities in Windows Defender ATP can better expose covert attacks.<\/p>\n<p>Windows Defender ATP also provides detailed event timelines and other contextual information that SecOps teams can use to understand attacks and quickly respond. The improved functionality in Windows Defender ATP enables them to isolate the victim machine and protect the rest of the network.<\/p>\n<p>For more information about <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp?ocid=cx-blog-mmpc\">Windows Defender ATP<\/a>, check out its <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/Windows-ATP?ocid=cx-blog-mmpc\">features and capabilities.<\/a><\/p>\n<p>To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, <strong><a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\" target=\"_blank\" rel=\"noopener\">sign up for a free trial<\/a><\/strong>.<\/p>\n<p><strong><em>Christian Seifert<\/em><\/strong><\/p>\n<p><em>Windows Defender ATP Research<\/em><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-83215\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/windows-defender-atp-8.png\" alt=\"\" width=\"820\" height=\"150\" \/><\/a><\/p>\n<hr \/>\n<h4><strong>Talk to us<\/strong><\/h4>\n<p>Questions, concerns, or insights on this story? Join discussions at the <a href=\"https:\/\/answers.microsoft.com\/en-us\/protect\" target=\"_blank\" rel=\"noopener\">Microsoft community<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\" target=\"_blank\" rel=\"noopener\">Windows Defender Security Intelligence<\/a>.<\/p>\n<p>Follow us on Twitter <a href=\"https:\/\/twitter.com\/WDSecurity\" target=\"_blank\" rel=\"noopener\">@WDSecurity<\/a> and Facebook <a href=\"https:\/\/www.facebook.com\/MsftWDSI\/\" target=\"_blank\" rel=\"noopener\">Windows Defender Security Intelligence<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today&#8217;s attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use basic [&hellip;]<\/p>\n","protected":false},"author":61,"featured_media":89402,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3662],"topic":[3685],"products":[3690,3694],"threat-intelligence":[],"tags":[3819],"coauthors":[1968],"class_list":["post-75456","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-news","topic-siem-and-xdr","products-microsoft-defender","products-microsoft-defender-for-endpoint","tag-windows"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Detecting reflective DLL loading with Windows Defender ATP | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detecting reflective DLL loading with Windows Defender ATP | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Today&#8217;s attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use basic [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2017-11-13T13:54:13+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-16T06:00:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-social.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1027\" \/>\n\t<meta property=\"og:image:height\" content=\"539\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Defender Security Research Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-social.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Defender Security Research Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Defender Security Research Team\"}],\"headline\":\"Detecting reflective DLL loading with Windows Defender ATP\",\"datePublished\":\"2017-11-13T13:54:13+00:00\",\"dateModified\":\"2023-05-16T06:00:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/\"},\"wordCount\":1045,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-blog.png\",\"keywords\":[\"Windows\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/\",\"name\":\"Detecting reflective DLL loading with Windows Defender ATP | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-blog.png\",\"datePublished\":\"2017-11-13T13:54:13+00:00\",\"dateModified\":\"2023-05-16T06:00:33+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-blog.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-blog.png\",\"width\":440,\"height\":268},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Detecting reflective DLL loading with Windows Defender ATP\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Detecting reflective DLL loading with Windows Defender ATP | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/","og_locale":"en_US","og_type":"article","og_title":"Detecting reflective DLL loading with Windows Defender ATP | Microsoft Security Blog","og_description":"Today&#8217;s attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use basic [&hellip;]","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/","og_site_name":"Microsoft Security Blog","article_published_time":"2017-11-13T13:54:13+00:00","article_modified_time":"2023-05-16T06:00:33+00:00","og_image":[{"width":1027,"height":539,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-social.png","type":"image\/png"}],"author":"Microsoft Defender Security Research Team","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-social.png","twitter_misc":{"Written by":"Microsoft Defender Security Research Team","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/","@type":"Person","@name":"Microsoft Defender Security Research Team"}],"headline":"Detecting reflective DLL loading with Windows Defender ATP","datePublished":"2017-11-13T13:54:13+00:00","dateModified":"2023-05-16T06:00:33+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/"},"wordCount":1045,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-blog.png","keywords":["Windows"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/","name":"Detecting reflective DLL loading with Windows Defender ATP | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-blog.png","datePublished":"2017-11-13T13:54:13+00:00","dateModified":"2023-05-16T06:00:33+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-blog.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/11\/reflective-dll-loading-fig-1-memory-allocation-characteristics-blog.png","width":440,"height":268},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/detecting-reflective-dll-loading-with-windows-defender-atp\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Detecting reflective DLL loading with Windows Defender ATP"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/75456"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=75456"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/75456\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/89402"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=75456"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=75456"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=75456"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=75456"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=75456"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=75456"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=75456"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}