Incident responders regularly observe attackers abusing Microsoft .NET Reflection to dynamically load and execute malicious code. Like process injection, this technique is attractive to attackers because it is stealthy: the malicious code is loaded and run from memory, so it can execute without being visible to conventional defenses.
Incident responders therefore face the challenge of making in-memory .NET assemblies visible, and this is where our technical analysis comes in. In the research, our incident responders tackle this challenge by demonstrating practical methods for detecting and extracting in-memory .NET assemblies with the Velociraptor platform. The analysis explains how reflection works as a legitimate development feature, why it is attractive for abuse, and how defenders can distinguish suspicious in-memory activity from normal application behavior.
In a technical deep dive on the InfoGuard Labs blog, our incident response team introduces two new Velociraptor detection features. The first identifies dynamically loaded .NET assemblies and helps surface suspicious modules that are not backed by files on disk. The second collects .NET runtime processes and looks for signs of tampering. The research also outlines techniques for extracting in-memory assemblies for deeper forensic analysis with open source forensic tools.
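To make the first detection feature concrete, here is an added example (not code from InfoGuard Labs or from the Velociraptor project) that shows the core check behind it: given a buffer captured from process memory, decide whether it is a .NET (managed) assembly by walking the PE headers to the CLR runtime header data directory, and flag it when no backing file exists on disk. The sample buffers are constructed in the script itself (minimal PE32+ images with and without a CLR header), and the module records, the `backing_path` field and the helper names are assumptions made for this illustration.

```python
import struct

# IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: index of the CLR runtime header data directory
CLR_DIRECTORY_INDEX = 14


def is_managed_assembly(buf: bytes) -> bool:
    """Return True if buf is a PE image carrying a non-empty CLR runtime header."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                       # PE32
        ndd_off, dd_off = 92, 96
    elif magic == 0x20B:                     # PE32+
        ndd_off, dd_off = 108, 112
    else:
        return False
    ndd = struct.unpack_from("<I", buf, opt + ndd_off)[0]
    if ndd <= CLR_DIRECTORY_INDEX:
        return False                         # image has no CLR directory entry at all
    entry = opt + dd_off + CLR_DIRECTORY_INDEX * 8
    if entry + 8 > len(buf):
        return False
    rva, size = struct.unpack_from("<II", buf, entry)
    return rva != 0 and size != 0


def build_minimal_pe(managed: bool) -> bytes:
    """Constructed sample: a header-only PE32+ image, optionally with a CLR directory entry."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    if managed:
        # constructed RVA/size values; only non-zero-ness matters to the check
        struct.pack_into("<II", opt, 112 + CLR_DIRECTORY_INDEX * 8, 0x2008, 72)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def triage_modules(modules):
    """Flag managed images in memory that have no backing file path (assumed record shape)."""
    findings = []
    for m in modules:
        managed = is_managed_assembly(m["image"])
        findings.append({
            "name": m["name"],
            "managed": managed,
            "suspicious": managed and not m.get("backing_path"),
        })
    return findings


# Constructed module records, as a memory scanner might report them
SAMPLE_MODULES = [
    {"name": "mscorlib.dll", "backing_path": r"C:\Windows\...\mscorlib.dll",
     "image": build_minimal_pe(managed=True)},
    {"name": "<anonymous>", "backing_path": None, "image": build_minimal_pe(managed=True)},
    {"name": "kernel32.dll", "backing_path": r"C:\Windows\System32\kernel32.dll",
     "image": build_minimal_pe(managed=False)},
]

if __name__ == "__main__":
    for f in triage_modules(SAMPLE_MODULES):
        print(f)
```

The "anonymous" managed image with no file on disk is the case the page describes: a legitimately loaded framework assembly is managed but file-backed, while an unmanaged native DLL is ignored by the check entirely. A real scanner would read the image bytes from the target process and take the backing path from the OS module list; the check itself stays the same.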
How do forensic investigators extract and analyze hidden malicious code from memory? Deepen your technical know-how: the detailed step-by-step guide on our InfoGuard Labs blog shows you how to put the technique into practice.
Continuous threat hunting and seamless monitoring that detect anomalies at an early stage are crucial for sustainable cyber resilience.
Close cooperation between SOC, threat intelligence and incident response teams ensures that findings from real incidents are directly incorporated into the defense. This results in a cyber defence that does not only react when damage becomes visible, but instead detects attacks in advance and contains them effectively.
This includes the following services, among others:
24/7 staffed monitoring in Security Operations Centers in Switzerland and Germany
AI-supported analysis of even subtle attack patterns and evasion techniques
In-depth forensic expertise for reliable situation assessments and clear recommendations for action
The result is a modern cyber defence that does not only react once damage becomes visible, but recognizes in-memory attacks at an early stage and addresses them in a structured manner, as the basis for sustainable resilience.
If you would like to delve deeper into this topic, we recommend the research article from InfoGuard Labs. Knowledge is the first step; action is the decisive one: decide today for the robust security of tomorrow.
Caption: Image generated with AI