How these tools actually run reflectively can vary quite a bit, but may include hijacking an existing process through process hollowing or process injection, or may simply include an attacker-provided benign hosting process. Regardless of which vector we choose, the common requirement is the ability to load our binaries without touching the disk.