F014 · MEDIUM · Inconclusive · validator: passed
PowerShell reflection-based code loading detected in event logs
PowerShell command with reflection payload
Analyst narrative
A PowerShell transcript captured in event logs shows a reflection-based dynamic code loading pattern (using [System.Reflection.Assembly]::LoadWithPartialName and unsafe native methods). Indicates an in-memory exploitation technique.
Claims asserted
powershell_command-parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs