F024 · MEDIUM · Inconclusive · validator: passed
Reflection-based PowerShell code injection detected in event logs
powershell_command:reflection_load
Analyst narrative
PowerShell script block logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational) captured a script block that resolves GetProcAddress by reflection through the UnsafeNativeMethods type instead of a declared P/Invoke signature. That pattern is consistent with an in-memory DLL injection or shellcode-loading attempt and, depending on the target process, privilege escalation; the script content alone does not show what was loaded or whether the block ran to completion.
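Detection logic for the pattern described above, written as an added example rather than code from the page or the parse_event_logs tool. It takes 4104 events as a parser might emit them (EventData fields as a dict), reassembles script blocks that Windows split into MessageNumber/MessageTotal fragments under one ScriptBlockId, and flags a block only when at least two reflection indicators co-occur. The sample events, indicator list and threshold are constructed assumptions, not data from the finding.

```python
import re
from collections import defaultdict

# Constructed sample events (fabricated for illustration, not real log data).
# Event "a1" is one script block logged as two 4104 fragments, listed out of order.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": (
         "$gpa = $unm.GetMethod('GetProcAddress', [Type[]]@([Runtime.InteropServices.HandleRef],[string]))\n"
         "$hk = $unm.GetMethod('GetModuleHandle').Invoke($null, @('kernel32.dll'))\n"
         "$ptr = $gpa.Invoke($null, @([Runtime.InteropServices.HandleRef]::new($null, $hk), 'VirtualAlloc'))\n"
         "$va = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptr, $delegateType)")},
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": (
         "$sys = [AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.Location -like '*System.dll' }\n"
         "$unm = $sys.GetType('Microsoft.Win32.UnsafeNativeMethods')")},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Windows\\Temp | Where-Object { $_.Length -gt 1MB }"},
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Add-Type -AssemblyName System.Windows.Forms\n[Windows.Forms.MessageBox]::Show('Done')"},
    # A 4103 (module logging) event is ignored: it carries pipeline detail, not the script block text.
    {"EventID": 4103, "Payload": "CommandInvocation(Get-ChildItem)"},
]

# Indicators of reflection-based native code loading. Add-Type / DllImport alone are
# deliberately left out: they are common in legitimate admin scripts and would be noisy.
INDICATORS = {
    "UnsafeNativeMethods": re.compile(r"UnsafeNativeMethods", re.I),
    "GetProcAddress": re.compile(r"GetProcAddress", re.I),
    "GetModuleHandle": re.compile(r"GetModuleHandle", re.I),
    "VirtualAlloc": re.compile(r"VirtualAlloc(Ex)?\b", re.I),
    "GetDelegateForFunctionPointer": re.compile(r"GetDelegateForFunctionPointer", re.I),
    "Assembly.Load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I),
}
MIN_INDICATORS = 2  # assumed threshold; tune against your own baseline


def reassemble_script_blocks(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order.

    Scanning fragments individually can miss a block whose indicators are
    spread across the split, so matching is done on the reassembled text.
    """
    parts = defaultdict(dict)
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        parts[ev["ScriptBlockId"]][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
    return {sbid: "\n".join(chunks[n] for n in sorted(chunks)) for sbid, chunks in parts.items()}


def scan_script_block(text):
    """Return the sorted names of indicators present in one script block."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def find_reflection_loads(events, min_indicators=MIN_INDICATORS):
    """Return one finding per script block that meets the indicator threshold."""
    findings = []
    for sbid, text in reassemble_script_blocks(events).items():
        hits = scan_script_block(text)
        if len(hits) >= min_indicators:
            findings.append({"ScriptBlockId": sbid, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in find_reflection_loads(SAMPLE_EVENTS):
        print(f["ScriptBlockId"], ", ".join(f["indicators"]))
```

Fragment 1 of block a1 on its own carries only the UnsafeNativeMethods lookup, below the threshold; reassembled with fragment 2 it yields five co-occurring indicators, while the two benign blocks yield none. A hit here is a lead, not proof: confirming injection still needs corroboration such as the target process, 4688 process creation, or memory evidence.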
Claims asserted
powershell_command-parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it and to the forensic tool that produced that fact; this is one finding_trace() query. This finding has zero linked facts, so its claim is asserted but not validated by any fact, consistent with the Inconclusive status.
Source tools
parse_event_logs