F030 · MEDIUM · Inconclusive · validator: passed
PowerShell reflection-based code loading detected in event logs
PowerShell reflection_load TTP in Security/System event logs
Analyst narrative
Event log analysis reveals PowerShell commands using .NET reflection (SetDelegate, GetProcAddress) to load and execute code dynamically in memory, bypassing traditional process-creation monitoring. This is a high-confidence indicator of living-off-the-land activity or fileless malware.
Claims asserted
powershell_command-parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs