F038 · MEDIUM · Inconclusive · validator: passed
Suspicious PowerShell command with reflection load TTP (Code Evasion)
PowerShell command with reflection_load TTP
Analyst narrative
PowerShell command detected in event logs containing a reflection-based code loading pattern. The commands combine Set-StrictMode with dynamic assembly loading via reflection ([System.Reflection.Assembly]::Load and related methods), which keeps the loaded code out of reach of static analysis. Candidates: cand-0089, cand-0090. Fact IDs: powershell_command_fact-0000002, powershell_command_fact-0000001.
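The detection logic behind this finding, as an added example that is not the page's own parse_event_logs tool: it scans constructed PowerShell script-block log records (Event ID 4104, the Microsoft-Windows-PowerShell/Operational channel) for reflection-based assembly loading, turns each hit into a typed fact that carries a foreign key back to the log record and the producing tool, and assembles the finding and its proof chain. The rule names, the fact-ID format and the confidence rule are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Constructed sample records in the shape of PowerShell script-block logging
# (Event ID 4104). Not real log data.
SAMPLE_EVENTS = [
    {"record_id": 1, "event_id": 4104,
     "script_block": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"record_id": 2, "event_id": 4104,
     "script_block": "Set-StrictMode -Version Latest; $b=[Convert]::FromBase64String($d); "
                     "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"},
    {"record_id": 3, "event_id": 4104,
     "script_block": "[Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null"},
    {"record_id": 4, "event_id": 4103,
     "script_block": "Write-Host 'pipeline logging, not a script block'"},
    {"record_id": 5, "event_id": 4104,
     "script_block": "Add-Type -AssemblyName System.IO.Compression"},
]

# Core pattern: a static Assembly.Load* call through the type accelerator.
# Hypothetical rule; the page's parse_event_logs tool is not reproduced here.
REFLECTION_LOAD = re.compile(
    r"\[(?:System\.)?Reflection\.Assembly\]\s*::\s*"
    r"(?:Load|LoadFrom|LoadFile|LoadWithPartialName|UnsafeLoadFrom)\b",
    re.IGNORECASE,
)
# Supporting indicators: they raise confidence but do not fire on their own.
SUPPORTING = {
    "base64_payload": re.compile(r"\[Convert\]\s*::\s*FromBase64String", re.IGNORECASE),
    "strict_mode": re.compile(r"Set-StrictMode\b", re.IGNORECASE),
    "entrypoint_invoke": re.compile(r"\.EntryPoint\s*\.\s*Invoke\s*\(", re.IGNORECASE),
}


@dataclass(frozen=True)
class Fact:
    fact_id: str          # typed fact id (format assumed for the example)
    source_tool: str      # forensic tool that produced the fact
    record_id: int        # foreign key back to the log record
    indicators: tuple     # rule names that matched in this record


@dataclass
class Finding:
    claim: str
    ttp: str
    severity: str
    confidence: str
    facts: list[Fact] = field(default_factory=list)


def parse_event_logs(events: Iterable[dict]) -> list[Fact]:
    """Emit one typed fact per 4104 script block that contains a reflection load."""
    facts: list[Fact] = []
    for ev in events:
        if ev.get("event_id") != 4104:          # only script-block records carry full text
            continue
        block = ev.get("script_block", "")
        if not REFLECTION_LOAD.search(block):
            continue
        indicators = ["reflection_load"] + [
            name for name, rx in SUPPORTING.items() if rx.search(block)
        ]
        facts.append(Fact(
            fact_id=f"powershell_command_fact-{len(facts) + 1:07d}",
            source_tool="parse_event_logs",
            record_id=ev["record_id"],
            indicators=tuple(indicators),
        ))
    return facts


def build_finding(facts: list[Fact]) -> Optional[Finding]:
    """Reflection load alone is inconclusive (legitimate scripts load assemblies too);
    a base64 blob handed to Load() and then EntryPoint.Invoke is the in-memory
    loader shape and is treated as confirmed. Assumed rule for the example."""
    if not facts:
        return None
    loader_shape = any(
        {"base64_payload", "entrypoint_invoke"} <= set(f.indicators) for f in facts
    )
    return Finding(
        claim="powershell_command-parse_event_logs",
        ttp="reflection_load",
        severity="MEDIUM",
        confidence="confirmed" if loader_shape else "inconclusive",
        facts=list(facts),
    )


def finding_trace(finding: Finding) -> list[tuple[str, str, str, int]]:
    """The proof chain as one flat join: claim -> fact -> tool -> log record."""
    return [(finding.claim, f.fact_id, f.source_tool, f.record_id) for f in finding.facts]


if __name__ == "__main__":
    found = build_finding(parse_event_logs(SAMPLE_EVENTS))
    if found:
        for row in finding_trace(found):
            print(row)
```

Record 5 (Add-Type) is deliberately not matched: loading a named framework assembly is not the pattern this TTP describes, and flagging it would bury the finding in noise. Conversely, a loader that reaches Assembly.Load through a variable holding the type, or through Invoke-Expression on an obfuscated string, escapes this regex, which is why the confidence of a regex-only fact should stay "inconclusive" until a supporting indicator such as the base64 payload is present.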
Claims asserted
powershell_command-parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs