F050 · LOW · Benign / FP · validator: passed
Jump List evidence of administrative tool access (Application Access History)
Jump List: Windows PowerShell.lnk access history
Analyst narrative
Jump List artifacts show repeated access to the Windows PowerShell shortcut under Administrative Tools. Path: %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell.lnk. Candidate: cand-0071. Fact_ids: jumplist_fact-0000018, jumplist_fact-0000028, jumplist_fact-0000060.
Claims asserted
path · %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell.lnk · run_jlecmd
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
extract_mft_timeline · extract_network_iocs · parse_userassist · run_jlecmd · vol_filescan