F006 · MEDIUM · Suspicious · validator: passed
PowerShell reflection-based code loading detected in event logs
PowerShell reflection_load TTP
Analyst narrative
Event logs contain two distinct PowerShell command facts (fact_ids: powershell_command_fact-0000001, powershell_command_fact-0000002) that show a reflection-based code loading pattern: Set-StrictMode followed by function definitions that reach unsafe native methods through .NET reflection rather than through a compiled binary on disk. Set-StrictMode on its own is benign; the signal is the reflective lookup of native methods, which avoids writing a loader to disk. This maps to Execution (TA0002) via PowerShell combined with Defense Evasion (TA0005). Candidate_ids: cand-0089, cand-0090
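The detection described in the narrative, as an added example that is not code from the page's tooling or from parse_event_logs. It scores constructed PowerShell ScriptBlock records (modelled on Event ID 4104, with the record structure assumed) against weighted reflection indicators; the weights, the threshold and the indicator names are this example's assumptions. Set-StrictMode and bare function definitions are kept as zero-weight context markers so that a script containing only those is not flagged.

```python
import re
from typing import Dict, List, Tuple

# Weighted indicators of reflection-based code loading in PowerShell.
# The weights are an assumption of this example, not a published scheme.
INDICATORS: List[Tuple[str, str, int]] = [
    ("assembly_load", r"\[(?:System\.)?Reflection\.Assembly\]::Load\w*\s*\(", 3),
    ("unsafe_native_methods", r"UnsafeNativeMethods", 3),
    ("getmethod", r"\.GetMethod\s*\(", 2),
    ("native_api_name",
     r"\b(?:GetProcAddress|GetModuleHandle|VirtualAlloc|GetDelegateForFunctionPointer)\b", 2),
    ("invoke", r"\.Invoke\s*\(", 1),
    # Context-only markers: part of the observed pattern but benign on their own.
    ("set_strictmode", r"Set-StrictMode", 0),
    ("function_def", r"\bfunction\s+[\w-]+", 0),
]
THRESHOLD = 4  # assumed: one strong indicator plus at least one supporting hit

# Constructed sample records (not real telemetry) in the shape a log parser
# might emit for PowerShell ScriptBlock logging; field names are assumed.
SAMPLE_EVENTS: List[Dict] = [
    {"record_id": 1, "event_id": 4104,
     "script_block": "Set-StrictMode -Version 2.0\n"
                     "function Get-TopProc { Get-Process | Select-Object -First 5 }"},
    {"record_id": 2, "event_id": 4104,
     "script_block": "Set-StrictMode -Version 2\n"
                     "function func_get_proc_address {\n"
                     "  Param ($var_module, $var_procedure)\n"
                     "  $var_unsafe = ([AppDomain]::CurrentDomain.GetAssemblies() |"
                     " Where-Object { $_.Location.EndsWith('System.dll') })"
                     ".GetType('Microsoft.Win32.UnsafeNativeMethods')\n"
                     "  return $var_unsafe.GetMethod('GetProcAddress')"
                     ".Invoke($null, @($var_module, $var_procedure))\n}"},
    {"record_id": 3, "event_id": 4104,
     "script_block": "$asm = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($b64))\n"
                     "$asm.GetType('Loader').GetMethod('Run').Invoke($null, $null)"},
    {"record_id": 4, "event_id": 4104,
     "script_block": "$sb = { 'hello' }\n$sb.Invoke()"},
    # Different event type: not a script block, so it is skipped entirely.
    {"record_id": 5, "event_id": 4688,
     "script_block": "powershell.exe -c UnsafeNativeMethods"},
]


def score_script_block(text: str) -> Tuple[int, List[str]]:
    """Return (score, matched indicator names) for one script block."""
    score = 0
    hits: List[str] = []
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(name)
            score += weight
    return score, hits


def analyze_events(events: List[Dict]) -> List[Dict]:
    """Flag 4104 records whose reflection score reaches THRESHOLD."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        score, hits = score_script_block(ev.get("script_block", ""))
        if score >= THRESHOLD:
            findings.append({"record_id": ev["record_id"],
                             "score": score, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"record {f['record_id']}: score={f['score']} {f['indicators']}")
```

Records 2 and 3 are flagged (reflective GetProcAddress lookup through UnsafeNativeMethods, and in-memory Assembly::Load followed by reflective invocation); record 1 has only Set-StrictMode and a function definition, record 4 has a lone .Invoke() on a script block, and record 5 is not a 4104 event, so none of those are reported.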
Claims asserted
powershell_command-parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs