F011 · MEDIUM · Suspicious · validator: passed
Suspicious PowerShell command with reflection-based assembly loading detected
PowerShell reflection_load TTP execution
Analyst narrative
PowerShell process executed a command containing reflection-based code loading pattern (Set-StrictMode, reflection API abuse). This pattern is consistent with Mimikatz, Empire, or other post-exploitation frameworks used for credential theft and privilege escalation.
Claims asserted
powershell_command-parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs