F025 · MEDIUM · Suspicious · validator: passed
PowerShell reflection-based code loading (TA0005: Defense Evasion)
PowerShell reflection_load payload
Analyst narrative
PowerShell transcript (Event ID 4104) shows execution of code using reflection to dynamically load .NET assemblies without disk artifacts. Pattern matches GetProcAddress/LoadLibrary reflection loading with strict mode disabled, typical of Mimikatz or credential theft payloads. Indicates defense evasion via in-memory code execution.
Claims asserted
powershell_command-parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs