F030 MEDIUM Suspicious validator: passed
Reflection-based PowerShell command with code injection pattern (TA0002: Execution)
powershell_command_fact
Analyst narrative
PowerShell event log captures execution of a reflection-based code loading technique ('reflection_load' TTP). The command uses unsafe native methods and function pointer resolution, consistent with T1086 (PowerShell) and T1059 (Command Line Interface) execution with evasion.
Claims asserted
powershell_command-parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs