F003 · MEDIUM · Suspicious · validator: passed
Reflective PE-load PowerShell execution
Reflective load PowerShell command (TTP)
Analyst narrative
A PowerShell script using the func_get_proc_address / UnsafeNativeMethods reflection patterns matched the high-severity reflection_load TTP. Candidates: cand-0089, cand-0090; fact_ids: powershell_command_fact-0000001, 0000002.
Claims asserted
powershell_command-parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it and to the forensic tool that produced that fact; the whole chain is one finding_trace() query.
Source tools
parse_event_logs
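The following is an added example, not the page's tooling: it emulates what a parse_event_logs style extractor might do to produce the typed facts behind the analyst narrative above (matching the func_get_proc_address / UnsafeNativeMethods reflection patterns in script block text) and the claim-to-fact-to-tool rows the proof chain describes. The event field names, the fact id format, the severity threshold and the two extra interop indicators (GetDelegateForFunctionPointer, VirtualAlloc) are assumptions made here; the sample script blocks are constructed, not real telemetry.

```python
"""Reflective PE-load indicator extraction over PowerShell script block text.

Added example (not the page's own code). Assumes Event ID 4104 records have
already been reduced to dicts with a record_id and the script_block text.
"""
import re
from dataclasses import dataclass

# Indicators named on the finding (func_get_proc_address, UnsafeNativeMethods)
# plus two .NET interop names common in reflective loaders; the latter two are
# an assumption added for this example, not taken from the page.
REFLECTION_INDICATORS = {
    "func_get_proc_address": re.compile(r"\bfunc_get_proc_address\b", re.IGNORECASE),
    "UnsafeNativeMethods": re.compile(r"\bUnsafeNativeMethods\b", re.IGNORECASE),
    "GetDelegateForFunctionPointer": re.compile(r"\bGetDelegateForFunctionPointer\b", re.IGNORECASE),
    "VirtualAlloc": re.compile(r"\bVirtualAlloc(Ex)?\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Fact:
    """Typed fact: one per script block that carries at least one indicator."""
    fact_id: str
    record_id: int
    indicators: tuple
    severity: str
    source_tool: str = "parse_event_logs"


def classify(indicators):
    # Assumed threshold: two or more distinct interop indicators in one
    # script block is treated as high-severity reflection_load, one alone as medium.
    return "high" if len(indicators) >= 2 else "medium"


def extract_facts(events, seq_start=1):
    """Scan script_block text and emit Facts with ids like powershell_command_fact-0000001."""
    facts = []
    seq = seq_start
    for ev in events:
        hits = tuple(
            name for name, rx in REFLECTION_INDICATORS.items()
            if rx.search(ev["script_block"])
        )
        if not hits:
            continue
        facts.append(Fact(
            fact_id=f"powershell_command_fact-{seq:07d}",
            record_id=ev["record_id"],
            indicators=hits,
            severity=classify(hits),
        ))
        seq += 1
    return facts


def finding_trace(facts, claim="powershell_command-parse_event_logs"):
    """Proof-chain rows: (claim, fact_id, source_tool), one per fact that backs the claim."""
    return [(claim, f.fact_id, f.source_tool) for f in facts]


# Constructed sample script blocks (not real telemetry).
SAMPLE_EVENTS = [
    {"record_id": 101, "script_block": "Get-Process | Where-Object { $_.CPU -gt 10 }"},
    {"record_id": 102, "script_block":
        "$GetProcAddress = func_get_proc_address kernel32.dll GetProcAddress\n"
        "$VirtualAlloc = func_get_proc_address kernel32.dll VirtualAlloc"},
    {"record_id": 103, "script_block":
        "[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptr, $type)"},
    {"record_id": 104, "script_block":
        "$u = ([AppDomain]::CurrentDomain.GetAssemblies() | "
        "Where-Object Location -like '*System.dll').GetType('Microsoft.Win32.UnsafeNativeMethods')"},
    # Concatenated strings: the plain regexes miss this on purpose, see note below.
    {"record_id": 105, "script_block": "$n = 'Unsafe' + 'NativeMethods'; $m = 'Virtual' + 'Alloc'"},
]

if __name__ == "__main__":
    found = extract_facts(SAMPLE_EVENTS)
    for f in found:
        print(f.fact_id, f.record_id, f.severity, f.indicators)
    for row in finding_trace(found):
        print(row)
```

Record 105 is the caveat a practitioner should keep in mind: literal-name matching only sees the indicator when the name appears intact in the logged text, so string concatenation or format-operator obfuscation evades these regexes. Script block logging helps here, since the 4104 text is captured after the script is de-obfuscated enough to execute, but a name built at runtime still only appears once it is passed to Add-Type or GetType, which is why the fact extractor should run over every fragment of a script block and not just the first.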