F022 | MEDIUM | Suspicious | validator: passed
PowerShell reflective DLL load / shellcode injection
Reflective PowerShell load (reflection_load TTP)
Analyst narrative
Candidates cand-0089/cand-0090: PowerShell command facts matched the reflection_load TTP (func_get_proc_address / Set-StrictMode reflective loader pattern). fact_ids=powershell_command_fact-0000001, powershell_command_fact-0000002
Claims asserted
powershell_command-parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs