F034 · MEDIUM · Suspicious · validator: passed
Encoded reflective-load PowerShell execution
Reflective load PowerShell command (reflection_load TTP)
Analyst narrative
PowerShell command facts show func_get_proc_address / GetProcAddress reflection patterns indicative of in-memory PE/shellcode loading. Candidates cand-0089 and cand-0090 (powershell_command_fact-0000001/0000002).
Claims asserted
powershell_command-parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs