F043 · HIGH · Suspicious · validator: passed
Encoded/reflective-load PowerShell execution
Reflective PE load / func_get_proc_address PowerShell TTP
Analyst narrative
candidate cand-0089/cand-0090 fact_ids=powershell_command_fact-0000001,powershell_command_fact-0000002. PowerShell command implementing func_get_proc_address and a reflective load (set-strictmode version 2) matched the reflection_load TTP: a classic shellcode-injection cradle.
Claims asserted
powershell_command · parse_event_logs · vol_malfind
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs · vol_malfind