Try to imagine the following scenarios:
A process exhibits suspicious behavior but there are no relevant command-line artifacts. How do you make sense of the root cause of the suspicious behavior?
A PowerShell process downloaded and executed a payload in memory. The command and control (C2) URL is present but there is no execution context beyond that. What exactly was downloaded and executed?
A DotNetToJScript payload loaded a .NET assembly in memory. How did the script do it and what did it …