Windows event logs & finding evil

That’s interesting, I spent several hours on analyzing event ID 7 and later non-signed images, but it didn’t get the output I expected based on the “Analyzing Evil With Sysmon & Event Logs”. The query worked fine, however it should be $_., not $. directly.

I think that exercise wasn’t properly adjusted for entry-level skills and it’s not matching the steps from previous modules.

Thank you!

To see events with ID 7 you need:

sysmon.exe -c sysmonconfig-export.xml

Then change this file:

and then run the first command again:

sysmon.exe -c sysmonconfig-export.xml
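Added example, not from this thread or the module: a PowerShell query that lists Sysmon Event ID 7 (ImageLoad) records whose loaded image is unsigned, using the `$_` automatic variable the first post corrects. It assumes Sysmon is installed, that the applied config enables ImageLoad events (the step above), and that the shell has rights to read the Sysmon operational log.

```powershell
# Added example (not from the original thread). Assumes Sysmon is running
# with ImageLoad logging enabled and that this runs with log-read rights.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 }

Get-WinEvent -FilterHashtable $filter |
    ForEach-Object {
        # Sysmon stores its fields as <Data Name="..."> elements in the event XML;
        # turn them into a hashtable so they can be addressed by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Image       = $data['Image']        # process that loaded the DLL
            ImageLoaded = $data['ImageLoaded']  # the DLL that was loaded
            Signed      = $data['Signed']       # 'true' / 'false'
            Signature   = $data['Signature']
            Hashes      = $data['Hashes']
        }
    } |
    # Pipeline objects are referenced as $_ (e.g. $_.Signed), not $.
    Where-Object { $_.Signed -eq 'false' } |
    Select-Object -First 20 |
    Format-Table -AutoSize
```

Drop the `Select-Object -First 20` line to see every unsigned load, or add `-MaxEvents` to `Get-WinEvent` to bound the read on a busy host.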

Thanks, this query helped me.