That’s interesting. I spent several hours analyzing Event ID 7 and later non-signed images, but it didn’t get the output I expected based on “Analyzing Evil With Sysmon & Event Logs”. The query worked fine; however, it should be $_., not $. directly.
I think that exercise wasn’t properly adjusted for entry-level skills and doesn’t match the steps from the previous modules.
Thx buddy, this helped me as well. I also thought about checking ‘Signed’ but was not able to put that all together in PowerShell. You helped with it. Thank you.
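The query the commenters above are piecing together (Sysmon Event ID 7, filtered down to images that are not signed, using `$_` as the pipeline variable) looks like this in full. This is an added example and is not code from the course material or from any of the commenters; it assumes Sysmon is installed with ImageLoad logging enabled and writing to its default `Microsoft-Windows-Sysmon/Operational` log, and that the shell has rights to read that log.

```powershell
# Added example: list Sysmon Event ID 7 (Image loaded) events whose loaded image
# carries Signed=false. Assumes the default Sysmon operational log name.
$logName = 'Microsoft-Windows-Sysmon/Operational'

# Pull only Event ID 7. -ErrorAction Stop makes a missing log or missing rights fail loudly.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 7 } -ErrorAction Stop

$events | ForEach-Object {
    # Parse the event XML so fields are read by name instead of by Properties[] index;
    # the index of 'Signed' moves between Sysmon versions, the name does not.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Inside ForEach-Object / Where-Object the current object is $_ ; "$." is not valid.
    [pscustomobject]@{
        TimeCreated     = $_.TimeCreated
        Process         = $data['Image']
        ImageLoaded     = $data['ImageLoaded']
        Signed          = $data['Signed']
        SignatureStatus = $data['SignatureStatus']
        Hashes          = $data['Hashes']
    }
} |
    # Sysmon writes the Signed field as the strings 'true' / 'false'.
    Where-Object { $_.Signed -eq 'false' } |
    # Collapse repeated loads of the same file so the review list stays short.
    Sort-Object ImageLoaded -Unique |
    Format-Table TimeCreated, Process, ImageLoaded, SignatureStatus -AutoSize
```

Reading `Signed` out of the parsed XML by name is the part most people trip on: `$_.Properties[n].Value` works until a Sysmon update reorders the fields, whereas `EventData/Data[@Name='Signed']` is stable. Dropping the final `Format-Table` and piping to `Export-Csv` instead gives a list that can be checked against a known-good software inventory.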