Windows event logs & finding evil

That’s interesting, I spent several hours analyzing event ID 7 and later non-signed images, but it didn’t give the output I expected based on the “Analyzing Evil With Sysmon & Event Logs”. The query worked fine, however it should be $_., not $. directly.

I think that exercise wasn’t properly adjusted for entry-level skills and it isn’t matching the steps from the previous modules.

Thank you!


To see Events with ID 7 you need:

sysmon.exe -c sysmonconfig-export.xml

Then change this file:

and then run the first command again:

sysmon.exe -c sysmonconfig-export.xml
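As an added example (not the poster's own config, which is not shown in the thread): a minimal Sysmon configuration that turns on Event ID 7 (Image Loaded) logging, written to the same file name the post uses and then applied with the same sysmon.exe -c command. It assumes Sysmon is already installed, that the script runs from an elevated prompt, and that schemaversion 4.90 matches the installed Sysmon binary; the log name and field names are those of the real Sysmon provider.

```powershell
# Added example, not code from the post above.
# Assumptions: Sysmon is installed, this runs elevated, and the installed
# binary accepts schemaversion 4.90 (adjust to match "sysmon.exe -?" output).

$configPath = Join-Path (Get-Location) 'sysmonconfig-export.xml'

# An ImageLoad rule group with onmatch="exclude" and no rules inside it
# excludes nothing, so every image load is logged as Event ID 7. This is
# noisy on a production host; narrow it with <Image condition="..."> or
# <Signed condition="is">false</Signed> rules once you know what you hunt for.
$sysmonConfig = @'
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="ImageLoad-all" groupRelation="or">
      <ImageLoad onmatch="exclude">
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

Set-Content -Path $configPath -Value $sysmonConfig -Encoding UTF8

# Push the updated configuration into the running Sysmon service.
& sysmon.exe -c $configPath

# Confirm ID 7 events are now arriving in the Sysmon operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    ID      = 7
} -MaxEvents 5 | Select-Object TimeCreated, Id, Message
```

Without an ImageLoad section in the active configuration Sysmon does not emit ID 7 at all, which is why the filtered query returns nothing until the config is reloaded.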

Thanks, This query helped me.

Ohh yes! I must have mistyped the $_. part of the query.

Agreed, the exercise was a bit of a jump, which wasn’t great.

Thank you !

Anyone with the answers for the skills assessment for this module, please kindly help.

Thx buddy, this helped me as well. I also thought about checking ‘Signed’ but was not able to put that all together in PowerShell. You helped with it. Thank you.

Get-WinEvent -FilterHashtable @{Path='C:\Logs\DLLHijack\DLLHijack.evtx'; ID=7} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Where-Object {$_.Message -match 'Signed: false'}

Hello. I was able to solve it with this:

Get-WinEvent -Path 'C:\Logs\DLLHijack\DLLHijack.evtx' -FilterXPath "*[System[EventID=7] and EventData[Data[@Name='Signed']='false']]" | Select-Object -Property *
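Both queries in this thread work, but they leave the interesting fields buried inside the rendered Message text. As an added example (not code from any post here), the script below uses the same XPath filter and the same log path as the previous answer, then parses each event's EventData into a flat object and groups the unsigned loads by loading process and DLL, which is the view that makes a DLL search-order hijack stand out. The field names (Image, ImageLoaded, Signed, Signature, Hashes) are the documented Sysmon Event ID 7 EventData names; the "user-writable path" list is an assumption you should tune to your environment.

```powershell
# Added example, not from the thread. Reads Sysmon Event ID 7 (Image Loaded)
# records from an exported .evtx and triages unsigned image loads.
param(
    [string]$LogPath = 'C:\Logs\DLLHijack\DLLHijack.evtx'   # path used in the thread
)

# Sysmon exposes EventData fields as <Data Name="...">; filtering on the
# event-log side with XPath avoids regex-matching the rendered Message.
$xpath = "*[System[EventID=7] and EventData[Data[@Name='Signed']='false']]"

$events = Get-WinEvent -Path $LogPath -FilterXPath $xpath -ErrorAction Stop

# Turn each event's XML into an object whose properties are the Sysmon fields.
$loads = foreach ($evt in $events) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        Image       = $data['Image']        # process that loaded the DLL
        ImageLoaded = $data['ImageLoaded']  # the DLL that was loaded
        Signed      = $data['Signed']
        Signature   = $data['Signature']
        Hashes      = $data['Hashes']
    }
}

# Assumed list of directories a standard user can usually write to; an unsigned
# DLL loaded from one of these by a legitimate binary is the classic hijack tell.
$userWritable = '^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)'
$suspicious   = $loads | Where-Object { $_.ImageLoaded -match $userWritable }

'== Unsigned image loads, grouped by process and DLL =='
$loads | Group-Object Image, ImageLoaded |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Image, ImageLoaded'; e = { $_.Name } } |
    Format-Table -AutoSize

'== Unsigned DLLs loaded from user-writable paths =='
$suspicious | Select-Object TimeCreated, Image, ImageLoaded, Hashes |
    Format-Table -AutoSize
```

Run it as `.\Find-UnsignedLoads.ps1` (or pass `-LogPath` to point at a different export). The Hashes column is what you would pivot on next: a DLL that is unsigned, sits in a user-writable directory, and has a hash unknown to your baseline is worth pulling for analysis before anything else in the log.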