Why is my Advanced Hunting Query unable to show the records that I want?

Nathaniel Kwok

I am trying to see if a PowerShell file that I signed (signtools) shows up in an Advanced Hunting Query, but it does not. I ran the signtools command in PowerShell, and it shows that the file was signed successfully. Yet, when I go to the query to try to look for it, the signed file does not show up. Below is my Advanced Hunting Query:

DeviceFileCertificateInfo
//get files where certificate older than today
| where Timestamp > ago(90d)
| where CertificateExpirationTime < now()
| distinct SHA1, Issuer, Signer, CertificateExpirationTime, IsTrusted, IsRootSignerMicrosoft, SignerHash
| project-kee
