Event ID 6

Provides information about a driver being loaded on the system
Source:     Microsoft-Windows-Sysmon
Category:     Driver loaded (rule: DriverLoad)
Driver loaded:
    RuleName: %1!s!
    UtcTime: %2!s!
    ImageLoaded: %3!s!
    Hashes: %4!s!
    Signed: %5!s!
    Signature: %6!s!
    SignatureStatus: %7!s!


The driver loaded event provides information about a driver being loaded on the system. The configured hashes are provided, as well as signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading.
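The following is an added example, not part of the original page or of Sysmon itself: it parses rendered Event ID 6 messages using the field names from the template above and flags driver loads that are unsigned, whose signature status is not "Valid", or whose signer is not on an allowlist. The sample messages, paths, signer names, status values and the allowlist are constructed for illustration, and treating only "Valid" as acceptable is an assumption.

```python
FIELDS = ("RuleName", "UtcTime", "ImageLoaded", "Hashes",
          "Signed", "Signature", "SignatureStatus")  # names from the template above

def parse_driver_load(message):
    """Parse a rendered 'Driver loaded:' message into a dict of its fields."""
    event = {}
    for line in message.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in FIELDS:
            event[key] = value.strip()
    # "ALG=HEX,ALG=HEX" becomes {"ALG": "HEX", ...}
    event["Hashes"] = dict(h.split("=", 1)
                           for h in event.get("Hashes", "").split(",") if "=" in h)
    return event

def triage(event, trusted_signers):
    """Return the reasons a driver load needs review (empty list means none)."""
    if event.get("Signed", "").lower() != "true":
        return ["unsigned"]
    if event.get("SignatureStatus") != "Valid":  # assumption: only "Valid" is accepted
        return ["signature status: " + event.get("SignatureStatus", "missing")]
    if event.get("Signature") not in trusted_signers:
        return ["unexpected signer: " + event.get("Signature", "missing")]
    return []

def sample(image, signed, signer, status):
    """Build a constructed message in the template's layout (not real telemetry)."""
    return ("Driver loaded:\n    RuleName: -\n    UtcTime: 2024-01-01 10:00:00.000\n"
            f"    ImageLoaded: {image}\n    Hashes: SHA256={'A' * 64}\n"
            f"    Signed: {signed}\n    Signature: {signer}\n"
            f"    SignatureStatus: {status}")

TRUSTED = {"Constructed Trusted Vendor"}  # hypothetical allowlist of signer names
SAMPLES = [  # constructed inputs covering each triage outcome
    sample(r"C:\Windows\System32\drivers\good.sys", "true",
           "Constructed Trusted Vendor", "Valid"),
    sample(r"C:\Users\Public\nosig.sys", "false", "-", "Unavailable"),
    sample(r"C:\Windows\System32\drivers\old.sys", "true",
           "Constructed Trusted Vendor", "Expired"),
    sample(r"C:\Windows\Temp\other.sys", "true",
           "Constructed Unknown Vendor", "Valid"),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        ev = parse_driver_load(msg)
        print(ev["ImageLoaded"], triage(ev, TRUSTED) or "ok")
```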

Auditing:     Always

Due to its low volume and valuable insight into driver activity, this event should always be audited.


Volume:     Low Medium



