Event ID 7

A module (DLL) is loaded in a specific process
Source:
Microsoft-Windows-Sysmon
Category:
Image loaded (rule: ImageLoad)
Image loaded:
    RuleName: %1!s!
    UtcTime: %2!s!
    ProcessGuid: %3!s!
    ProcessId: %4!s!
    Image: %5!s!
    ImageLoaded: %6!s!
    FileVersion: %7!s!
    Description: %8!s!
    Product: %9!s!
    Company: %10!s!
    OriginalFileName: %11!s!
    Hashes: %12!s!
    Signed: %13!s!
    Signature: %14!s!
    SignatureStatus: %15!s!
    User: %16!s!


The image loaded event logs when a module (DLL) is loaded into a specific process. This event is disabled by default and must be enabled either with the "-l" command-line option or with an ImageLoad filter in the configuration file. It records the process into which the module was loaded, the hashes of the loaded image and its signature information. The signature check is performed asynchronously for performance reasons, and the signature status also indicates whether the file was removed after loading. This event should be configured carefully, as monitoring all image load events generates a very large volume of logging.
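The following configuration fragment is an added example, not the page's or Sysmon's own configuration. It contrasts the setting that records every module load with a targeted include filter that records only loads worth investigating. The schemaversion must match the installed Sysmon build, and the rule names, paths and the choice of DLLs are illustrative assumptions; validate the file against the installed build before deploying it.

```xml
<!-- Added example; schemaversion, rule names and paths are assumptions. -->
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- Weak setting, left commented out: an empty exclude filter turns
         Event ID 7 on for every module load on the host, which is the
         high-volume configuration the text warns about.
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="exclude" />
    </RuleGroup>
    -->

    <!-- Targeted setting: conditions directly under ImageLoad are OR'ed;
         conditions inside a Rule element with groupRelation="and" must all match. -->
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="include">
        <!-- Unsigned module loaded from a user-writable location -->
        <Rule name="ImageLoad_UnsignedUserPath" groupRelation="and">
          <Signed condition="is">false</Signed>
          <ImageLoaded condition="begin with">C:\Users\</ImageLoaded>
        </Rule>
        <!-- Any module loaded from a Temp directory -->
        <ImageLoaded condition="contains">\Temp\</ImageLoaded>
        <!-- PowerShell engine hosted by something other than powershell.exe -->
        <Rule name="ImageLoad_PSEngineUnusualHost" groupRelation="and">
          <ImageLoaded condition="end with">\System.Management.Automation.dll</ImageLoaded>
          <Image condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
        </Rule>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply it with `sysmon64.exe -c image-load.xml` (file name assumed); Sysmon rejects the file at load time if a field or condition is not in the installed build's schema. Because the signature is verified asynchronously, expect the Signed, Signature and SignatureStatus fields to reflect the state of the file at the time the check completed, which is why the first rule pairs the Signed condition with a path condition rather than relying on it alone.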


