Event ID 7

A module (DLL) is loaded in a specific process
Source: Microsoft-Windows-Sysmon
Category: Image loaded (rule: ImageLoad)
Image loaded:
    RuleName: %1!s!
    UtcTime: %2!s!
    ProcessGuid: %3!s!
    ProcessId: %4!s!
    Image: %5!s!
    ImageLoaded: %6!s!
    FileVersion: %7!s!
    Description: %8!s!
    Product: %9!s!
    Company: %10!s!
    OriginalFileName: %11!s!
    Hashes: %12!s!
    Signed: %13!s!
    Signature: %14!s!
    SignatureStatus: %15!s!
    User: %16!s!


The image loaded event logs when a module is loaded in a specific process. This event is disabled by default and needs to be configured with the "-l" option. It indicates the process in which the module is loaded, the module's hashes and its signature information. The signature is created asynchronously for performance reasons and indicates whether the file was removed after loading. This event should be configured carefully, as monitoring all image load events will generate a significant amount of logging.

Auditing:     Conditional

This event is extremely valuable, as it can help detect a variety of DLL-based attacks (https://attack.mitre.org/techniques/T1574/001/). Manual tuning of both the Sysmon configuration and event log monitoring is required, as this event will generate a large volume of events.


Volume:     High / Very High

Enabling this event will almost always result in a high log volume.
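As an added example (not part of this reference page or of Sysmon itself), the routine below shows the kind of event log monitoring the tuning advice above refers to: it parses constructed Event ID 7 records in Windows event XML shape and flags loads using the Signed, SignatureStatus and ImageLoaded fields listed above. The user-writable directory list, file paths, GUID, PID, hash and user name are assumptions and placeholders.

```python
# Added example (not from the page): triage Sysmon Event ID 7 records by the
# Signed / SignatureStatus / ImageLoaded fields listed above. Samples are constructed.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed list of directories a standard user can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def parse_event7(xml_text):
    """Return the EventData fields of one Event ID 7 record as a dict.
    The Hashes field ("SHA256=...,IMPHASH=...") is split into a sub-dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["Hashes"] = dict(
        h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h
    )
    return fields

def triage(fields):
    """Return the reasons an image load deserves analyst attention ([] if none)."""
    reasons = []
    if fields.get("Signed", "").lower() != "true":
        reasons.append("module is unsigned")
    elif fields.get("SignatureStatus") != "Valid":
        reasons.append("signature status is " + fields.get("SignatureStatus", "?"))
    if fields.get("ImageLoaded", "").lower().startswith(USER_WRITABLE):
        reasons.append("module loaded from a user-writable path")
    return reasons

def sample_event(image, loaded, signed, status, signature):
    """Build a constructed Event ID 7 record in Windows event XML shape
    (placeholder GUID, PID, hash and user)."""
    rows = {
        "RuleName": "-", "UtcTime": "2024-01-01 00:00:00.000",
        "ProcessGuid": "{00000000-0000-0000-0000-000000000000}", "ProcessId": "1234",
        "Image": image, "ImageLoaded": loaded, "Hashes": "SHA256=" + "0" * 64,
        "Signed": signed, "Signature": signature, "SignatureStatus": status,
        "User": "LAB\\user",
    }
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in rows.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>7</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

BENIGN = sample_event(r"C:\Windows\System32\notepad.exe",
                      r"C:\Windows\System32\kernel32.dll", "true", "Valid", "Microsoft Windows")
SUSPECT = sample_event(r"C:\Windows\System32\notepad.exe",
                       r"C:\Users\user\AppData\Local\Temp\helper.dll", "false", "Unavailable", "-")
```

Because the signature is computed asynchronously, a record whose SignatureStatus is not yet "Valid" is a prompt to look, not a verdict; pair the hash with a reputation check before escalating.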



