Defender-DeviceImageLoadEvents
2 ActionTypes
| ActionType | Title |
|---|---|
| any | Image load (any) |
| ImageLoaded | Image loaded |
any: Image load (any)
Description
Image load (any)
Fields
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ActionType | |
| FileName | |
| FolderPath | |
| SHA256 | |
| InitiatingProcessFileName | |
Detection Patterns
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| GlobalPrevalence | lt | 200 | 2 rules | kusto |
| EventType | in | FileCreated | 2 rules | kusto |
| EventType | in | FileModified | 2 rules | kusto |
| IntegrityLevel | in | High | 1 rule | kusto, splunk |
| IntegrityLevel | in | System | 1 rule | kusto, splunk |
| parent_process_name | in | cscript.exe | 1 rule | kusto, splunk |
| parent_process_name | in | wscript.exe | 1 rule | kusto, splunk |
| GlobalPrevalence | is_null | | 1 rule | kusto |
| RemoteIPType | eq | Public | 1 rule | kusto |
| parent_process_name | contains | regsvr32.exe | 1 rule | kusto |
| parent_process_name | contains | rundll32.exe | 1 rule | kusto |
| parent_process_name | in | mshta.exe | 1 rule | kusto |
Detection Rules
Kusto
- Hijack Execution Flow - DLL Side-Loading (medium): This detection tries to identify all DLLs loaded by "high integrity" processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process. Of course, we need to do some magic to filter out false positives as much as possible. So any FileCreate/FileModify done by "NT Authority\System" and the "RID 500" users aren't interesting. Also, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token elevation. If done with a full elevated token, the user is apparently admin already.
- Detect .NET runtime being loaded in JScript for code execution (medium): This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter. All based on the DotNetToJScript by James Forshaw documented here: https://github.com/tyranid/DotNetToJScript.
- Regsvr32 Rundll32 Image Loads Abnormal Extension (high): This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll. Joins the data to public network events. References: https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
- PowerShell without powershell.exe: This query detects the use of PowerShell through "system.management.automation.dll" which is invoked by a process with a low global prevalence (i.e., fairly unique binary). Also matches ImageLoaded: Image loaded.
- WinRM Plugin Lateral Movement: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. Also matches ImageLoaded: Image loaded.
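The DLL side-loading rule above describes a join between this table and DeviceFileEvents; the following advanced hunting query is an added illustration of that logic, not the catalogued rule's own text, and assumes the Defender XDR schema column names (InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessAccountSid) and that FolderPath is comparable between the two tables.

```kusto
// Added illustrative query, not the catalogued rule's own text.
// Assumed: Defender XDR advanced hunting schema (DeviceImageLoadEvents, DeviceFileEvents).
let lookback = 30d;
// DLLs written or modified by a Medium-integrity process that was not running with a
// fully elevated token, excluding NT AUTHORITY\SYSTEM and the built-in Administrator (RID 500).
let writes =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified")
    | where FileName endswith ".dll"
    | where InitiatingProcessIntegrityLevel == "Medium"
    | where InitiatingProcessTokenElevation in ("TokenElevationTypeDefault", "TokenElevationTypeLimited")
    | where InitiatingProcessAccountSid != "S-1-5-18"      // NT AUTHORITY\SYSTEM
    | where InitiatingProcessAccountSid !endswith "-500"   // built-in Administrator (RID 500)
    | project DeviceId,
              WriteTime = Timestamp,
              DllPath = tolower(FolderPath),
              DllName = tolower(FileName),
              WriterProcess = InitiatingProcessFileName,
              WriterAccount = InitiatingProcessAccountName;
// The same DLL (same device, path and name) later loaded by a High- or System-integrity process.
DeviceImageLoadEvents
| where Timestamp > ago(lookback)
| where ActionType == "ImageLoaded"
| where InitiatingProcessIntegrityLevel in ("High", "System")
| extend DllPath = tolower(FolderPath), DllName = tolower(FileName)
| join kind=inner writes on DeviceId, DllPath, DllName
| where WriteTime < Timestamp   // the write must precede the privileged load
| project Timestamp, DeviceId, DllPath, SHA256,
          LoadingProcess = InitiatingProcessFileName,
          LoadingProcessIntegrity = InitiatingProcessIntegrityLevel,
          WriteTime, WriterProcess, WriterAccount
| order by Timestamp desc
```

Expect remaining noise from installers and updaters that legitimately drop DLLs into per-user paths before a privileged component loads them; those are the false positives the rule text says still need filtering per environment.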
References
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceimageloadevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceimageloadevents/
ImageLoaded: Image loaded
Description
Image loaded
Fields
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| FileName | |
| FolderPath | |
| SHA256 | |
| InitiatingProcessFileName | |
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| GlobalPrevalence | lt | 100 | 2 rules | kusto |
| GlobalPrevalence | lt | 200 | 1 rule | kusto |
Detection Rules
Kusto
- PowerShell without powershell.exe: This query detects the use of PowerShell through "system.management.automation.dll" which is invoked by a process with a low global prevalence (i.e., fairly unique binary). Also matches any: Image load (any).
- Suspicious use of CPL file: This query identifies .cpl files being loaded and verifies if the corresponding file is suspicious by looking at the signature and global prevalence.
- WinRM Plugin Lateral Movement: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. Also matches any: Image load (any).
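The rules in this section key on the GlobalPrevalence indicator listed above, which comes from the FileProfile() enrichment rather than from this table itself. The following query is an added illustration of the "PowerShell without powershell.exe" pattern, not the catalogued rule's own text; the list of expected PowerShell host binaries, the 7-day window and the prevalence threshold of 200 are assumptions.

```kusto
// Added illustrative query, not the catalogued rule's own text.
// Assumed: Defender XDR advanced hunting schema and the FileProfile() enrichment function.
let known_hosts = dynamic(["powershell.exe", "powershell_ise.exe", "pwsh.exe"]);
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where ActionType == "ImageLoaded"
// The PowerShell engine itself, including the native-image (NGEN) variant.
| where FileName =~ "system.management.automation.dll"
     or FileName =~ "system.management.automation.ni.dll"
// Anything other than the expected PowerShell hosts is worth a look.
| where InitiatingProcessFileName !in~ (known_hosts)
| where isnotempty(InitiatingProcessSHA1)
// Collapse to one row per loading binary before enrichment to stay within FileProfile() limits.
| summarize LoadCount = count(),
            DeviceCount = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
            by InitiatingProcessSHA1, InitiatingProcessFileName, InitiatingProcessFolderPath
// Enrich the loading process hash with global prevalence and signer information.
| invoke FileProfile(InitiatingProcessSHA1, 500)
// Unknown prevalence is treated as rare, matching the is_null / lt indicators on this page.
| where isnull(GlobalPrevalence) or GlobalPrevalence < 200
| project InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA1,
          GlobalPrevalence, Signer, IsCertificateValid,
          LoadCount, DeviceCount, FirstSeen, LastSeen
| order by GlobalPrevalence asc
```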
References
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceimageloadevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceimageloadevents/