Defender-DeviceImageLoadEvents

2 ActionTypes

ActionType     Title
any            Image load (any)
ImageLoaded    Image loaded

any: Image load (any)

Provider: Defender-DeviceImageLoadEvents
Channel: DeviceImageLoadEvents

Description: Image load (any)

Fields

Name                         Description
DeviceId
Timestamp
ActionType
FileName
FolderPath
SHA256
InitiatingProcessFileName

Detection Patterns

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field                  Kind      Value          Rules     Vendors
GlobalPrevalence       lt        200            2 rules   kusto
EventType              in        FileCreated    2 rules   kusto
EventType              in        FileModified   2 rules   kusto
IntegrityLevel         in        High           1 rule    kusto, splunk
IntegrityLevel         in        System         1 rule    kusto, splunk
parent_process_name    in        cscript.exe    1 rule    kusto, splunk
parent_process_name    in        wscript.exe    1 rule    kusto, splunk
GlobalPrevalence       is_null                  1 rule    kusto
RemoteIPType           eq        Public         1 rule    kusto
parent_process_name    contains  regsvr32.exe   1 rule    kusto
parent_process_name    contains  rundll32.exe   1 rule    kusto
parent_process_name    in        mshta.exe      1 rule    kusto

Detection Rules


Kusto

  • PowerShell without powershell.exe: This query detects the use of PowerShell through "system.management.automation.dll" which is invoked by a process with a low global prevalence (i.e., fairly unique binary). ↳ also matches ImageLoaded: Image loaded
  • WinRM Plugin Lateral Movement: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as a DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. ↳ also matches ImageLoaded: Image loaded

References

ImageLoaded: Image loaded

Provider: Defender-DeviceImageLoadEvents
Channel: ImageLoaded

Description: Image loaded

Fields

Name                         Description
DeviceId
Timestamp
FileName
FolderPath
SHA256
InitiatingProcessFileName

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field                  Kind      Value          Rules     Vendors
GlobalPrevalence       lt        100            2 rules   kusto
GlobalPrevalence       lt        200            1 rule    kusto

Detection Rules


Kusto

  • PowerShell without powershell.exe: This query detects the use of PowerShell through "system.management.automation.dll" which is invoked by a process with a low global prevalence (i.e., fairly unique binary). ↳ also matches any: Image load (any)
  • Suspicious use of CPL file: This query identifies .cpl files being loaded and verifies whether the corresponding file is suspicious by looking at the signature and global prevalence.
  • WinRM Plugin Lateral Movement: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as a DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. ↳ also matches any: Image load (any)

References