Event ID 9006000 — Image load (any)

Provider: Defender-DeviceImageLoadEvents
Channel: DeviceImageLoadEvents

Description

Image load (any)

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`ActionType`	—
`FileName`	—
`FolderPath`	—
`SHA256`	—
`InitiatingProcessFileName`	—

Detection Patterns #

Defense Evasion: Regsvr32

Defender-DeviceImageLoadEvents Event ID 9006000: Image load→Sysmon Event ID 7: Image loaded

1 rule

Kusto Query Language

Regsvr32 Rundll32 Image Loads Abnormal Extension (source)

Execution: User Execution

Defender-DeviceImageLoadEvents Event ID 9006000: Image loadORSysmon Event ID 7: Image loaded

1 rule

Kusto Query Language

Detect .NET runtime being loaded in JScript for code execution (source)

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceimageloadevents-table