Event ID 7 — Image loaded
Description
The image loaded event is generated when a module (typically a DLL) is loaded into a specific process. It records the loading process, the full path of the loaded module, the module's hashes, and its Authenticode signature details. The event is disabled by default and has to be enabled with the -l command-line option or an ImageLoad rule in the configuration file; because it fires for every module load in every process, it can produce a very large volume of events, so the configuration should be filtered carefully.
Fields
| Name | Type (Windows → normalized) | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag assigned to the event by the matching configuration rule, e.g. an ATT&CK technique ID; "-" when no rule name is set |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that loaded the image (stable across reboots, unlike the PID) |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that loaded the image |
| Image | UnicodeString → string | File path of the process that loaded the image |
| ImageLoaded | UnicodeString → string | Full path of the image (module) that was loaded |
| FileVersion | UnicodeString → string | Version of the loaded image, from its PE version resource |
| Description | UnicodeString → string | Description of the loaded image, from its PE version resource |
| Product | UnicodeString → string | Product name the loaded image belongs to |
| Company | UnicodeString → string | Company name the loaded image belongs to |
| OriginalFileName | UnicodeString → string | Original file name from the PE version resource; useful for spotting renamed modules, since renaming a file on disk does not change this value |
| Hashes | UnicodeString → string | Hashes of the file contents, one `ALG=value` pair per algorithm enabled in Sysmon's HashAlgorithms setting (e.g. MD5, SHA1, SHA256, IMPHASH) |
| Signed | UnicodeString → string | Whether the loaded image carries an Authenticode signature ("true" or "false") |
| Signature | UnicodeString → string | Name of the signer |
| SignatureStatus | UnicodeString → string | Signature validation status (e.g. "Valid") |
| User | UnicodeString → string | Account the loading process runs as (DOMAIN\user) |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 7,
    "version": 3,
    "level": 4,
    "task": 7,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:04:20.308288+00:00",
    "event_record_id": 1440307,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 02:04:20.300",
    "ProcessGuid": "E56ADA26-3995-6548-3608-000000000D00",
    "ProcessId": 16148,
    "Image": "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamtray.exe",
    "ImageLoaded": "C:\\Windows\\System32\\mobilenetworking.dll",
    "FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
    "Description": "\"MobileNetworking.DYNLINK\"",
    "Product": "Microsoft® Windows® Operating System",
    "Company": "Microsoft Corporation",
    "OriginalFileName": "\"MobileNetworking.DYNLINK\"",
    "Hashes": "SHA1=260C4C8799D0D4EF4074123DCB0F6CC1BAB8E398,MD5=86DC2DC65542D41C6DAEE47B12CAAF25,SHA256=B75EF0D9BE5C111341DAB495301C5939495487C2A76EB2EC1D1EAC393E6EFC5E,IMPHASH=839E809555F97D103A3AF38B8133172A",
    "Signed": "true",
    "Signature": "Microsoft Windows",
    "SignatureStatus": "Valid",
    "User": "WINDEV2310EVAL\\User"
  },
  "message": ""
}
```
Detection Patterns
- Defense Evasion: Regsvr32 (1 rule, Kusto Query Language)
- Execution: Exploitation for Client Execution (1 rule)
- Execution: User Execution (1 rule, Kusto Query Language)
- Persistence: Create or Modify System Process (1 rule, Kusto Query Language)
Community Notes
Image loaded. Generated when a process loads a DLL into memory, i.e., side-loading.
Detection Rules
Sigma
Showing 20 of the 98 Sigma rules that reference this event (rule level in parentheses).
- Clfs.SYS Loaded By Process Located In a Potential Suspicious Location (medium): Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System.
- DLL Loaded From Suspicious Location Via Cmspt.EXE (high): Detects cmstp loading "dll" or "ocx" files from suspicious locations.
- Amsi.DLL Loaded Via LOLBIN Process (medium): Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack.
- Potential Azure Browser SSO Abuse (low): Detects abuse of Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32 (high): Detects rundll32 loading a renamed comsvcs.dll to dump process memory.
- CredUI.DLL Loaded By Uncommon Process (medium): Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
- Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded (high): Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, the SILENTTRINITY C2 framework has a module that leverages this API to dump the contents of lsass.exe and transfer it over the network back to the attacker's machine.
- PCRE.NET Package Image Load (high): Detects processes loading modules related to the PCRE.NET package.
- Load Of RstrtMgr.DLL By A Suspicious Process (high): Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
- Load Of RstrtMgr.DLL By An Uncommon Process (low): Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE (high): Detects both the CVE-2022-30190 (Follina) and DogWalk vulnerabilities, which exploit the msdt.exe binary to load the "sdiageng.dll" library.
- PowerShell Core DLL Loaded By Non PowerShell Process (medium): Detects loading of essential DLLs used by PowerShell by a non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
- Time Travel Debugging Utility Usage - Image (high): Detects usage of the Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
- Unsigned .node File Loaded (medium): Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
- Suspicious Volume Shadow Copy VSS_PS.dll Load (high): Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts. The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
- Suspicious Volume Shadow Copy Vssapi.dll Load (high): Detects the image load of VSS DLL by uncommon executables.
- Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load (medium): Detects the image load of VSS DLL by uncommon executables.
- HackTool - SharpEvtMute DLL Load (high): Detects the load of EvtMuteHook.dll, a key component of SharpEvtMute, a tool that tampers with the Windows event logs.
- HackTool - SILENTTRINITY Stager DLL Load (high): Detects SILENTTRINITY stager DLL loading activity.
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load (critical): Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application class.
Elastic
- Potential Credential Access via Renamed COM+ Services DLL (high): Identifies suspicious renamed COMSVCS.DLL image load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.
Splunk
Showing 20 of the 34 Splunk analytics that reference this event.
- CMLUA Or CMSTPLUA UAC Bypass: The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.
- Loading Of Dynwrapx Module: The following analytic detects the loading of the dynwrapx.dll module, which is associated with the DynamicWrapperX ActiveX component. This detection leverages Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll. This activity is significant because DynamicWrapperX can be used to call Windows API functions in scripts, making it a potential tool for malicious actions. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the host. Immediate investigation of parallel processes and registry modifications is recommended.
- MS Scripting Process Loading Ldap Module: The following analytic detects the execution of MS scripting processes (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant as it may indicate an attempt to query LDAP for host information, a behavior observed in FIN7 implants. If confirmed malicious, this could allow attackers to gather detailed Active Directory information, potentially leading to further exploitation or data exfiltration.
- MS Scripting Process Loading WMI Module: The following analytic detects the loading of WMI modules by Microsoft scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode 7 to identify instances where these scripting engines load specific WMI-related DLLs. This activity is significant because it can indicate the presence of malware, such as the FIN7 implant, which uses JavaScript to execute WMI queries for gathering host information to send to a C2 server. If confirmed malicious, this behavior could allow attackers to collect sensitive system information and maintain persistence within the environment.
- MSI Module Loaded by Non-System Binary: The following analytic detects the loading of `msi.dll` by a binary not located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 or DLL side-loading attacks, both of which can lead to unauthorized system modifications. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.
- Spoolsv Suspicious Loaded Modules: The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk.
- UAC Bypass MMC Load Unsigned Dll: The following analytic detects the loading of an unsigned DLL by the MMC.exe application, which is indicative of a potential UAC bypass or privilege escalation attempt. It leverages Sysmon EventCode 7 to identify instances where MMC.exe loads a non-Microsoft, unsigned DLL. This activity is significant because attackers often use this technique to modify CLSID registry entries, causing MMC.exe to load malicious DLLs, thereby bypassing User Account Control (UAC) and gaining elevated privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with higher privileges, leading to further system compromise and persistence.
- UAC Bypass With Colorui COM Object: The following analytic detects a potential UAC bypass using the colorui.dll COM object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll is loaded by a process other than colorcpl.exe, excluding common system directories. This activity is significant because UAC bypass techniques are often used by malware, such as LockBit ransomware, to gain elevated privileges without user consent. If confirmed malicious, this could allow an attacker to execute code with higher privileges, leading to further system compromise and persistence within the environment.
- Wbemprox COM Object Execution: The following analytic detects a suspicious process loading a COM object from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes not typically associated with them, excluding known legitimate processes and directories. This activity is significant as it may indicate an attempt by threat actors to abuse COM objects for privilege escalation or evasion of detection mechanisms. If confirmed malicious, this could allow attackers to gain elevated privileges or maintain persistence within the environment, posing a significant security risk.
- Windows BitDefender Submission Wizard DLL Sideloading: Detects DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path via Sysmon ImageLoad events.
- Windows Credentials Access via VaultCli Module: The following analytic detects potentially abnormal interactions with VaultCLI.dll, particularly those initiated by processes located in publicly writable Windows folder paths. The VaultCLI.dll module allows processes to extract credentials from the Windows Credential Vault. It was seen being abused by information stealers such as Meduza. The analytic monitors suspicious API calls, unauthorized credential access patterns, and anomalous process behaviors indicative of malicious activity. By leveraging a combination of signature-based detection and behavioral analysis, it effectively flags attempts to misuse the vault for credential theft, enabling swift response to protect sensitive user data and ensure system security.
- Windows DLL Module Loaded in Temp Dir: The following analytic detects instances where a Dynamic Link Library (DLL) is loaded from a temporary directory on a Windows system. Loading DLLs from non-standard paths such as %TEMP% is uncommon for legitimate applications and is often associated with adversary tradecraft, including DLL search order hijacking, side-loading, or execution of malicious payloads staged in temporary folders. Adversaries frequently leverage these directories because they are writable by standard users and often overlooked by security controls, making them convenient locations to drop and execute malicious files. This behavior may indicate attempts to evade detection, execute unauthorized code, or maintain persistence through hijacked execution flows. Detection of DLL loads from %TEMP% can help surface early signs of compromise and should be investigated in the context of the originating process, user account, and potential file creation or modification activity within the same directory.
- Windows DLL Search Order Hijacking Hunt with Sysmon: The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment.
- Windows DLL Side-Loading In Calc: The following analytic detects the loading of "WindowsCodecs.dll" by calc.exe from a non-standard location. This could be indicative of a potential DLL side-loading technique. This detection leverages Sysmon EventCode 7 to identify the DLL side-loading activity. In previous versions of the "calc.exe" binary, namely on Windows 7, it was vulnerable to DLL side-loading, where an attacker is able to load an arbitrary DLL named "WindowsCodecs.dll". This technique has been observed in Qakbot malware. This activity is significant as it indicates potential malware execution through a trusted process, which can bypass security controls. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges within the environment.
- Windows Executable in Loaded Modules: The following analytic identifies instances where executable files (.exe) are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This method leverages Sysmon EventCode 7 to track unusual module loading behavior, which is significant as it deviates from the norm of loading .dll files. This activity is crucial for SOC monitoring because it can indicate the presence of malware like NjRAT, which uses this technique to load malicious modules. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and further compromise the host system.
- Windows Gather Victim Identity SAM Info: The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network.
- Windows Hijack Execution Flow Version Dll Side Load: The following analytic detects a process loading a version.dll file from a directory other than %windir%\system32 or %windir%\syswow64. This detection leverages Sysmon EventCode 7 to identify instances where an unsigned or improperly located version.dll is loaded. This activity is significant as it is a common technique used in ransomware and APT malware campaigns, including Brute Ratel C4, to execute malicious code via DLL side loading. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and potentially compromise the target host.
- Windows Input Capture Using Credential UI Dll: The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network.
- Windows InstallUtil Credential Theft: The following analytic detects instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because it can indicate an attempt to execute code that bypasses application control and captures credentials using tools like Mimikatz. If confirmed malicious, this behavior could allow an attacker to steal credentials, potentially leading to unauthorized access and further compromise of the system.
- Windows Known Abused DLL Loaded Suspiciously: The following analytic detects when DLLs with known abuse history are loaded from an unusual location. This activity may represent an attacker performing a DLL search order or sideload hijacking technique. These techniques are used to gain persistence as well as elevate privileges on the target system. This detection relies on Sysmon EID 7 and is compatible with all official Sysmon TA versions.
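The following script is an added example written for this page; it is not code from Sysmon, Sigma, Splunk or Elastic. It reads Event ID 7 records shaped like the event_data object in the Example Event section (using the fields described in the Fields table) and applies four of the rules summarized above: the renamed comsvcs.dll check (OriginalFileName versus the on-disk name; renaming does not invalidate the Authenticode signature, so Signed stays "true" and is no help there), version.dll loaded from outside system32/syswow64, a module loaded from a user-writable directory, and mmc.exe loading an unsigned DLL. The sample records are constructed (the vendor paths and user names are made up), and USER_WRITABLE_DIRS is an assumed starting list you would tune for your environment.

```python
"""Evaluate a few Sysmon Event ID 7 detection patterns over image-load records.

Added example for this page, not code from Sysmon, Sigma, Splunk or Elastic.
Records are dicts shaped like the event_data object in the Example Event.
The sample records and USER_WRITABLE_DIRS below are constructed/assumed.
"""
import ntpath

# Where Windows keeps its own modules (all comparisons are case-insensitive).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
# Assumed list of locations a standard user can write to.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "c:\\windows\\temp\\",
                      "c:\\users\\public\\", "c:\\programdata\\")


def parse_hashes(field: str) -> dict:
    """Split the Hashes field ('SHA1=...,MD5=...') into {algorithm: hex digest}.
    Which algorithms appear follows Sysmon's HashAlgorithms configuration."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _under(path: str, dirs) -> bool:
    lowered = path.lower()
    return any(d in lowered for d in dirs)


def renamed_comsvcs_via_rundll32(ev: dict) -> bool:
    """Sigma 'Suspicious Renamed Comsvcs DLL Loaded By Rundll32': the PE version
    resource still says comsvcs.dll but the file on disk has another name."""
    return (_base(ev["Image"]) == "rundll32.exe"
            and ev.get("OriginalFileName", "").lower() == "comsvcs.dll"
            and _base(ev["ImageLoaded"]) != "comsvcs.dll")


def version_dll_sideload(ev: dict) -> bool:
    """Splunk 'Windows Hijack Execution Flow Version Dll Side Load':
    version.dll loaded from anywhere other than system32 or syswow64."""
    return (_base(ev["ImageLoaded"]) == "version.dll"
            and not _under(ev["ImageLoaded"], SYSTEM_DIRS[:2]))


def module_from_user_writable_dir(ev: dict) -> bool:
    """Splunk 'Windows DLL Module Loaded in Temp Dir', widened to every
    location in the assumed USER_WRITABLE_DIRS list."""
    return _under(ev["ImageLoaded"], USER_WRITABLE_DIRS)


def mmc_loads_unsigned_dll(ev: dict) -> bool:
    """Splunk 'UAC Bypass MMC Load Unsigned Dll'. Signed is a string, not a bool."""
    return (_base(ev["Image"]) == "mmc.exe"
            and ev.get("Signed", "").lower() == "false")


CHECKS = (renamed_comsvcs_via_rundll32, version_dll_sideload,
          module_from_user_writable_dir, mmc_loads_unsigned_dll)


def evaluate(ev: dict) -> list:
    """Names of the checks that fire for one Event ID 7 record, in CHECKS order."""
    return [check.__name__ for check in CHECKS if check(ev)]


# Constructed sample records carrying only the fields the checks read.
SAMPLE_EVENTS = {
    # Mirrors the Example Event above: a signed Microsoft DLL from System32.
    "signed_system_dll": {
        "Image": "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamtray.exe",
        "ImageLoaded": "C:\\Windows\\System32\\mobilenetworking.dll",
        "OriginalFileName": "\"MobileNetworking.DYNLINK\"",
        "Hashes": "SHA1=260C4C8799D0D4EF4074123DCB0F6CC1BAB8E398,"
                  "MD5=86DC2DC65542D41C6DAEE47B12CAAF25,"
                  "SHA256=B75EF0D9BE5C111341DAB495301C5939495487C2A76EB2EC1D1EAC393E6EFC5E,"
                  "IMPHASH=839E809555F97D103A3AF38B8133172A",
        "Signed": "true",
    },
    # comsvcs.dll copied to a public folder under a new name; signature intact.
    "renamed_comsvcs": {
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "ImageLoaded": "C:\\Users\\Public\\update.dll",
        "OriginalFileName": "comsvcs.dll",
        "Signed": "true",
    },
    # A (made-up) vendor updater picking up an unsigned version.dll beside itself.
    "version_dll_next_to_exe": {
        "Image": "C:\\Program Files\\Contoso\\Updater.exe",
        "ImageLoaded": "C:\\Program Files\\Contoso\\version.dll",
        "OriginalFileName": "-",
        "Signed": "false",
    },
    # The real version.dll loaded by a system binary: must stay quiet.
    "version_dll_from_system32": {
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ImageLoaded": "C:\\Windows\\System32\\version.dll",
        "OriginalFileName": "version.dll",
        "Signed": "true",
    },
    # mmc.exe loading an unsigned DLL staged in a user's Temp folder.
    "mmc_unsigned_from_temp": {
        "Image": "C:\\Windows\\System32\\mmc.exe",
        "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll",
        "OriginalFileName": "-",
        "Signed": "false",
    },
}


def triage() -> dict:
    """Map each sample record to the list of checks it triggers."""
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name:26s} -> {hits or 'no hits'}")
```

Run it and only the three staged records fire; the Example Event and the genuine version.dll load from System32 produce no hits. In a real pipeline the records come from parsing the Sysmon/Operational channel rather than from SAMPLE_EVENTS, and the path lists are the first thing to tune against your own baseline.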
References
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-7-image-loaded
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-7.yml
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection