Detection rules › By event

Microsoft-Windows-Sysmon event 7

134 detection rules reference this event. View event page.

Sigma (98)

Abusable DLL Potential Sideloading From Suspicious Location severity high T1059
Amsi.DLL Loaded Via LOLBIN Process severity medium
Aruba Network Service Potential DLL Sideloading severity high T1574.001
BaaUpdate.exe Suspicious DLL Load severity high T1021.003, T1218
Clfs.SYS Loaded By Process Located In a Potential Suspicious Location severity medium T1059
CLR DLL Loaded Via Office Applications severity medium T1204.002
CredUI.DLL Loaded By Uncommon Process severity medium T1056.002
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE severity high T1202
DLL Load By System Process From Suspicious Locations severity medium T1070
DLL Loaded From Suspicious Location Via Cmspt.EXE severity high T1218.003
DLL Sideloading Of ShellChromeAPI.DLL severity high T1574.001
DotNET Assembly DLL Loaded Via Office Application severity medium T1204.002
DotNet CLR DLL Loaded By Scripting Applications severity high T1055
Fax Service DLL Search Order Hijack severity high T1574.001
GAC DLL Loaded Via Office Applications severity high T1204.002
HackTool - SharpEvtMute DLL Load severity high T1562.002
HackTool - SILENTTRINITY Stager DLL Load severity high T1071
Load Of RstrtMgr.DLL By A Suspicious Process severity high T1486, T1562.001
Load Of RstrtMgr.DLL By An Uncommon Process severity low T1486, T1562.001
Microsoft Excel Add-In Loaded From Uncommon Location severity medium T1204.002
Microsoft Office DLL Sideload severity high T1574.001
Microsoft VBA For Outlook Addin Loaded Via Outlook severity medium T1204.002
MMC Loading Script Engines DLLs severity medium T1059.005, T1218.014
PCRE.NET Package Image Load severity high T1059
Potential 7za.DLL Sideloading severity low T1574.001
Potential Antivirus Software DLL Sideloading severity medium T1574.001
Potential appverifUI.DLL Sideloading severity high T1574.001
Potential AVKkid.DLL Sideloading severity medium T1574.001
Potential Azure Browser SSO Abuse severity low T1574.001
Potential CCleanerDU.DLL Sideloading severity medium T1574.001
Potential CCleanerReactivator.DLL Sideloading severity medium T1574.001
Potential Chrome Frame Helper DLL Sideloading severity medium T1574.001
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load severity critical T1021.002, T1021.003
Potential DLL Sideloading Of DBGCORE.DLL severity medium T1574.001
Potential DLL Sideloading Of DBGHELP.DLL severity medium T1574.001
Potential DLL Sideloading Of DbgModel.DLL severity medium T1574.001
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE severity high T1574.001
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE severity medium T1574.001
Potential DLL Sideloading Of MpSvc.DLL severity medium T1574.001
Potential DLL Sideloading Of MsCorSvc.DLL severity medium T1574.001
Potential DLL Sideloading Of Non-Existent DLLs From System Folders severity high T1574.001
Potential DLL Sideloading Using Coregen.exe severity medium T1055, T1218
Potential DLL Sideloading Via ClassicExplorer32.dll severity medium T1574.001
Potential DLL Sideloading Via comctl32.dll severity high T1574.001
Potential DLL Sideloading Via JsSchHlp severity medium T1574.001
Potential DLL Sideloading Via VMware Xfer severity high T1574.001
Potential EACore.DLL Sideloading severity high T1574.001
Potential Edputil.DLL Sideloading severity high T1574.001
Potential Goopdate.DLL Sideloading severity medium T1574.001
Potential Iviewers.DLL Sideloading severity high T1574.001
Potential JLI.dll Side-Loading severity high T1574.001
Potential Libvlc.DLL Sideloading severity medium T1574.001
Potential Mfdetours.DLL Sideloading severity medium T1574.001
Potential Mpclient.DLL Sideloading severity high T1574.001
Potential Python DLL SideLoading severity medium T1574.001
Potential Rcdll.DLL Sideloading severity high T1574.001
Potential RjvPlatform.DLL Sideloading From Default Location severity medium T1574.001
Potential RjvPlatform.DLL Sideloading From Non-Default Location severity high T1574.001
Potential RoboForm.DLL Sideloading severity medium T1574.001
Potential ShellDispatch.DLL Sideloading severity medium T1574.001
Potential SmadHook.DLL Sideloading severity high T1574.001
Potential SolidPDFCreator.DLL Sideloading severity medium T1574.001
Potential System DLL Sideloading From Non System Locations severity high T1574.001
Potential Vivaldi_elf.DLL Sideloading severity medium T1574.001
Potential Waveedit.DLL Sideloading severity high T1574.001
Potential Wazuh Security Platform DLL Sideloading severity medium T1574.001
Potential WWlib.DLL Sideloading severity medium T1574.001
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load severity medium T1490
PowerShell Core DLL Loaded By Non PowerShell Process severity medium T1059.001
PowerShell Core DLL Loaded Via Office Application severity medium
Python Image Load By Non-Python Process severity low T1027.002
Remote DLL Load Via Rundll32.EXE severity medium T1204.002
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location severity high T1003, T1562.001
Suspicious Renamed Comsvcs DLL Loaded By Rundll32 severity high T1003.001
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded severity high T1003.001
Suspicious Unsigned Thor Scanner Execution severity high T1574.001
Suspicious Volume Shadow Copy VSS_PS.dll Load severity high T1490
Suspicious Volume Shadow Copy Vssapi.dll Load severity high T1490
Suspicious WSMAN Provider Image Loads severity medium T1021.003, T1059.001
System Control Panel Item Loaded From Uncommon Location severity high T1574.001
Third Party Software DLL Sideloading severity medium T1574.001
Time Travel Debugging Utility Usage - Image severity high T1003.001, T1218
Trusted Path Bypass via Windows Directory Spoofing severity high T1548.002, T1574.007
UAC Bypass Using Iscsicpl - ImageLoad severity high T1548.002
UAC Bypass With Fake DLL severity high T1548.002, T1574.001
Unsigned .node File Loaded severity medium T1036.005, T1129, T1574.001
Unsigned DLL Loaded by Windows Utility severity medium T1218.010, T1218.011
Unsigned Image Loaded Into LSASS Process severity medium T1003.001
Unsigned Mfdetours.DLL Sideloading severity high T1574.001
Unsigned Module Loaded by ClickOnce Application severity medium T1574.001
VBA DLL Loaded Via Office Application severity high T1204.002
VMGuestLib DLL Sideload severity medium T1574.001
VMMap Signed Dbghelp.DLL Potential Sideloading severity medium T1574.001
VMMap Unsigned Dbghelp.DLL Potential Sideloading severity high T1574.001
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load severity medium T1546.003
WMI Persistence - Command Line Event Consumer severity high T1546.003
WMIC Loading Scripting Libraries severity medium T1220
Wmiprvse Wbemcomn DLL Hijack severity high T1021.002, T1047

Elastic (1)

Potential Credential Access via Renamed COM+ Services DLL T1003, T1003.001, T1036, T1036.003, T1218, T1218.011

Microsoft-Windows-Sysmon event 7

Sigma (98)

Elastic (1)

Splunk (35)

Keyboard Shortcuts