Detection rules › Kusto Query Language
COM Event System Loading New DLL
This query uses Sysmon Image Load (Event ID 7) and Process Create (Event ID 1) data to look for COM Event System being used to load a newly seen DLL.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1543 Create or Modify System Process |
| Privilege Escalation | T1543 Create or Modify System Process |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 7 | Image loaded |
Stages and Predicates
Stage 1: source (Event)
Stage 2: where (Source eq "Microsoft-Windows-Sysmon")
Stage 3: where (EventID eq "7")
Stage 4: extend
Stage 5: extend
Stage 6: extend
Stage 7: mv-expand
Stage 8: where (macro "(tostring(Images.@Name) =~ \"Image\")")
Stage 9: extend
Stage 10: where (Image ends_with "\\\\svchost.exe")
Stage 11: extend
Stage 12: mv-expand
Stage 13: where (macro "(tostring(LoadedItems.@Name) =~ \"ImageLoaded\")")
Stage 14: extend
Stage 15: extend
Stage 16: extend
Stage 17: join
Stage 18: extend
Stage 19: where (ImageLoadTime le "ProcessExecutionTime" and delta le "timedelta")
Stage 20: where (not DLL eq "known_dlls")
Stage 21: extend
Stage 22: project-reorder
Stage 23: extend
Stage 24: extend
Stage 25: mv-expand
Stage 26: extend
Stage 27: extend
Stage 28: extend
Stage 29: extend
Stage 30: extend
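The stage logic above, re-implemented over constructed Sysmon events as an added example (Python rather than the catalog's KQL, and not the rule's own code). It assumes ProcessGuid is the Event 1 / Event 7 join key, that the COM Event System host is recognised by "-s EventSystem" in its command line, and that known_dlls and timedelta are placeholders, since the page does not give their values.

```python
from datetime import datetime, timedelta

SVCHOST = "C:\\Windows\\System32\\svchost.exe"
# Constructed sample events (Sysmon field names; values invented for the demo).
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:00.000", "ProcessGuid": "{P1}",
     "Image": SVCHOST, "CommandLine": SVCHOST + " -k netsvcs -p -s EventSystem"},
    {"EventID": 7, "UtcTime": "2024-05-01 10:00:00.250", "ProcessGuid": "{P1}",
     "Image": SVCHOST, "ImageLoaded": "C:\\Windows\\System32\\es.dll"},
    {"EventID": 7, "UtcTime": "2024-05-01 10:00:01.000", "ProcessGuid": "{P1}",
     "Image": SVCHOST, "ImageLoaded": "C:\\Users\\Public\\unexpected.dll"},
    {"EventID": 7, "UtcTime": "2024-05-01 10:20:00.000", "ProcessGuid": "{P1}",
     "Image": SVCHOST, "ImageLoaded": "C:\\Users\\Public\\late.dll"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:05.000", "ProcessGuid": "{P2}",
     "Image": SVCHOST, "CommandLine": SVCHOST + " -k LocalService -p -s Dhcp"},
    {"EventID": 7, "UtcTime": "2024-05-01 10:00:05.100", "ProcessGuid": "{P2}",
     "Image": SVCHOST, "ImageLoaded": "C:\\Users\\Public\\unexpected.dll"},
]
KNOWN_DLLS = {"es.dll", "ntdll.dll", "kernel32.dll", "combase.dll"}  # placeholder allow-list
TIMEDELTA = timedelta(seconds=60)  # placeholder window; the rule's value is not on the page

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def find_new_dlls(events, known_dlls=KNOWN_DLLS, window=TIMEDELTA):
    """Return (ProcessGuid, dll, delta_seconds) for non-allow-listed DLLs loaded by the COM Event System svchost."""
    # Stage 17 (join): index Event 1 rows for the EventSystem svchost by ProcessGuid (assumed key).
    starts = {
        e["ProcessGuid"]: _ts(e["UtcTime"]) for e in events
        if e["EventID"] == 1 and e["Image"].lower().endswith("\\svchost.exe")
        and "-s eventsystem" in e["CommandLine"].lower()
    }
    hits = []
    for e in events:
        # Stages 3 and 10: Event 7 rows whose loading image is svchost.exe.
        if e["EventID"] != 7 or not e["Image"].lower().endswith("\\svchost.exe"):
            continue
        start = starts.get(e["ProcessGuid"])
        if start is None:
            continue
        # Stage 19: delta from process start to image load must fall inside the window.
        delta = _ts(e["UtcTime"]) - start
        if delta < timedelta(0) or delta > window:
            continue
        # Stage 20: suppress DLL names on the allow-list.
        dll = e["ImageLoaded"].rsplit("\\", 1)[-1].lower()
        if dll in known_dlls:
            continue
        hits.append((e["ProcessGuid"], dll, delta.total_seconds()))
    return hits
```

Only the load into the EventSystem host within the window and outside the allow-list is returned; the same DLL loaded by the Dhcp svchost and the late load are dropped.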
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | DLL | eq | known_dlls |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventID | eq | 7 |
| Image | ends_with | \\svchost.exe |
| ImageLoadTime | le | ProcessExecutionTime |
| Source | eq | Microsoft-Windows-Sysmon |
| delta | le | timedelta |