Data Source: Sysmon EventID 7

Description

Logs the loading of an image (module) into a process, including details about the image name, file path, and hash information.

Details

Property   | Value
Source     | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype | XmlWinEventLog
Separator  | EventID
Name | Technique | Type
CMLUA Or CMSTPLUA UAC Bypass | CMSTP | TTP
Loading Of Dynwrapx Module | Dynamic-link Library Injection | TTP
MS Scripting Process Loading Ldap Module | JavaScript | Anomaly
MS Scripting Process Loading WMI Module | JavaScript | Anomaly
MSI Module Loaded by Non-System Binary | DLL | Hunting
Spoolsv Suspicious Loaded Modules | Print Processors | TTP
Sunburst Correlation DLL and Network Event | Exploitation for Client Execution | TTP
UAC Bypass MMC Load Unsigned Dll | MMC, Bypass User Account Control | TTP
UAC Bypass With Colorui COM Object | CMSTP | TTP
Wbemprox COM Object Execution | CMSTP | TTP
Windows BitDefender Submission Wizard DLL Sideloading | Hijack Execution Flow | TTP
Windows Credentials Access via VaultCli Module | Windows Credential Manager | Anomaly
Windows DLL Module Loaded in Temp Dir | Ingress Tool Transfer | Hunting
Windows DLL Search Order Hijacking Hunt with Sysmon | DLL | Hunting
Windows DLL Side-Loading In Calc | DLL | TTP
Windows Executable in Loaded Modules | Shared Modules | TTP
Windows Gather Victim Identity SAM Info | Credentials | Hunting
Windows Hijack Execution Flow Version Dll Side Load | DLL | Anomaly
Windows Input Capture Using Credential UI Dll | GUI Input Capture | Hunting
Windows InstallUtil Credential Theft | InstallUtil | TTP
Windows Known Abused DLL Loaded Suspiciously | DLL | TTP
Windows Known GraphicalProton Loaded Modules | DLL | Anomaly
Windows MMC Loaded Script Engine DLL | Reflective Code Loading | Anomaly
Windows NetSupport RMM DLL Loaded By Uncommon Process | Masquerading | Anomaly
Windows Office Product Loaded MSHTML Module | Spearphishing Attachment | Anomaly
Windows Office Product Loading Taskschd DLL | Spearphishing Attachment | Anomaly
Windows Office Product Loading VBE7 DLL | Spearphishing Attachment | Anomaly
Windows Remote Access Software BRC4 Loaded Dll | Remote Access Tools, OS Credential Dumping | Anomaly
Windows Scheduled Task DLL Module Loaded | Scheduled Task/Job | TTP
Windows SpeechRuntime COM Hijacking DLL Load | Distributed Component Object Model | TTP
Windows SqlWriter SQLDumper DLL Sideload | DLL | TTP
Windows Unsigned DLL Side-Loading | DLL | Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path | DLL | TTP
Windows Unsigned MS DLL Side-Loading | DLL, Boot or Logon Autostart Execution | Anomaly
Windows Unusual Process Load Mozilla NSS-Mozglue Module | CMSTP | Anomaly

Supported Apps

Event Fields

  • _time
  • Channel
  • Company
  • Computer
  • Description
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • FileVersion
  • Guid
  • Hashes
  • IMPHASH
  • Image
  • ImageLoaded
  • Keywords
  • Level
  • MD5
  • Name
  • Opcode
  • OriginalFileName
  • ProcessGuid
  • ProcessID
  • ProcessId
  • Product
  • RecordID
  • RecordNumber
  • RuleName
  • SHA256
  • SecurityID
  • Signature
  • SignatureStatus
  • Signed
  • SystemTime
  • System_Props_Xml
  • Task
  • ThreadID
  • TimeCreated
  • User
  • UserID
  • UtcTime
  • Version
  • action
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dvc_nt_host
  • event_id
  • eventtype
  • host
  • id
  • index
  • linecount
  • os
  • parent_process_exec
  • parent_process_guid
  • parent_process_id
  • parent_process_name
  • parent_process_path
  • process_exec
  • process_hash
  • process_name
  • process_path
  • punct
  • service_dll_signature_exists
  • service_dll_signature_verified
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • tag
  • tag::action
  • tag::eventtype
  • timeendpos
  • timestartpos
  • user
  • user_id
  • vendor_product

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>7</EventID><Version>3</Version><Level>4</Level><Task>7</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-09-12T08:06:31.445185300Z'/><EventRecordID>45273</EventRecordID><Correlation/><Execution ProcessID='2464' ThreadID='2888'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-09-12 08:06:31.433</Data><Data Name='ProcessGuid'>{8814F3F5-1C07-6500-9600-000000000E03}</Data><Data Name='ProcessId'>4440</Data><Data Name='Image'>C:\Users\Administrator\AppData\Local\Temp\server.exe</Data><Data Name='ImageLoaded'>C:\Users\Administrator\AppData\Local\Temp\server.exe</Data><Data Name='FileVersion'>-</Data><Data Name='Description'>-</Data><Data Name='Product'>-</Data><Data Name='Company'>-</Data><Data Name='OriginalFileName'>-</Data><Data Name='Hashes'>MD5=696CBE2CB6F7FAC5ED6262BCA51238BB,SHA256=43005D86607DC94C7D378AA1B8844947BAA03860652F2F2340266061AF12E524,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</Data><Data Name='Signed'>false</Data><Data Name='Signature'>-</Data><Data Name='SignatureStatus'>Unavailable</Data><Data Name='User'>ATTACKRANGE\Administrator</Data></EventData></Event>

Required Output Fields

  • Image

  • ImageLoaded

  • dest

  • loaded_file

  • loaded_file_path

  • process_exec

  • process_guid

  • process_hash

  • process_id

  • process_name

  • process_path

  • service_dll_signature_exists

  • service_dll_signature_verified

  • signature

  • signature_id

  • user_id

  • vendor_product
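The following is an added example, not code from the Splunk security content project: it parses the Sysmon EventID 7 XML event shown above into the required output fields listed here, then applies the kind of triage a defender would run on an image-load event (module loaded from a temp directory, loaded image is an .exe rather than a DLL, image unsigned or signature not valid). The sample event is the page's own example log; the mapping from raw Sysmon fields to output fields (for example `Signed` to `service_dll_signature_exists`, `SignatureStatus == 'Valid'` to `service_dll_signature_verified`, and the fixed `vendor_product` value) and the triage rules are assumptions made for this example, not the project's normalisation.

```python
"""Parse a Sysmon EventID 7 (ImageLoad) XML event into the output fields above.

Added example, not Splunk's own code. The field mapping and triage rules are
assumptions; the sample event is copied from the page's Example Log section.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sample event copied from the page (raw string: Windows paths contain backslashes).
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>7</EventID><Version>3</Version><Level>4</Level><Task>7</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-09-12T08:06:31.445185300Z'/><EventRecordID>45273</EventRecordID><Correlation/><Execution ProcessID='2464' ThreadID='2888'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-09-12 08:06:31.433</Data><Data Name='ProcessGuid'>{8814F3F5-1C07-6500-9600-000000000E03}</Data><Data Name='ProcessId'>4440</Data><Data Name='Image'>C:\Users\Administrator\AppData\Local\Temp\server.exe</Data><Data Name='ImageLoaded'>C:\Users\Administrator\AppData\Local\Temp\server.exe</Data><Data Name='FileVersion'>-</Data><Data Name='Description'>-</Data><Data Name='Product'>-</Data><Data Name='Company'>-</Data><Data Name='OriginalFileName'>-</Data><Data Name='Hashes'>MD5=696CBE2CB6F7FAC5ED6262BCA51238BB,SHA256=43005D86607DC94C7D378AA1B8844947BAA03860652F2F2340266061AF12E524,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</Data><Data Name='Signed'>false</Data><Data Name='Signature'>-</Data><Data Name='SignatureStatus'>Unavailable</Data><Data Name='User'>ATTACKRANGE\Administrator</Data></EventData></Event>"""


def win_basename(path):
    """Last component of a Windows path (os.path.basename won't split on '\\' off Windows)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_hashes(hashes):
    """Turn Sysmon's 'MD5=..,SHA256=..,IMPHASH=..' string into a dict keyed by algorithm."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip()] = value.strip()
    return out


def parse_event7(xml_text):
    """Map one XmlWinEventLog Sysmon EventID 7 record to the required output fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    if event_id != 7:
        raise ValueError(f"expected Sysmon EventID 7, got {event_id}")
    # EventData is a flat list of <Data Name='...'>value</Data> elements.
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    image = data.get("Image", "")
    loaded = data.get("ImageLoaded", "")
    return {
        "Image": image,
        "ImageLoaded": loaded,
        "dest": system.findtext("e:Computer", namespaces=NS),
        "loaded_file": win_basename(loaded),
        "loaded_file_path": loaded,
        "process_exec": win_basename(image),
        "process_guid": data.get("ProcessGuid", ""),
        "process_hash": parse_hashes(data.get("Hashes", "")),
        "process_id": int(data.get("ProcessId", "0")),
        "process_name": win_basename(image),
        "process_path": image,
        # Assumed mapping: Signed flag -> exists; SignatureStatus 'Valid' -> verified.
        "service_dll_signature_exists": data.get("Signed", "").lower() == "true",
        "service_dll_signature_verified": data.get("SignatureStatus", "") == "Valid",
        "signature": data.get("Signature", ""),
        "signature_id": event_id,
        "user_id": system.find("e:Security", NS).get("UserID"),
        "vendor_product": "Microsoft Sysmon",  # assumed constant for this source
    }


def review_image_load(fields):
    """Defender-side triage: list the reasons this image load deserves a look."""
    reasons = []
    path = fields["loaded_file_path"].lower()
    if "\\appdata\\local\\temp\\" in path or "\\windows\\temp\\" in path:
        reasons.append("module loaded from a temp directory")
    if fields["loaded_file"].lower().endswith(".exe"):
        reasons.append("loaded image is an executable, not a DLL")
    if not fields["service_dll_signature_exists"]:
        reasons.append("loaded image is unsigned")
    elif not fields["service_dll_signature_verified"]:
        reasons.append("signature present but not reported as Valid")
    return reasons


if __name__ == "__main__":
    parsed = parse_event7(SAMPLE_EVENT)
    for key, value in parsed.items():
        print(f"{key:32} {value}")
    print("triage:", review_image_load(parsed))
```

Run the module directly to print every output field for the sample event and the triage verdict; in a pipeline the same two functions would be applied per record, with `review_image_load` driving the "Temp Dir" and "Executable in Loaded Modules" style hunts listed in the detections table.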


Source: GitHub | Version: 3