Data Source: Sysmon EventID 7

Description

Logs the loading of an image (a DLL or other module) into a process, including the image name, file path, hashes and code-signing status.

Details

Property | Value
Source | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype | XmlWinEventLog
Separator | EventID
Name | Technique | Type
CMLUA Or CMSTPLUA UAC Bypass | CMSTP | TTP
Windows Gather Victim Identity SAM Info | Credentials | Hunting
Windows SqlWriter SQLDumper DLL Sideload | DLL | TTP
Windows DLL Module Loaded in Temp Dir | Ingress Tool Transfer | Hunting
Windows Unsigned MS DLL Side-Loading | Boot or Logon Autostart Execution, DLL | Anomaly
Windows SpeechRuntime COM Hijacking DLL Load | Distributed Component Object Model | TTP
Windows Office Product Loading VBE7 DLL | Spearphishing Attachment | Anomaly
Windows Office Product Loading Taskschd DLL | Spearphishing Attachment | Anomaly
Windows Executable in Loaded Modules | Shared Modules | TTP
Windows Scheduled Task DLL Module Loaded | Scheduled Task/Job | TTP
UAC Bypass MMC Load Unsigned Dll | MMC, Bypass User Account Control | TTP
Windows NetSupport RMM DLL Loaded By Uncommon Process | Masquerading | Anomaly
Windows DLL Side-Loading In Calc | DLL | TTP
Windows Known Abused DLL Loaded Suspiciously | DLL | TTP
Windows Input Capture Using Credential UI Dll | GUI Input Capture | Hunting
Windows Remote Image Load | Command and Scripting Interpreter, Exploitation for Privilege Escalation, Shared Modules, Exploitation for Client Execution | Anomaly
Wbemprox COM Object Execution | CMSTP | TTP
Windows Unsigned DLL Side-Loading In Same Process Path | DLL | TTP
Windows Unusual Process Load Mozilla NSS-Mozglue Module | CMSTP | Anomaly
Windows Credentials Access via VaultCli Module | Windows Credential Manager | Anomaly
Windows Devtunnels Image Loaded | Proxy | Anomaly
Sunburst Correlation DLL and Network Event | Exploitation for Client Execution | TTP
Windows Office Product Loaded MSHTML Module | Spearphishing Attachment | Anomaly
Windows Hijack Execution Flow Version Dll Side Load | DLL | Anomaly
Loading Of Dynwrapx Module | Dynamic-link Library Injection | TTP
Windows InstallUtil Credential Theft | InstallUtil | TTP
MS Scripting Process Loading WMI Module | JavaScript | Anomaly
Windows BitDefender Submission Wizard DLL Sideloading | Hijack Execution Flow | TTP
MS Scripting Process Loading Ldap Module | JavaScript | Anomaly
Windows Unsigned DLL Side-Loading | DLL | Anomaly
UAC Bypass With Colorui COM Object | CMSTP | TTP
MSI Module Loaded by Non-System Binary | DLL | Hunting
Spoolsv Suspicious Loaded Modules | Print Processors | TTP
Windows MMC Loaded Script Engine DLL | Reflective Code Loading | Anomaly
Windows Known GraphicalProton Loaded Modules | DLL | Anomaly
Windows DLL Search Order Hijacking Hunt with Sysmon | DLL | Hunting
Windows Remote Access Software BRC4 Loaded Dll | OS Credential Dumping, Remote Access Tools | Anomaly

Supported Apps

Event Fields

  • _time
  • Channel
  • Company
  • Computer
  • Description
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • FileVersion
  • Guid
  • Hashes
  • IMPHASH
  • Image
  • ImageLoaded
  • Keywords
  • Level
  • MD5
  • Name
  • Opcode
  • OriginalFileName
  • ProcessGuid
  • ProcessID
  • ProcessId
  • Product
  • RecordID
  • RecordNumber
  • RuleName
  • SHA256
  • SecurityID
  • Signature
  • SignatureStatus
  • Signed
  • SystemTime
  • System_Props_Xml
  • Task
  • ThreadID
  • TimeCreated
  • User
  • UserID
  • UtcTime
  • Version
  • action
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dvc_nt_host
  • event_id
  • eventtype
  • host
  • id
  • index
  • linecount
  • os
  • parent_process_exec
  • parent_process_guid
  • parent_process_id
  • parent_process_name
  • parent_process_path
  • process_exec
  • process_hash
  • process_name
  • process_path
  • punct
  • service_dll_signature_exists
  • service_dll_signature_verified
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • tag
  • tag::action
  • tag::eventtype
  • timeendpos
  • timestartpos
  • user
  • user_id
  • vendor_product

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/>
    <EventID>7</EventID>
    <Version>3</Version>
    <Level>4</Level>
    <Task>7</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2023-09-12T08:06:31.445185300Z'/>
    <EventRecordID>45273</EventRecordID>
    <Correlation/>
    <Execution ProcessID='2464' ThreadID='2888'/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>ar-win-dc.attackrange.local</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='RuleName'>-</Data>
    <Data Name='UtcTime'>2023-09-12 08:06:31.433</Data>
    <Data Name='ProcessGuid'>{8814F3F5-1C07-6500-9600-000000000E03}</Data>
    <Data Name='ProcessId'>4440</Data>
    <Data Name='Image'>C:\Users\Administrator\AppData\Local\Temp\server.exe</Data>
    <Data Name='ImageLoaded'>C:\Users\Administrator\AppData\Local\Temp\server.exe</Data>
    <Data Name='FileVersion'>-</Data>
    <Data Name='Description'>-</Data>
    <Data Name='Product'>-</Data>
    <Data Name='Company'>-</Data>
    <Data Name='OriginalFileName'>-</Data>
    <Data Name='Hashes'>MD5=696CBE2CB6F7FAC5ED6262BCA51238BB,SHA256=43005D86607DC94C7D378AA1B8844947BAA03860652F2F2340266061AF12E524,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</Data>
    <Data Name='Signed'>false</Data>
    <Data Name='Signature'>-</Data>
    <Data Name='SignatureStatus'>Unavailable</Data>
    <Data Name='User'>ATTACKRANGE\Administrator</Data>
  </EventData>
</Event>

Required Output Fields

  • Image

  • ImageLoaded

  • dest

  • loaded_file

  • loaded_file_path

  • process_exec

  • process_guid

  • process_hash

  • process_id

  • process_name

  • process_path

  • service_dll_signature_exists

  • service_dll_signature_verified

  • signature

  • signature_id

  • user_id

  • vendor_product
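The following parser shows how the example log above maps onto the required output fields, and applies one hunting check in the spirit of the "Windows DLL Module Loaded in Temp Dir" detection listed on this page. It is an added example, not code from the Splunk add-on; the field derivations (basename of ImageLoaded for loaded_file, Signed for service_dll_signature_exists, SignatureStatus equal to "Valid" for service_dll_signature_verified, the "Microsoft Sysmon" vendor_product value) are assumptions, and the sample event is a trimmed copy of the page's example.

```python
"""Parse one Sysmon Event ID 7 XML record into the output fields this page lists.
Added example; the mappings are my assumptions, not the Splunk add-on's own code."""
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a trimmed copy of the page's example event.
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>7</EventID>
<Computer>ar-win-dc.attackrange.local</Computer></System><EventData>
<Data Name='ProcessGuid'>{8814F3F5-1C07-6500-9600-000000000E03}</Data>
<Data Name='ProcessId'>4440</Data>
<Data Name='Image'>C:\Users\Administrator\AppData\Local\Temp\server.exe</Data>
<Data Name='ImageLoaded'>C:\Users\Administrator\AppData\Local\Temp\server.exe</Data>
<Data Name='Hashes'>MD5=696CBE2CB6F7FAC5ED6262BCA51238BB,SHA256=43005D86607DC94C7D378AA1B8844947BAA03860652F2F2340266061AF12E524,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</Data>
<Data Name='Signed'>false</Data><Data Name='Signature'>-</Data>
<Data Name='SignatureStatus'>Unavailable</Data>
<Data Name='User'>ATTACKRANGE\Administrator</Data></EventData></Event>"""

def parse_event7(xml_text):
    """Return the page's required output fields for one Event ID 7 record."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
        raise ValueError("not a Sysmon Event ID 7 record")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    # Hashes arrives as "ALG=hex,ALG=hex,...": split it into one key per algorithm.
    hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
    exe = ntpath.basename(data["Image"])
    return {
        "Image": data["Image"], "ImageLoaded": data["ImageLoaded"],
        "dest": root.findtext("e:System/e:Computer", namespaces=NS),
        "loaded_file": ntpath.basename(data["ImageLoaded"]),
        "loaded_file_path": data["ImageLoaded"],
        "process_exec": exe, "process_name": exe, "process_path": data["Image"],
        "process_guid": data["ProcessGuid"], "process_id": int(data["ProcessId"]),
        "process_hash": data.get("Hashes", ""), "MD5": hashes.get("MD5"),
        "SHA256": hashes.get("SHA256"), "IMPHASH": hashes.get("IMPHASH"),
        # Signed is the literal string "true"/"false"; only SignatureStatus "Valid" means verified.
        "service_dll_signature_exists": data.get("Signed") == "true",
        "service_dll_signature_verified": data.get("SignatureStatus") == "Valid",
        "signature": data.get("Signature", "-"), "signature_id": 7,
        "user_id": data.get("User"), "vendor_product": "Microsoft Sysmon",
    }

def unsigned_load_from_temp(fields):
    """Hunting check after the page's 'Windows DLL Module Loaded in Temp Dir' detection."""
    return (not fields["service_dll_signature_verified"]
            and "\\appdata\\local\\temp\\" in fields["loaded_file_path"].lower())
```

For the page's example event the check fires: the module is unsigned (SignatureStatus "Unavailable") and was loaded from the user's Temp folder, which is exactly the condition that hunt is built to surface.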


Source: GitHub | Version: 4