Defender-DeviceImageLoadEvents

2 ActionTypes

ActionType	Title
any	Image load (any)
ImageLoaded	Image loaded

any: Image load (any)

Table: DeviceImageLoadEvents

Description

Image load (any)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ActionType`
`FileName`
`FolderPath`
`SHA256`
`InitiatingProcessFileName`

Detection Patterns #

Stealth: DLL

Defender-DeviceImageLoadEvents any: Image loadORSysmon Event ID 7: Image loaded

1 rule

Kusto

DLL Hijacking: Loading from an Unusual Directory (source)

Cyb3rMonk

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`FileCreated`	2 rules	kusto
`EventType`	in	`FileModified`	2 rules	kusto
`EventType`	in	`FileRenamed`	1 rule	kusto
`GlobalPrevalence`	is_null		1 rule	kusto
`GlobalPrevalence`	lt	`200`	2 rules	kusto
`IntegrityLevel`	in	`High`	1 rule	kusto, splunk
`IntegrityLevel`	in	`System`	1 rule	kusto, splunk
`RemoteIPType`	eq	`Public`	1 rule	kusto
`diff`	ne	`[]`	1 rule	kusto
`parent_process_name`	contains	`regsvr32.exe`	1 rule	kusto
`parent_process_name`	contains	`rundll32.exe`	1 rule	kusto
`parent_process_name`	in	`cscript.exe`	1 rule	elastic, kusto, splunk
`parent_process_name`	in	`mshta.exe`	1 rule	elastic, kusto
`parent_process_name`	in	`wscript.exe`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

Hijack Execution Flow - DLL Side-Loading source medium: This detection tries to identify all DLLs loaded by "high integrity" processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process. Of course, we need to do some magic to filter out false positives as much as possible. So any FileCreate/FileModify done by "NT Authoriy\System" and the "RID 500" users aren't interesting. Also, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token elevation. If done with a full elevated token, the user is apparently admin already.
Detect .NET runtime being loaded in JScript for code execution source medium: This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter. All based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript.
Regsvr32 Rundll32 Image Loads Abnormal Extension source high: This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll. Joins the data to public network events. References: https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/

Show 2 more (5 total)

PowerShell without powershell.exe source: This query detects the use of PowerShell through "system.management.automation.dll" which is invoked by a process with a low global prevalence (i.e., fairly unique binary).↳ also matches ImageLoaded: Image loaded
WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation.↳ also matches ImageLoaded: Image loaded

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceimageloadevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceimageloadevents/

ImageLoaded: Image loaded

Table: DeviceImageLoadEvents

Description

Image loaded

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA256`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`GlobalPrevalence`	lt	`100`	2 rules	kusto
`GlobalPrevalence`	lt	`200`	1 rule	kusto
`EventType`	in	`FileRenamed`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

PowerShell without powershell.exe source: This query detects the use of PowerShell through "system.management.automation.dll" which is invoked by a process with a low global prevalence (i.e., fairly unique binary).↳ also matches any: Image load (any)
Suspicious use of CPL file source: This query identifies .cpl files being loaded and verifies if the corresponding file is suspicious by looking at the signature and global prevalence.
WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation.↳ also matches any: Image load (any)

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceimageloadevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceimageloadevents/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Defender-DeviceImageLoadEvents

any: Image load (any)

Description

Fields #

Detection Patterns #

Stealth: DLL

Kusto

Common Indicators #

Detection Rules #

Kusto #

References #

ImageLoaded: Image loaded

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

Keyboard shortcuts

Search operators