Microsoft-Windows-Sysmon Event ID 7
Sigma (123)
- Abusable DLL Potential Sideloading From Suspicious Location
- Amsi.DLL Load By Uncommon Process
- Amsi.DLL Loaded Via LOLBIN Process
- APT PRIVATELOG Image Load Pattern
- Aruba Network Service Potential DLL Sideloading
- BaaUpdate.exe Suspicious DLL Load
- BITS Client BitsProxy DLL Loaded By Uncommon Process
- Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
- CLR DLL Loaded Via Office Applications
- CredUI.DLL Loaded By Uncommon Process
- Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Diamond Sleet APT DLL Sideloading Indicators
- DLL Load By System Process From Suspicious Locations
- DLL Loaded From Suspicious Location Via Cmspt.EXE
- DLL Names Used By SVR For GraphicalProton Backdoor
- DLL Sideloading Of ShellChromeAPI.DLL
- DotNET Assembly DLL Loaded Via Office Application
- DotNet CLR DLL Loaded By Scripting Applications
- Fax Service DLL Search Order Hijack
- FoggyWeb Backdoor DLL Loading
- GAC DLL Loaded Via Office Applications
- HackTool - SharpEvtMute DLL Load
- HackTool - SILENTTRINITY Stager DLL Load
- Kapeka Backdoor Loaded Via Rundll32.EXE
- Katz Stealer DLL Loaded
- Lazarus APT DLL Sideloading Activity
- Load Of RstrtMgr.DLL By A Suspicious Process
- Load Of RstrtMgr.DLL By An Uncommon Process
- Malicious DLL Load By Compromised 3CXDesktopApp
- Microsoft Excel Add-In Loaded
- Microsoft Excel Add-In Loaded From Uncommon Location
- Microsoft Office DLL Sideload
- Microsoft VBA For Outlook Addin Loaded Via Outlook
- Microsoft Word Add-In Loaded
- MMC Loading Script Engines DLLs
- PCRE.NET Package Image Load
- Pingback Backdoor DLL Loading Activity
- Potential 7za.DLL Sideloading
- Potential Antivirus Software DLL Sideloading
- Potential appverifUI.DLL Sideloading
- Potential AVKkid.DLL Sideloading
- Potential Azure Browser SSO Abuse
- Potential CCleanerDU.DLL Sideloading
- Potential CCleanerReactivator.DLL Sideloading
- Potential Chrome Frame Helper DLL Sideloading
- Potential COLDSTEEL Persistence Service DLL Load
- Potential CSharp Streamer RAT Loading .NET Executable Image
- Potential CVE-2024-35250 Exploitation Activity
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
- Potential DLL Sideloading Of DBGCORE.DLL
- Potential DLL Sideloading Of DBGHELP.DLL
- Potential DLL Sideloading Of DbgModel.DLL
- Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
- Potential DLL Sideloading Of MpSvc.DLL
- Potential DLL Sideloading Of MsCorSvc.DLL
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Potential DLL Sideloading Using Coregen.exe
- Potential DLL Sideloading Via ClassicExplorer32.dll
- Potential DLL Sideloading Via comctl32.dll
- Potential DLL Sideloading Via JsSchHlp
- Potential DLL Sideloading Via VMware Xfer
- Potential EACore.DLL Sideloading
- Potential Edputil.DLL Sideloading
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
- Potential Goopdate.DLL Sideloading
- Potential Iviewers.DLL Sideloading
- Potential JLI.dll Side-Loading
- Potential Libvlc.DLL Sideloading
- Potential Mfdetours.DLL Sideloading
- Potential Mpclient.DLL Sideloading
- Potential Python DLL SideLoading
- Potential Raspberry Robin Aclui Dll SideLoading
- Potential Rcdll.DLL Sideloading
- Potential RjvPlatform.DLL Sideloading From Default Location
- Potential RjvPlatform.DLL Sideloading From Non-Default Location
- Potential RoboForm.DLL Sideloading
- Potential ShellDispatch.DLL Sideloading
- Potential SmadHook.DLL Sideloading
- Potential SolidPDFCreator.DLL Sideloading
- Potential System DLL Sideloading From Non System Locations
- Potential Vcruntime140 DLL Sideloading
- Potential Vivaldi_elf.DLL Sideloading
- Potential Waveedit.DLL Sideloading
- Potential Wazuh Security Platform DLL Sideloading
- Potential WWlib.DLL Sideloading
- Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
- PowerShell Core DLL Loaded By Non PowerShell Process
- PowerShell Core DLL Loaded Via Office Application
- Python Image Load By Non-Python Process
- Remote DLL Load Via Rundll32.EXE
- Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32
- Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
- Suspicious Unsigned Thor Scanner Execution
- Suspicious Volume Shadow Copy VSS_PS.dll Load
- Suspicious Volume Shadow Copy Vssapi.dll Load
- Suspicious WSMAN Provider Image Loads
- System Control Panel Item Loaded From Uncommon Location
- System Drawing DLL Load
- Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
- Third Party Software DLL Sideloading
- Time Travel Debugging Utility Usage - Image
- Trusted Path Bypass via Windows Directory Spoofing
- UAC Bypass Using Iscsicpl - ImageLoad
- UAC Bypass With Fake DLL
- Unsigned .node File Loaded
- Unsigned DLL Loaded by Windows Utility
- Unsigned Image Loaded Into LSASS Process
- Unsigned Mfdetours.DLL Sideloading
- Unsigned Module Loaded by ClickOnce Application
- VBA DLL Loaded Via Office Application
- VMGuestLib DLL Sideload
- VMMap Signed Dbghelp.DLL Potential Sideloading
- VMMap Unsigned Dbghelp.DLL Potential Sideloading
- WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
- Windows Spooler Service Suspicious Binary Load
- WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
- WMI Module Loaded By Uncommon Process
- WMI Persistence - Command Line Event Consumer
- WMIC Loading Scripting Libraries
- Wmiprvse Wbemcomn DLL Hijack
Elastic (20)
- Compression DLL Loaded by Unusual Process
- Image Loaded with Invalid Signature
- Outbound Scheduled Task Activity via PowerShell
- Potential Command and Control via Internet Explorer
- Potential Credential Access via Renamed COM+ Services DLL
- Potential Credential Access via Trusted Developer Utility
- Potential Enumeration via Active Directory Web Service
- Potential Masquerading as VLC DLL
- Potential Windows Session Hijacking via CcmExec
- Remote XSL Script Execution via COM
- Suspicious DLL Loaded for Persistence or Privilege Escalation
- Suspicious Module Loaded by LSASS
- Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
- Suspicious WMIC XSL Script Execution
- Unsigned DLL Loaded by a Trusted Process
- Unsigned DLL Loaded by Svchost
- Unsigned DLL Side-Loading from a Suspicious Folder
- Untrusted DLL Loaded by Azure AD Connect Authentication Agent
- Veeam Backup Library Loaded by Unusual Process
- WPS Office Exploitation via DLL Hijack
Splunk (38)
- CMLUA Or CMSTPLUA UAC Bypass
- Loading Of Dynwrapx Module
- MS Scripting Process Loading Ldap Module
- MS Scripting Process Loading WMI Module
- MSI Module Loaded by Non-System Binary
- Potential Follina_DogWalk Activity - mdst.exe (Sysmon)
- Spoolsv Suspicious Loaded Modules
- Sunburst Correlation DLL and Network Event
- UAC Bypass MMC Load Unsigned Dll
- UAC Bypass With Colorui COM Object
- Wbemprox COM Object Execution
- Windows BitDefender Submission Wizard DLL Sideloading
- Windows Credentials Access via VaultCli Module
- Windows Devtunnels Image Loaded
- Windows DLL Module Loaded in Temp Dir
- Windows DLL Search Order Hijacking Hunt with Sysmon
- Windows DLL Side-Loading In Calc
- Windows Executable in Loaded Modules
- Windows Gather Victim Identity SAM Info
- Windows Hijack Execution Flow Version Dll Side Load
- Windows Input Capture Using Credential UI Dll
- Windows InstallUtil Credential Theft
- Windows Known Abused DLL Loaded Suspiciously
- Windows Known GraphicalProton Loaded Modules
- Windows MMC Loaded Script Engine DLL
- Windows NetSupport RMM DLL Loaded By Uncommon Process
- Windows Office Product Loaded MSHTML Module
- Windows Office Product Loading Taskschd DLL
- Windows Office Product Loading VBE7 DLL
- Windows Remote Access Software BRC4 Loaded Dll
- Windows Remote Image Load
- Windows Scheduled Task DLL Module Loaded
- Windows SpeechRuntime COM Hijacking DLL Load
- Windows SqlWriter SQLDumper DLL Sideload
- Windows Unsigned DLL Side-Loading
- Windows Unsigned DLL Side-Loading In Same Process Path
- Windows Unsigned MS DLL Side-Loading
- Windows Unusual Process Load Mozilla NSS-Mozglue Module
Kusto (8)
- COM Event System Loading New DLL
- Detect .NET runtime being loaded in JScript for code execution
- DLL Hijacking: Loading from an Unusual Directory
- Hijack Execution Flow - DLL Side-Loading
- PowerShell without powershell.exe
- Regsvr32 Rundll32 Image Loads Abnormal Extension
- Suspicious use of CPL file
- WinRM Plugin Lateral Movement
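The rules above all key on the same handful of Sysmon Event ID 7 (Image Loaded) fields: the loading process (`Image`), the module it loaded (`ImageLoaded`), and the module's signature state (`Signed`, `SignatureStatus`, plus `OriginalFileName` when a renamed DLL is in play). The Python below is an added example, not code from this page or from any of the Sigma, Elastic, Splunk or Kusto projects listed. It evaluates three deliberately simplified detections, modelled on the "Wmiprvse Wbemcomn DLL Hijack", "Unsigned DLL Side-Loading from a Suspicious Folder" and "Remote DLL Load Via Rundll32.EXE" families, over a set of constructed Event ID 7 records. The rule logic, the user-writable directory list and the sample events are assumptions made for illustration; the upstream rules carry more conditions and exclusions than shown here.

```python
"""Evaluate simplified Sysmon Event ID 7 (image load) detections over constructed records.

Added example; not part of the original page or of the listed rule sets.
Field names follow the Sysmon Event ID 7 schema. The three rules are
simplified illustrations of rule families named on the page, not the
upstream rules themselves.
"""
import ntpath
import re

# Constructed sample events (not real telemetry). Sysmon emits Signed as the
# strings "true"/"false" and SignatureStatus as e.g. "Valid"/"Unavailable".
EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wbem\\wbemcomn.dll",
     "Signed": "true", "SignatureStatus": "Valid", "OriginalFileName": "wbemcomn.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "ImageLoaded": "C:\\Users\\Public\\wbemcomn.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "OriginalFileName": "-"},
    {"EventID": 7, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\Updater.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "OriginalFileName": "-"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "\\\\10.0.0.5\\share\\payload.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "OriginalFileName": "-"},
    {"EventID": 7, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "OriginalFileName": "version.dll"},
]

# Legitimate homes of wbemcomn.dll (assumed list for the illustration).
WBEM_DIRS = ("c:\\windows\\system32\\wbem\\", "c:\\windows\\syswow64\\wbem\\")

# User-writable folders a sideloaded DLL is commonly dropped into (assumed list).
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\appdata\\local\\temp|users\\public|windows\\temp|programdata)\\"
)


def _lower(ev, key):
    """Case-fold a field so path comparisons are case-insensitive, as on NTFS."""
    return str(ev.get(key, "")).lower()


def rule_wbemcomn_hijack(ev):
    """WmiPrvSE.exe loading wbemcomn.dll from anywhere but the system wbem folders."""
    image, loaded = _lower(ev, "Image"), _lower(ev, "ImageLoaded")
    return (image.endswith("\\wmiprvse.exe")
            and loaded.endswith("\\wbemcomn.dll")
            and not loaded.startswith(WBEM_DIRS))


def rule_unsigned_sideload_same_dir(ev):
    """Unsigned DLL loaded from a user-writable folder, co-located with the loading EXE."""
    image, loaded = _lower(ev, "Image"), _lower(ev, "ImageLoaded")
    if _lower(ev, "Signed") != "false" or not loaded.endswith(".dll"):
        return False
    return bool(USER_WRITABLE.match(loaded)) and ntpath.dirname(image) == ntpath.dirname(loaded)


def rule_remote_dll_rundll32(ev):
    """rundll32.exe loading a module from a UNC path (remote share)."""
    image, loaded = _lower(ev, "Image"), _lower(ev, "ImageLoaded")
    return image.endswith("\\rundll32.exe") and loaded.startswith("\\\\")


RULES = {
    "Wmiprvse Wbemcomn DLL Hijack": rule_wbemcomn_hijack,
    "Unsigned DLL Side-Loading From User-Writable Folder": rule_unsigned_sideload_same_dir,
    "Remote DLL Load Via Rundll32": rule_remote_dll_rundll32,
}


def evaluate(events=EVENTS):
    """Return {rule name: [indices of matching Event ID 7 records]}."""
    hits = {}
    for idx, ev in enumerate(events):
        if ev.get("EventID") != 7:
            continue
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(idx)
    return hits


if __name__ == "__main__":
    for name, idxs in evaluate().items():
        for i in idxs:
            print(f"[{name}] {EVENTS[i]['Image']} -> {EVENTS[i]['ImageLoaded']}")
```

Each rule is a pure function over one record, which is how the listed rule sets behave: Event ID 7 carries no process tree or network context, so anything that needs a parent process or a later connection (the Splunk "Sunburst Correlation DLL and Network Event" entry, for instance) has to join this event against others rather than match it alone. The case-folding matters in practice because Sysmon records paths as the loader supplied them, and attackers routinely vary case to slip past case-sensitive string matches.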