Load an image (ImageLoad)

ImageLoad

This event is logged when a module is loaded into a specific process. It records the process into which the module was loaded, the module's hashes and its signature information. The signature is verified asynchronously for performance reasons, and the event also indicates whether the file was removed after loading. This event should be configured carefully, as monitoring all image load events will generate a very large number of events.
 
An initial attempt to query for ImageLoad events in OrientDB returned 0 results.
When looking into Event Viewer, I was able to see ImageLoad events being logged by Sysmon. This meant that the likely reason they were not being logged was the configuration of Sysmon. Looking into the config, we can see that Sysmon is configured to exclude signed Microsoft drivers.
This is done to significantly reduce the amount of pointless data to collect and process. The host agent, DFPM.exe, then has a much smaller set of events to deal with, because each ProcessCreate can be followed by a very large number of DLL loads (ImageLoad). Our main concern is with DLLs written to disk that have the "wrong" ownership. Hence, in the clean Windows VM, we are unable to see any ImageLoad events.
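The following Sysmon configuration fragment illustrates the exclusion described above: with `onmatch="exclude"`, every image load is logged except those matching the rules, so a clean VM whose loads are all validly Microsoft-signed produces no Event ID 7 records, while a DLL dropped to disk without such a signature does. This is an added example, not the configuration shown in the page's missing screenshot; the schema version, rule names and the SignatureStatus check are assumptions.

```xml
<Sysmon schemaversion="4.81">
  <!-- Illustrative ImageLoad (Event ID 7) filtering; not the page's own config. -->
  <EventFiltering>
    <!-- Rules in an "exclude" block drop matching loads; everything else is logged. -->
    <RuleGroup name="ImageLoad - drop Microsoft-signed images" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <!-- Compound rule: both conditions must hold for the load to be excluded.
             Requiring SignatureStatus=Valid avoids excluding a file whose signer
             string merely contains "Microsoft" but whose signature does not verify. -->
        <Rule groupRelation="and" name="Valid Microsoft signature">
          <Signature condition="contains">Microsoft</Signature>
          <SignatureStatus condition="is">Valid</SignatureStatus>
        </Rule>
        <Rule groupRelation="and" name="Valid Windows signature">
          <Signature condition="contains">Windows</Signature>
          <SignatureStatus condition="is">Valid</SignatureStatus>
        </Rule>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply it with `sysmon -c <file>` and then check Applications and Services Logs > Microsoft > Windows > Sysmon > Operational for Event ID 7: on a clean VM the log stays empty, and a non-Microsoft or unsigned DLL load is the first thing that appears.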
 
Sysmon config files: