SOC Event Lookup
Event ID 7ImageP2

Sysmon Event ID 7: Image loaded

Sysmon Event ID 7 records every DLL or executable image loaded into a process's address space, capturing the loading process, the loaded file path, its hashes, and its Authenticode signature status.

Applicable version
Sysmon 1.0 and later (ImageLoad must be enabled in Sysmon config)
Last reviewed
2026-07-12

Trigger Scenarios

Sysmon generates Event ID 7 on every LoadLibrary-family call when ImageLoad monitoring is enabled. Volume is extremely high on active systems; Sysmon configurations almost always filter this event down to high-value targets such as lsass.exe, security tools, or untrusted load paths.

Key Fields

ImageLoaded

Full path of the DLL or image being loaded. A load from %TEMP%, %APPDATA%, %USERPROFILE%, or a UNC path into a privileged process is the central indicator of DLL hijacking or side-loading.

SignatureStatus / Signed

Authenticode validation result. Signed=false or SignatureStatus other than "Valid" for a DLL loaded into a security-sensitive process (lsass.exe, svchost.exe, explorer.exe) means an unsigned image entered a high-privilege address space.

Image

The process loading the DLL. lsass.exe loading a non-system DLL, or a signed Windows binary loading from an unexpected path, are the archetypal patterns for credential-access tooling and defense-evasion via DLL side-loading.

OriginalFileName

The filename embedded in the DLL's version resource. A mismatch between OriginalFileName and the on-disk filename (e.g., a file named version.dll whose OriginalFileName is calc.dll) reveals a renamed masquerading DLL.

Hashes

SHA256/IMPHASH of the loaded image. Cross-reference against threat-intelligence blocklists and LOLBins lists to identify known-malicious or abusable libraries.

Common False Positives

  • Software installers temporarily extract DLLs to %TEMP% before loading them; short-lived loads during installation are generally benign.
  • Some legitimate applications load DLLs from user profile directories by design (e.g., browser plugins, certain Java JREs).
  • Developer tools and debuggers load unsigned DLLs for legitimate instrumentation purposes.

Related Events

MITRE ATT&CK Mapping

  • T1574.001Hijack Execution Flow: DLL Search Order Hijacking
  • T1055.001Process Injection: Dynamic-link Library Injection

Detection Notes

T1574.001 DLL hijacking is concrete when Image is a signed system binary but ImageLoaded is an unsigned DLL from C:\\Users\\, C:\\ProgramData\\, or C:\\Temp\\. Sysmon Event 7 is disabled by default, so collection scope must be explicit.

Microsoft Sentinel KQL
Sysmon
| where EventID == 7
| where Image endswith "\\lsass.exe" and SignatureStatus != "Valid"
| project TimeGenerated, Computer, Image, ImageLoaded, Signed, SignatureStatus, Hashes
Splunk SPL
index=sysmon EventCode=7 Image="*\lsass.exe" SignatureStatus!=Valid
| table _time, host, Image, ImageLoaded, Signed, SignatureStatus, Hashes
Sample Log
UtcTime: 2026-07-12 11:03:45.882
ProcessGuid: {11111111-2222-3333-4444-555555555555}
ProcessId: 812
Image: C:\Windows\System32\lsass.exe
ImageLoaded: C:\Windows\Temp\dbghelp.dll
Hashes: SHA256=REDACTED
Signed: false
Signature: -
SignatureStatus: Unsigned
User: NT AUTHORITY\SYSTEM
OriginalFileName: dbghelp.dll

Source