Sysmon Event ID 6: Driver loaded
Sysmon Event ID 6 records that a kernel driver was loaded, including the driver's image path, hashes, and Authenticode signature status.
- Applicable version
- Sysmon 2.0 and later
- Last reviewed
- 2026-07-12
Trigger Scenarios
Sysmon logs Event ID 6 whenever the kernel loads a driver, whether at boot from a legitimate hardware or security vendor, or later through a service installation or an exploited signed driver used to gain kernel access (Bring Your Own Vulnerable Driver, BYOVD).
Key Fields
SignatureStatus
Sysmon's verified Authenticode validation result. A value other than "Valid" (for example "Unsigned" or "Invalid") on a driver load is the direct signal that the kernel accepted unsigned or improperly signed code, which standard Driver Signature Enforcement should have blocked unless test signing or a policy exception is active.
Signed
Boolean companion to SignatureStatus; Signed=false paired with a driver loading from outside %SystemRoot%\System32\drivers is materially higher risk than an unsigned driver in a standard location.
Hashes
SHA256/IMPHASH of the driver image. Match this value against known-vulnerable driver hash lists (LOLDrivers) to catch signed-but-abusable drivers that pass signature checks yet are documented BYOVD vectors.
ImageLoaded
Full path of the driver file. A driver loading from a user-writable path such as %TEMP% or %APPDATA% instead of the driver store is inconsistent with legitimate installation.
Common False Positives
- New hardware installations and Windows Update driver rollouts generate legitimate Event ID 6 records for signed drivers from standard paths.
- Security and virtualization vendors ship their own signed kernel drivers that load at every boot.
- Test-signed drivers on developer workstations with test signing mode enabled will show SignatureStatus other than Valid without malicious intent.
Related Events
MITRE ATT&CK Mapping
- T1547.006Boot or Logon Autostart Execution: Kernel Modules and Extensions
Detection Notes
DriverLoad is high risk when SignatureStatus is Invalid or Unavailable and ImageLoaded is outside C:\\Windows\\System32\\drivers\\, or when Hashes match a known vulnerable driver. T1547.006 kernel-module abuse can then bypass user-mode controls.
Sysmon
| where EventID == 6
| where SignatureStatus != "Valid"
| project TimeGenerated, Computer, ImageLoaded, Signed, SignatureStatus, Hashesindex=sysmon EventCode=6 SignatureStatus!=Valid
| table _time, host, ImageLoaded, Signed, SignatureStatus, HashesUtcTime: 2026-07-12 08:41:19.005
ImageLoaded: C:\Windows\Temp\gdrv.sys
Hashes: SHA256=REDACTED
Signed: false
Signature: -
SignatureStatus: Unsigned