Sysmon Event ID 7: Image loaded
Sysmon Event ID 7 records every DLL or executable image loaded into a process's address space, capturing the loading process, the loaded file path, its hashes, and its Authenticode signature status.
- Applicable version
- Sysmon 1.0 and later (ImageLoad must be enabled in Sysmon config)
- Last reviewed
- 2026-07-12
Trigger Scenarios
Sysmon generates Event ID 7 on every LoadLibrary-family call when ImageLoad monitoring is enabled. Volume is extremely high on active systems; Sysmon configurations almost always filter this event down to high-value targets such as lsass.exe, security tools, or untrusted load paths.
Key Fields
ImageLoaded
Full path of the DLL or image being loaded. A load from %TEMP%, %APPDATA%, %USERPROFILE%, or a UNC path into a privileged process is the central indicator of DLL hijacking or side-loading.
SignatureStatus / Signed
Authenticode validation result. Signed=false or SignatureStatus other than "Valid" for a DLL loaded into a security-sensitive process (lsass.exe, svchost.exe, explorer.exe) means an unsigned image entered a high-privilege address space.
Image
The process loading the DLL. lsass.exe loading a non-system DLL, or a signed Windows binary loading from an unexpected path, are the archetypal patterns for credential-access tooling and defense-evasion via DLL side-loading.
OriginalFileName
The filename embedded in the DLL's version resource. A mismatch between OriginalFileName and the on-disk filename (e.g., a file named version.dll whose OriginalFileName is calc.dll) reveals a renamed masquerading DLL.
Hashes
SHA256/IMPHASH of the loaded image. Cross-reference against threat-intelligence blocklists and LOLBins lists to identify known-malicious or abusable libraries.
Common False Positives
- Software installers temporarily extract DLLs to %TEMP% before loading them; short-lived loads during installation are generally benign.
- Some legitimate applications load DLLs from user profile directories by design (e.g., browser plugins, certain Java JREs).
- Developer tools and debuggers load unsigned DLLs for legitimate instrumentation purposes.
Related Events
MITRE ATT&CK Mapping
- T1574.001Hijack Execution Flow: DLL Search Order Hijacking
- T1055.001Process Injection: Dynamic-link Library Injection
Detection Notes
T1574.001 DLL hijacking is concrete when Image is a signed system binary but ImageLoaded is an unsigned DLL from C:\\Users\\, C:\\ProgramData\\, or C:\\Temp\\. Sysmon Event 7 is disabled by default, so collection scope must be explicit.
Sysmon
| where EventID == 7
| where Image endswith "\\lsass.exe" and SignatureStatus != "Valid"
| project TimeGenerated, Computer, Image, ImageLoaded, Signed, SignatureStatus, Hashesindex=sysmon EventCode=7 Image="*\lsass.exe" SignatureStatus!=Valid
| table _time, host, Image, ImageLoaded, Signed, SignatureStatus, HashesUtcTime: 2026-07-12 11:03:45.882
ProcessGuid: {11111111-2222-3333-4444-555555555555}
ProcessId: 812
Image: C:\Windows\System32\lsass.exe
ImageLoaded: C:\Windows\Temp\dbghelp.dll
Hashes: SHA256=REDACTED
Signed: false
Signature: -
SignatureStatus: Unsigned
User: NT AUTHORITY\SYSTEM
OriginalFileName: dbghelp.dll