Module
Modules correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a module and shared libraries (DLLs in Windows) and their dependencies.
Actions
| Action | Description |
|---|---|
| load | A module load event occurs when a PE image (dll or exe) is loaded into a process. |
| unload | When the module is unloaded from memory, upon destruction of the process or by calling an API such as FreeLibrary, the unload event is triggered. |
Fields
|Field|Description|Example|
|—|—|—|
|base_address|A hex address indicating where the module is loaded into the process’s virtual address space|0xFFFFF8000405F000
|fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM
|hostname|The hostname of the active host, without the domain.|HOST1
|image_path|The file system location of the process image.|C:\path\to\example.exe
|md5_hash|The MD5 hash of the contents of the file located at module_path. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3
|module_path|The full file system path to the module loaded into the memory space of the process.|C:\windows\system32\kernel32.exe
|module_name|The name of the file where the module is loaded on disk. This is also the string that is used internally by the program to lookup information about the module.|kernel32.exe
|pid|Process ID of the process in which the module is loaded (or unloaded).|738
|sha1_hash|The SHA1 hash of the contents of the file located at image_path.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
|sha256_hash|The SHA256 hash of the contents of the file located at image_path.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728
|signer|The name of the organization which signed the module.|Microsoft Corporation
|tid|The thread ID of the thread responsible for the load or unload event.|50
Coverage Map
| base_address | fqdn | hostname | image_path | md5_hash | module_name | module_path | pid | sha1_hash | sha256_hash | signer | tid | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| load | Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) | Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) | Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) | Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) | Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) | Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) | Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) | Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) | ||||
| unload |