Sysmon Event ID 6

Source: Sysmon

6: Driver loaded

This is an event from Sysmon.


The driver loaded event provides information about a driver being loaded on the system. The configured hashes are provided, as well as signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading.


Description Fields in 6

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • UtcTime
  • ImageLoaded
  • Hashes
  • Signed
  • Signature
  • SignatureStatus


Examples of 6

Driver loaded:
UtcTime: 2017-04-28 21:33:47.345
ImageLoaded: C:\Windows\System32\drivers\usbscan.sys
Hashes: SHA256=D97DB59C9CAE2B8B33C707E8CEA7A65BF88712842CC715D270F7432A99D21BB6
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

 

Event XML:
 
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
        <EventID>6</EventID>
        <Version>3</Version>
        <Level>4</Level>
        <Task>6</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-04-28T21:33:47.350855600Z" />
        <EventRecordID>2864</EventRecordID>
        <Correlation />
        <Execution ProcessID="3216" ThreadID="3980" />
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>rfsH.lab.local</Computer>
        <Security UserID="S-1-5-18" />
    </System>
    <EventData>
        <Data Name="UtcTime">2017-04-28 21:33:47.345</Data>
        <Data Name="ImageLoaded">C:\Windows\System32\drivers\usbscan.sys</Data>
        <Data Name="Hashes">SHA256=D97DB59C9CAE2B8B33C707E8CEA7A65BF88712842CC715D270F7432A99D21BB6</Data>
        <Data Name="Signed">true</Data>
        <Data Name="Signature">Microsoft Windows</Data>
        <Data Name="SignatureStatus">Valid</Data>
    </EventData>
</Event>
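
To show how these fields can be used for triage, the following added example (not part of the original page) parses Event ID 6 XML and flags driver loads that are unsigned or whose SignatureStatus is not Valid. The second sample event, its path, hashes and status value are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_driver_load(xml_text):
    """Return the EventData fields of a Sysmon Event ID 6 record, or None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None
    rec = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    rec["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    # Hashes holds one ALGO=VALUE pair per configured algorithm, comma-separated.
    rec["Hashes"] = dict(h.split("=", 1) for h in rec.get("Hashes", "").split(",") if "=" in h)
    return rec

def review_reasons(rec):
    """List why a driver load deserves analyst review (empty list = nothing flagged)."""
    reasons = []
    if rec.get("Signed", "").lower() != "true":
        reasons.append("unsigned")
    if rec.get("SignatureStatus") != "Valid":
        reasons.append("signature status: " + (rec.get("SignatureStatus") or "missing"))
    return reasons

# Constructed sample input: the page's usbscan.sys event, then a made-up unsigned driver.
EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
         '<System><EventID>6</EventID><Computer>rfsH.lab.local</Computer></System><EventData>'
         '<Data Name="UtcTime">2017-04-28 21:33:47.345</Data>'
         '<Data Name="ImageLoaded">{image}</Data><Data Name="Hashes">{hashes}</Data>'
         '<Data Name="Signed">{signed}</Data><Data Name="Signature">{signature}</Data>'
         '<Data Name="SignatureStatus">{status}</Data></EventData></Event>')
SAMPLES = [
    EVENT.format(image=r"C:\Windows\System32\drivers\usbscan.sys",
                 hashes="SHA256=D97DB59C9CAE2B8B33C707E8CEA7A65BF88712842CC715D270F7432A99D21BB6",
                 signed="true", signature="Microsoft Windows", status="Valid"),
    EVENT.format(image=r"C:\Users\Public\example.sys",  # constructed path
                 hashes="MD5=" + "0" * 32 + ",SHA256=" + "0" * 64,  # constructed hashes
                 signed="false", signature="-", status="Unavailable"),
]

def triage(events):
    """Return (ImageLoaded, reasons) for every flagged driver load."""
    flagged = []
    for xml_text in events:
        rec = parse_driver_load(xml_text)
        if rec and review_reasons(rec):
            flagged.append((rec["ImageLoaded"], review_reasons(rec)))
    return flagged

if __name__ == "__main__":
    for image, reasons in triage(SAMPLES):
        print(image, "->", ", ".join(reasons))
```

Because the signature is created asynchronously, treat a non-Valid status as a prompt to check the file and its hash rather than as a verdict on its own.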
