EDR: What generates a Modload event?

Article ID: 288062


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

What actions generate a modload event?

Environment

  • EDR: All Supported Versions

Resolution

A modinfo event can be generated in two ways:
  1. Executing a binary of any kind.
  2. If a binary executes and loads another sys, exe, dll or other binary file.
For example, if you rename powershell.exe to something else and then execute it, a modinfo event is stored for that execution (based on #1 above). If that powershell execution also loads another exe, dll, etc., a second modinfo event is generated (based on #2 above).