No ImageLoad events

[pownkel]

Describe the bug I'm experimenting with using sysmon to monitor builds. On Windows, I get plenty of ImageLoad events (event ID 7) when building and running a dotnet package, but I'm not getting any at all on Linux, even if I use dotnet to directly run the built .dll file. Is it expected that I wouldn't see these events on Linux?

To Reproduce

1. Create a new, empty c# console app with Visual Studio
2. Start sysmon with the config below
3. Using the dotnet CLI, build and run the new C# app
4. Open /var/log/syslog, search for "7, and observe that there are no results.

Sysmon version v1.3.2

Distro/kernel version Ubuntu 22.04

Sysmon configuration

<Sysmon schemaversion="4.50">
    <HashAlgorithms>sha256</HashAlgorithms>

    <EventFiltering>
        <RuleGroup name="" groupRelation="or">
            <ImageLoad onmatch="exclude">
                <!-- log all ImageLoad events -->
            </ImageLoad>
        </RuleGroup>
    </EventFiltering>
</Sysmon>

Logs N/A (not much to see other than a lot of events that aren't ImageLoads)

Expected behavior ImageLoad events are logged for .dlls loaded by dotnet

[MarioHewardt]

Hi - thanks for reaching out.

We don't support Image Load (7) yet in Sysmon for Linux. It's on the list of events to be added (no timeline yet). The events we do support today are:

• Service state change (4)
• Service configuration change (16)
• Process create (1)
• Process terminate (5)
• Network connection (3)
• File create (11)
• File delete (23)
• Raw access read (9)
• Access process (10)