T1652: Device Driver Discovery

Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).

Many OS utilities may provide information about local device drivers, such as driverquery.exe and the EnumDeviceDrivers() API function on Windows. Information about device drivers (as well as associated services, i.e., System Service Discovery) may also be available in the Registry.

On Linux/macOS, device drivers (in the form of kernel modules) may be visible within /dev or using utilities such as lsmod and modinfo.

Detection

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands (lsmod, driverquery, etc.) with arguments highlighting potentially malicious attempts to enumerate device drivers.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Access
Description: Monitor for attempts to access information stored in the Registry about devices and their associated drivers, such as values under HKLM\SYSTEM\CurrentControlSet\Services and HKLM\SYSTEM\CurrentControlSet\HardwareProfiles.

ID: DS0009
Data source and component: Process: OS API Execution
Description: Monitor for API calls (such as EnumDeviceDrivers()) that may attempt to gather information about local device drivers.

ID: DS0009
Data source and component: Process: Process Creation
Description: Monitor processes (lsmod, driverquery.exe, etc.) for events that may highlight potentially malicious attempts to enumerate device drivers.
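The detection logic above, as an added example that is not part of the ATT&CK page: a small Python matcher that runs the Process Creation and Windows Registry Key Access checks over constructed telemetry. The event field names (type, image, cmdline, key, user) and the user-writable-path severity heuristic are assumptions, not a real sensor schema.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (field names are assumptions, not a real schema):
# process-creation events and Registry key-access events from two hosts.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\driverquery.exe",
     "cmdline": "driverquery /v /fo csv", "user": r"CORP\jdoe"},
    {"type": "process", "image": "/usr/sbin/lsmod", "cmdline": "lsmod", "user": "www-data"},
    {"type": "process", "image": "/usr/sbin/modinfo", "cmdline": "modinfo e1000", "user": "root"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\WdFilter",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "user": r"CORP\jdoe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "image": r"C:\Windows\explorer.exe", "user": r"CORP\jdoe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "user": r"CORP\jdoe"},
]

# Utilities the page lists as driver-enumeration tools (DS0017 / DS0009).
DRIVER_ENUM_TOOLS = {"driverquery.exe", "driverquery", "lsmod", "modinfo"}
# Registry locations the page lists for driver and service data (DS0024), lower-cased.
DRIVER_REG_PREFIXES = (
    r"hklm\system\currentcontrolset\services",
    r"hklm\system\currentcontrolset\hardwareprofiles",
)
# Assumed triage heuristic: an image launched from a user-writable directory rates higher.
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads)\\", re.IGNORECASE)

def _basename(path: str) -> str:
    """Last path element, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def flag_driver_discovery(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event that matches a T1652 detection from the page."""
    alerts = []
    for ev in events:
        if ev["type"] == "process" and _basename(ev["image"]) in DRIVER_ENUM_TOOLS:
            alerts.append({"technique": "T1652", "component": "Process Creation",
                           "detail": ev["cmdline"], "user": ev["user"]})
        elif ev["type"] == "registry" and ev["key"].lower().startswith(DRIVER_REG_PREFIXES):
            severity = "high" if USER_WRITABLE.search(ev["image"]) else "low"
            alerts.append({"technique": "T1652", "component": "Windows Registry Key Access",
                           "detail": f"{ev['image']} -> {ev['key']}", "user": ev["user"],
                           "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in flag_driver_discovery(SAMPLE_EVENTS):
        print(alert)
```

Against the sample events this yields three Process Creation alerts (driverquery, lsmod, modinfo) and one high-severity Registry alert; the Run-key access and notepad launch are left alone.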