T1652: Device Driver Discovery
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).
Many OS utilities may provide information about local device drivers, such as driverquery.exe
and the EnumDeviceDrivers()
API function on Windows. Information about device drivers (as well as associated services, i.e., System Service Discovery) may also be available in the Registry.
On Linux/macOS, device drivers (in the form of kernel modules) may be visible within /dev
or using utilities such as lsmod
and modinfo
.
Detection
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands ( |
---|
ID | DS0024 | Data source and component | Windows Registry: Windows Registry Key Access | Description | Monitor for attempts to access information stored in the Registry about devices and their associated drivers, such as values under |
---|
ID | DS0009 | Data source and component | Process: OS API Execution | Description | Monitor for API calls (such as |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor processes ( |
---|