Матрица MITRE ATT&CK

Technique on mitre.org

T1652: Device Driver Discovery

Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).

Many OS utilities may provide information about local device drivers, such as driverquery.exe and the EnumDeviceDrivers() API function on Windows. Information about device drivers (as well as associated services, i.e., System Service Discovery) may also be available in the Registry.

On Linux/macOS, device drivers (in the form of kernel modules) may be visible within /dev or using utilities such as lsmod and modinfo.

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands (`lsmod`, `driverquery`, etc.) with arguments highlighting potentially malicious attempts to enumerate device drivers.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Access	Description	Monitor for attempts to access information stored in the Registry about devices and their associated drivers, such as values under `HKLM\SYSTEM\CurrentControlSet\Services` and `HKLM\SYSTEM\CurrentControlSet\HardwareProfiles`.

ID	DS0009	Data source and component	Process: OS API Execution	Description	Monitor for API calls (such as `EnumDeviceDrivers()`) that may attempt to gather information about local device drivers.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor processes (`lsmod`, `driverquery.exe`, etc.) for events that may highlight potentially malicious attempts to enumerate device drivers.

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands (`lsmod`, `driverquery`, etc.) with arguments highlighting potentially malicious attempts to enumerate device drivers.
DS0024	Windows Registry: Windows Registry Key Access	Monitor for attempts to access information stored in the Registry about devices and their associated drivers, such as values under `HKLM\SYSTEM\CurrentControlSet\Services` and `HKLM\SYSTEM\CurrentControlSet\HardwareProfiles`.
DS0009	Process: OS API Execution	Monitor for API calls (such as `EnumDeviceDrivers()`) that may attempt to gather information about local device drivers.
DS0009	Process: Process Creation	Monitor processes (`lsmod`, `driverquery.exe`, etc.) for events that may highlight potentially malicious attempts to enumerate device drivers.