Description
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).
Many OS utilities may provide information about local device drivers, such as driverquery.exe and the EnumDeviceDrivers() API function on Windows.(Citation: Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about device drivers (as well as associated services, i.e., System Service Discovery) may also be available in the Registry.(Citation: Microsoft Registry Drivers)
On Linux/macOS, device drivers (in the form of kernel modules) may be visible within /dev or using utilities such as lsmod and modinfo.(Citation: Linux Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)
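A detection-side illustration of the enumeration methods listed above, added here and not part of the ATT&CK page: it scans process-creation telemetry for the utilities the page names (driverquery, lsmod, modinfo) and for `reg query` reads of the `HKLM\Software\WBEM\WDM` key cited in the HOPLIGHT entry. The pipe-separated log layout and every sample event are constructed for this example.

```python
"""Added example, not from the ATT&CK page: flag process-creation telemetry that
matches the enumeration methods the page names (driverquery, lsmod, modinfo and
Registry queries of the WBEM\\WDM key). Log layout and events are constructed."""
import re

FIELDS = ("ts", "host", "user", "parent", "image", "cmdline")  # assumed layout

# Utilities cited on the page, matched against the lowercased process image path.
IMAGE_INDICATORS = [
    ("driverquery utility", re.compile(r"(^|[\\/])driverquery(\.exe)?$")),
    ("lsmod utility", re.compile(r"(^|/)lsmod$")),
    ("modinfo utility", re.compile(r"(^|/)modinfo$")),
]
# Registry path cited on the page (HOPLIGHT entry), matched in 'reg query' command lines.
REG_QUERY = re.compile(r"\breg(\.exe)?\s+query\b.*hklm\\software\\wbem\\wdm", re.IGNORECASE)

def parse_event(line: str) -> dict:
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed event: {line!r}")
    return dict(zip(FIELDS, parts))

def classify(event: dict):
    """Return a T1652 finding for one event, or None if it is not driver discovery."""
    image = event["image"].lower()
    for label, pattern in IMAGE_INDICATORS:
        if pattern.search(image):
            return _finding(event, label)
    if REG_QUERY.search(event["cmdline"]):
        return _finding(event, "Registry query of HKLM\\Software\\WBEM\\WDM")
    return None  # e.g. listing /dev is routine and too noisy to alert on by itself

def _finding(event: dict, indicator: str) -> dict:
    return {"technique": "T1652", "indicator": indicator, "host": event["host"],
            "user": event["user"], "parent": event["parent"], "cmdline": event["cmdline"]}

def scan(lines) -> list:
    """Run classify() over raw log lines and return the findings in log order."""
    return [f for f in (classify(parse_event(l)) for l in lines if l.strip()) if f]

SAMPLE_EVENTS = [  # constructed telemetry, not from any real host
    "2024-05-01T10:00:01Z|WS01|corp\\alice|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
    "2024-05-01T10:02:13Z|WS01|corp\\alice|cmd.exe|C:\\Windows\\System32\\driverquery.exe|driverquery /v /fo csv",
    "2024-05-01T10:02:40Z|WS01|corp\\alice|cmd.exe|C:\\Windows\\System32\\reg.exe|reg query HKLM\\Software\\WBEM\\WDM /s",
    "2024-05-01T10:05:00Z|SRV02|root|bash|/usr/sbin/lsmod|lsmod",
    "2024-05-01T10:05:02Z|SRV02|root|bash|/usr/sbin/modinfo|modinfo e1000e",
    "2024-05-01T10:06:00Z|SRV02|root|bash|/usr/bin/ls|ls -l /dev",
]
```

Calling `scan(SAMPLE_EVENTS)` yields four findings (driverquery, the Registry query, lsmod, modinfo) and ignores the notepad and `ls /dev` events; in practice the parent process and user fields are what separate an administrator's inventory run from post-compromise reconnaissance.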
Platforms
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has queried drivers on the victim device through the command `driverquery`.(Citation: CISA Medus... |
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S0376 | HOPLIGHT | Malware | [HOPLIGHT](https://attack.mitre.org/software/S0376) can enumerate device drivers located in the registry at `HKLM\Software\WBEM\WDM`.(Citation: US-CER... |
| S1139 | INC Ransomware | Malware | [INC Ransomware](https://attack.mitre.org/software/S1139) can verify the presence of specific drivers on compromised hosts including Microsoft Print t... |
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) has a plugin to detect active drivers of some security products.(Citation: Kaspersky ProjectSauron T... |
References
- Kerrisk, M. (2022, December 18). lsmod(8) — Linux manual page. Retrieved March 28, 2023.
- Microsoft. (2021, December 14). Registry Trees for Devices and Drivers. Retrieved March 28, 2023.
- Microsoft. (2021, October 12). EnumDeviceDrivers function (psapi.h). Retrieved March 28, 2023.
- Microsoft. (n.d.). driverquery. Retrieved March 28, 2023.
- Pomerantz, O., Salzman, P. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.
- Russell, R. (n.d.). modinfo(8) - Linux man page. Retrieved March 28, 2023.
Frequently Asked Questions
What is T1652 (Device Driver Discovery)?
T1652 is a MITRE ATT&CK technique named 'Device Driver Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose...
How can T1652 be detected?
Detection of T1652 (Device Driver Discovery) typically involves monitoring endpoint telemetry (process creation and command lines for utilities such as driverquery.exe, lsmod and modinfo, calls to APIs such as EnumDeviceDrivers(), and reads of driver-related Registry keys), together with system logs and network traffic. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious enumeration activity associated with this technique.
What mitigations exist for T1652?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1652?
Known threat groups using T1652 include: Medusa Group.