Skip to content

DS0027 Driver

A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used12

Item Value
ID DS0027
Platforms Linux, Windows, macOS
Collection Layers Host
Version 1.0
Created 20 October 2021
Last Modified 30 March 2022

Data Components

Driver Load

Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)

Domain ID Name
enterprise T1547 Boot or Logon Autostart Execution
enterprise T1547.008 LSASS Driver
enterprise T1547.012 Print Processors
enterprise T1543 Create or Modify System Process
enterprise T1543.003 Windows Service
enterprise T1561 Disk Wipe
enterprise T1561.001 Disk Content Wipe
enterprise T1561.002 Disk Structure Wipe
enterprise T1068 Exploitation for Privilege Escalation
enterprise T1562 Impair Defenses
enterprise T1562.001 Disable or Modify Tools
enterprise T1056 Input Capture
enterprise T1056.001 Keylogging
enterprise T1111 Multi-Factor Authentication Interception

Driver Metadata

Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking

Domain ID Name
enterprise T1542 Pre-OS Boot
enterprise T1542.002 Component Firmware

References

  1. Apple. (2014, April 9). What Is the I/O Kit?. Retrieved September 24, 2021. 

  2. Viviano, A. (2021, August 17). Getting started with Windows drivers: User mode and kernel mode. Retrieved September 24, 2021. 

  3. Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017. 

  4. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. 

  5. Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.