T1652 Device Driver Discovery
Adversaries may enumerate the device drivers loaded on a victim host. Driver information can shape follow-on behavior: it may reveal the host's function or purpose, the security tools present (i.e., Security Software Discovery) or other defenses such as a virtualized or sandboxed environment (e.g., Virtualization/Sandbox Evasion), and potentially exploitable driver vulnerabilities (e.g., Exploitation for Privilege Escalation).
Many OS utilities expose information about local device drivers, such as driverquery.exe and the EnumDeviceDrivers() API function on Windows.[3] Information about device drivers (as well as their associated services, i.e., System Service Discovery) is also available in the Registry, for example in the device, class and service trees beneath HKLM\SYSTEM\CurrentControlSet.[2]
On Linux and macOS, device drivers typically take the form of kernel modules (kernel extensions on macOS). Device nodes are visible under /dev, and loaded modules can be listed with utilities such as lsmod and inspected with modinfo (kextstat on macOS). lsmod itself only formats the kernel's /proc/modules table, so an adversary can read that file directly without spawning an lsmod process.[1][4][5]
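The following is an added example, not code from MITRE or from any of the software listed on this page. It enumerates drivers through the mechanisms the two paragraphs above describe: on Windows via psapi's EnumDeviceDrivers() and GetDeviceDriverBaseNameW() (ctypes prototypes follow the psapi.h documentation), and on Linux by parsing /proc/modules, the table lsmod prints. It also parses the CSV form of driverquery output. The sample /proc/modules and driverquery text embedded below is constructed for illustration; the function and field names are this example's own.

```python
"""Enumerating loaded device drivers / kernel modules (T1652).

Added example for this page; not code from MITRE or from the software listed on it.
"""
from __future__ import annotations

import csv
import ctypes
import io
import sys
from pathlib import Path


def parse_proc_modules(text: str) -> list[dict]:
    """Parse /proc/modules, the kernel table that lsmod formats.

    Line layout: name size refcount used_by state address
    used_by is '-' when nothing depends on the module, otherwise a
    comma-separated list with a trailing comma, e.g. 'xt_conntrack,nf_nat,'.
    """
    modules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line: skip instead of raising
        deps = [d for d in parts[3].split(",") if d and d != "-"]
        modules.append({
            "name": parts[0],
            "size": int(parts[1]),
            "refcount": int(parts[2]),
            "used_by": deps,
        })
    return modules


def linux_modules() -> list[dict]:
    """Live enumeration on Linux: read /proc/modules directly, so no lsmod process is created."""
    return parse_proc_modules(Path("/proc/modules").read_text())


def parse_driverquery_csv(text: str) -> list[dict]:
    """Parse `driverquery /fo csv` output (columns: Module Name, Display Name, Driver Type, Link Date).

    driverquery pads the Driver Type column with a trailing space, so values are stripped.
    """
    return [{k: v.strip() for k, v in row.items()} for row in csv.DictReader(io.StringIO(text))]


def windows_drivers(max_drivers: int = 4096) -> list[str]:
    """Live enumeration on Windows via psapi EnumDeviceDrivers + GetDeviceDriverBaseNameW.

    Returns the base image name of each loaded driver (e.g. 'ntoskrnl.exe', 'tcpip.sys').
    Windows only; the ctypes prototypes follow the psapi.h documentation.
    """
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    psapi.EnumDeviceDrivers.argtypes = [
        ctypes.POINTER(ctypes.c_void_p), ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    psapi.EnumDeviceDrivers.restype = ctypes.c_int
    psapi.GetDeviceDriverBaseNameW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_ulong]
    psapi.GetDeviceDriverBaseNameW.restype = ctypes.c_ulong

    bases = (ctypes.c_void_p * max_drivers)()
    needed = ctypes.c_ulong(0)
    if not psapi.EnumDeviceDrivers(bases, ctypes.sizeof(bases), ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    # lpcbNeeded > cb means the array was too small; raise max_drivers in that case.
    count = min(needed.value // ctypes.sizeof(ctypes.c_void_p), max_drivers)
    buf = ctypes.create_unicode_buffer(260)
    names = []
    for base in bases[:count]:
        if psapi.GetDeviceDriverBaseNameW(base, buf, len(buf)):
            names.append(buf.value)
    return names


def enumerate_drivers() -> list[str]:
    """Driver/module names for the current host, using the mechanism the page describes."""
    if sys.platform == "win32":
        return windows_drivers()
    if sys.platform.startswith("linux"):
        return [m["name"] for m in linux_modules()]
    raise NotImplementedError("macOS: use kextstat / kmutil showloaded (not implemented here)")


# Constructed sample input (not captured from a real host).
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0xffffffffc0c3c000
nf_conntrack 172032 2 xt_conntrack,nf_nat, Live 0xffffffffc0ad8000
nf_nat 57344 0 - Live 0xffffffffc0b0c000
"""

SAMPLE_DRIVERQUERY_CSV = """\
"Module Name","Display Name","Driver Type","Link Date"
"ACPI","Microsoft ACPI Driver","Kernel ","4/16/2023 1:05:01 AM"
"tcpip","TCP/IP Protocol Driver","Kernel ","4/16/2023 1:06:33 AM"
"WdFilter","Microsoft antimalware file system filter driver","File System ","4/16/2023 1:07:00 AM"
"""

if __name__ == "__main__":
    for m in parse_proc_modules(SAMPLE_PROC_MODULES):
        print(f"{m['name']:<16} size={m['size']:<8} used_by={m['used_by']}")
    for row in parse_driverquery_csv(SAMPLE_DRIVERQUERY_CSV):
        print(f"{row['Module Name']:<10} {row['Driver Type']:<12} {row['Display Name']}")
    try:
        print(enumerate_drivers()[:10])  # live result for this host, first ten entries
    except (NotImplementedError, OSError) as exc:
        print(f"live enumeration unavailable: {exc}")
```

Reading /proc/modules directly (or calling EnumDeviceDrivers() from inside an implant, as the HOPLIGHT and Remsec entries below illustrate for the Registry and driver checks) is the quieter path: it never creates a driverquery.exe or lsmod process, which is why the Detection section lists OS API Execution and Windows Registry Key Access alongside Command Execution.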
| Item | Value |
|---|---|
| ID | T1652 |
| Sub-techniques | No sub-techniques |
| Tactics | TA0007 (Discovery) |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 |
| Created | 28 March 2023 |
| Last Modified | 04 May 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0376 | HOPLIGHT | HOPLIGHT can enumerate device drivers located in the registry at HKLM\Software\WBEM\WDM.[7] |
| S0125 | Remsec | Remsec has a plugin to detect active drivers of some security products.[6] |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | OS API Execution |
| DS0024 | Windows Registry | Windows Registry Key Access |
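The following detection logic is an added example, not MITRE's or any vendor's content. It maps constructed telemetry onto the three data components in the table above: Command Execution (driverquery, lsmod, modinfo, kextstat), Windows Registry Key Access (the HKLM\Software\WBEM\WDM key from the HOPLIGHT entry plus the driver and device class trees under CurrentControlSet) and OS API Execution (EnumDeviceDrivers and the calls that resolve names from it). The event dicts are shaped loosely like Sysmon process-creation and registry-access records with an added API-monitoring record; the field names, the sample events and the actor-scoring step are this example's own assumptions, and the registry prefixes are matched case-insensitively after normalizing HKEY_LOCAL_MACHINE to HKLM.

```python
"""Detection logic for T1652 over constructed telemetry.

Added example for this page, not MITRE's. Events are simplified dicts shaped like
Sysmon process-creation (EID 1) and registry-access (EID 12/13) records plus an
API-monitoring record; the field names are this example's own assumption.
"""
from __future__ import annotations

import re

# Command Execution: utilities that list drivers/modules on each platform.
COMMAND_PATTERNS = {
    "windows": re.compile(r"(^|\\)driverquery(\.exe)?\b", re.IGNORECASE),
    "linux": re.compile(r"(^|/|\s)(lsmod|modinfo)\b"),
    "macos": re.compile(r"(^|/|\s)(kextstat|kmutil\s+showloaded)\b"),
}

# Windows Registry Key Access: trees that describe drivers and their services.
REGISTRY_PREFIXES = (
    r"HKLM\SOFTWARE\WBEM\WDM",                        # read by HOPLIGHT (procedure example above)
    r"HKLM\SYSTEM\CurrentControlSet\Control\Class",   # device class / driver registry trees
    r"HKLM\SYSTEM\CurrentControlSet\Services",        # driver service entries; noisy on its own
)

# OS API Execution: the page's psapi function and the calls that resolve names from it.
API_NAMES = {"EnumDeviceDrivers", "GetDeviceDriverBaseNameW", "GetDeviceDriverFileNameW"}


def normalize_key(key: str) -> str:
    """Upper-case a registry path and fold HKEY_LOCAL_MACHINE to HKLM so prefixes compare cleanly."""
    k = key.replace("/", "\\").upper()
    return k.replace("HKEY_LOCAL_MACHINE\\", "HKLM\\")


def detect(events: list[dict], parent_allowlist=frozenset()) -> list[dict]:
    """Map each event to the data component it triggers.

    parent_allowlist holds parent images (e.g. an inventory agent) whose child
    utility executions are expected and therefore suppressed.
    """
    alerts = []
    for idx, ev in enumerate(events):
        if ev["type"] == "process":
            if ev.get("parent") in parent_allowlist:
                continue
            for platform, pattern in COMMAND_PATTERNS.items():
                if pattern.search(ev["cmdline"]) or pattern.search(ev["image"]):
                    alerts.append({"event": idx, "actor": ev.get("parent"),
                                   "data_component": "Command Execution",
                                   "reason": f"{platform} driver listing utility: {ev['cmdline']}"})
                    break
        elif ev["type"] == "registry":
            key = normalize_key(ev["key"])
            for prefix in REGISTRY_PREFIXES:
                if key.startswith(normalize_key(prefix)):
                    alerts.append({"event": idx, "actor": ev["image"],
                                   "data_component": "Windows Registry Key Access",
                                   "reason": f"access to driver registry tree {prefix}"})
                    break
        elif ev["type"] == "api" and ev["api"] in API_NAMES:
            alerts.append({"event": idx, "actor": ev["image"],
                           "data_component": "OS API Execution",
                           "reason": f"call to {ev['api']}"})
    return alerts


def actor_scores(alerts: list[dict]) -> dict:
    """Count distinct data components per actor: one actor hitting several is the stronger signal."""
    components = {}
    for a in alerts:
        components.setdefault(a["actor"], set()).add(a["data_component"])
    return {actor: len(c) for actor, c in components.items()}


# Constructed sample telemetry (not real captures).
UPDATE_EXE = r"C:\Users\bob\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\driverquery.exe",
     "cmdline": "driverquery /v /fo csv", "parent": UPDATE_EXE},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir", "parent": r"C:\Windows\explorer.exe"},
    {"type": "registry", "image": UPDATE_EXE, "key": r"HKLM\Software\WBEM\WDM"},
    {"type": "process", "image": "/usr/sbin/lsmod", "cmdline": "lsmod", "parent": "/bin/bash"},
    {"type": "registry", "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "api", "image": UPDATE_EXE, "api": "EnumDeviceDrivers"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"event {a['event']}: {a['data_component']:<28} actor={a['actor']}  {a['reason']}")
    for actor, score in sorted(actor_scores(found).items(), key=lambda kv: -kv[1]):
        print(f"{score} component(s) from {actor}")
```

On its own, each hit is weak: driverquery.exe, lsmod and reads of the Services tree are routine for administrators and inventory agents, which is what the parent_allowlist parameter is for. The actor_scores step is the part worth keeping: a single process that both spawns a listing utility and touches the driver registry trees or calls EnumDeviceDrivers() is far less likely to be benign than any one of those events alone.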
References
1. Kerrisk, M. (2022, December 18). lsmod(8) — Linux manual page. Retrieved March 28, 2023.
2. Microsoft. (2021, December 14). Registry Trees for Devices and Drivers. Retrieved March 28, 2023.
3. Microsoft. (2021, October 12). EnumDeviceDrivers function (psapi.h). Retrieved March 28, 2023.
4. Pomerantz, O., Salzman, P. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.
5. Russell, R. (n.d.). modinfo(8) - Linux man page. Retrieved March 28, 2023.
6. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
7. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.