T1652 Device Driver Discovery
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).
Many OS utilities may provide information about local device drivers, such as driverquery.exe and the EnumDeviceDrivers() API function on Windows. Information about device drivers (as well as their associated services, i.e., System Service Discovery) may also be available in the Registry. On Linux/macOS, device drivers (in the form of kernel modules) may be inferred from the device nodes present under /dev or listed with utilities such as
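The utilities named above are also what a defender looks for. The following is an added example, not MITRE's text or any referenced tool's code: it scans constructed process-creation events (the Image and CommandLine fields of Sysmon Event ID 1 or comparable EDR telemetry are an assumed shape) for driver enumeration on Windows (driverquery.exe, WMI Win32_SystemDriver queries, reg.exe queries that walk the Services key, where kernel and file-system driver services are registered) and for kernel-module enumeration on Linux/macOS (lsmod, /proc/modules, kextstat). The sample events and rule names are constructed for the example.

```python
"""Flag process-creation telemetry that looks like device driver enumeration.

Added example, not MITRE's or any referenced tool's code. The event shape
(Image + CommandLine, as in Sysmon Event ID 1 or similar EDR telemetry) and
all sample events below are constructed assumptions.
"""
import json
import re

# Every Windows service lives under this key, including kernel drivers
# (Type 0x1) and file-system drivers (Type 0x2); a recursive query, or a
# query for ImagePath/Type, discloses which drivers are installed.
SERVICES_KEY = r"hklm\system\currentcontrolset\services"

# Constructed sample events: ids 1-5 enumerate drivers/modules, 6-7 do not.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\driverquery.exe",
     "CommandLine": "driverquery /v /fo csv"},
    {"id": 2, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services /s /v ImagePath"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-CimInstance Win32_SystemDriver | Select Name,PathName,State"'},
    {"id": 4, "Image": "/usr/sbin/lsmod", "CommandLine": "lsmod"},
    {"id": 5, "Image": "/usr/bin/cat", "CommandLine": "cat /proc/modules"},
    {"id": 6, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"'},
    {"id": 7, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]


def _normalize(event):
    """Return (lower-cased image basename, lower-cased command line with HKLM shorthand)."""
    image = re.split(r"[\\/]", event.get("Image", ""))[-1].lower()
    cmd = event.get("CommandLine", "").lower().replace("hkey_local_machine", "hklm")
    return image, cmd


def _reg_driver_query(image, cmd):
    """reg.exe query of the Services key that recurses or asks for driver-revealing values."""
    if image != "reg.exe" or "query" not in cmd or SERVICES_KEY not in cmd:
        return False
    tokens = cmd.split()
    return "/s" in tokens or "imagepath" in cmd or "type" in tokens


# Each rule: (name, predicate over (image basename, normalized command line)).
RULES = [
    ("win_driverquery", lambda img, cmd: img == "driverquery.exe"),
    ("win_wmi_systemdriver",
     lambda img, cmd: img in {"powershell.exe", "pwsh.exe", "wmic.exe"}
     and re.search(r"win32_(systemdriver|pnpsigneddriver)|\bsysdriver\b", cmd) is not None),
    ("win_reg_services", _reg_driver_query),
    ("nix_kernel_modules",
     lambda img, cmd: img in {"lsmod", "kextstat"}
     or "/proc/modules" in cmd
     or (img == "kmod" and "list" in cmd.split())),
]


def classify(event):
    """Return the first matching rule name for one event, or None."""
    image, cmd = _normalize(event)
    for name, predicate in RULES:
        if predicate(image, cmd):
            return name
    return None


def detect(events):
    """Return [(event id, rule name)] for every event that matches a rule."""
    hits = []
    for event in events:
        name = classify(event)
        if name:
            hits.append((event["id"], name))
    return hits


def detect_jsonl(text):
    """Same as detect() but over newline-delimited JSON, the usual export format."""
    return detect(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Command-line matching covers the utilities and Registry path named above but not direct calls to EnumDeviceDrivers(), which leave no process-creation record; those need API-level telemetry. A single-key `reg query` without `/s` is deliberately not flagged, since it reads as service discovery for one service rather than a driver inventory, and `lsmod`/`driverquery` are routine administrator commands, so hits should be weighed against the user and parent process before alerting.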
Platforms: Linux, Windows, macOS
Created: 28 March 2023
Last Modified: 04 May 2023
Procedure examples:
HOPLIGHT can enumerate device drivers located in the registry at
Remsec has a plugin to detect active drivers of some security products.