1. Home
  2. Data Components
  3. Driver Load

Driver Load

The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples:

  • Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system.
  • Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel.
  • Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes.
  • Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities.
  • Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks).
ID: DC0079
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

Name Channel
linux:syslog dmesg or syslog for module loads
linux:syslog Driver load events or firmware load failures for hardware devices
WinEventLog:Sysmon EventCode=6

Detection Strategy

ID Name Technique Detected
DET0309 Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) T1195.002
DET0225 Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows) T1547.008
DET0069 Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network) T1200
DET0377 Detection of Kernel/User-Level Rootkit Behavior Across Platforms T1014
DET0552 Detection of Windows Service Creation or Modification T1543.003
DET0316 Detection Strategy for Disk Content Wipe via Direct Access and Overwrite T1561.001
DET0297 Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite T1561.002
DET0137 Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands T1561
DET0514 Detection Strategy for Exploitation for Privilege Escalation T1068
DET0246 Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying T1111
DET0323 Detection Strategy for T1542.002 Pre-OS Boot: Component Firmware T1542.002
DET0167 Firmware Modification via Flash Tool or Corrupted Firmware Upload T1495
DET0368 Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks T1195.003
DET0162 Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002) T1205.002