Driver

A computer program that operates or controls a particular type of device that is attached to a computer. It provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used.[1][2]

ID: DS0027
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 16 April 2025

Data Components

Driver: Driver Load

The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples:

  • Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system.
  • Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel.
  • Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes.
  • Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities.
  • Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks).

This data component can be collected through the following measures:

Windows

  • Sysmon Logs:
    • Event ID 6: Captures driver loading activity, including file path, hashes, and signature information.
    • Configuration: Ensure Sysmon is configured with a ruleset that monitors driver loading events.
  • Windows Event Logs: Enable "Audit Kernel Object" to capture kernel-related driver loading events.

Linux

  • Auditd: Configure audit rules to capture driver loading events: auditctl -w /lib/modules/ -p rwxa -k driver_load
  • Kernel Logs (dmesg): Use dmesg to monitor driver-related activities: dmesg | grep "module"
  • Syslog or journald: Review logs for module insertion or removal activities.
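The path watch above records file access under /lib/modules/, not module loads as such: a module inserted with init_module() is read from a memory buffer and touches no file in that directory, and a module file copied to /tmp and loaded with finit_module() is also outside the watch. The following Python is an added example, not part of the ATT&CK page or of auditd: it pairs the page's watch with a syscall rule, groups raw auditd records by their serial number, and flags module loads whose name is not on an allowlist, that came from memory, or that came from a path outside /lib/modules/. The audit lines, the module allowlist and the rule strings are constructed; syscall numbers are the x86_64 values that appear in raw (non-interpreted) SYSCALL records.

```python
import re
from collections import defaultdict

# auditd rules this example assumes (constructed; the second rule is the one
# the page's path watch needs beside it, because init_module() never touches
# /lib/modules and finit_module() can be given a file from anywhere).
AUDIT_RULES = [
    "-w /lib/modules/ -p rwxa -k driver_load",
    "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k driver_load",
]

# x86_64 syscall numbers as written in raw SYSCALL records (ausearch -i would
# show the names instead).
MODULE_SYSCALLS = {175: "init_module", 313: "finit_module", 176: "delete_module"}

# Constructed allowlist of modules this host is expected to load.
EXPECTED_MODULES = {"e1000e", "ext4", "xfs"}

# Constructed sample of raw auditd output: a normal modprobe load, a load from
# memory, a load of an expected module name from /tmp, and one plain openat()
# hit from the path watch that is not a module load at all.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="modprobe" exe="/usr/bin/kmod" key="driver_load"
type=KERN_MODULE msg=audit(1700000000.101:501): name="e1000e"
type=PATH msg=audit(1700000000.101:501): item=0 name="/lib/modules/6.1.0-example/kernel/drivers/net/e1000e.ko" inode=12345 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=175 success=yes exit=0 a0=7f0000 a1=4000 a2=0 a3=0 items=0 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 comm="insmod" exe="/usr/bin/kmod" key="driver_load"
type=KERN_MODULE msg=audit(1700000000.202:502): name="constructed_mod"
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=1 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 comm="insmod" exe="/usr/bin/kmod" key="driver_load"
type=KERN_MODULE msg=audit(1700000000.303:503): name="e1000e"
type=PATH msg=audit(1700000000.303:503): item=0 name="/tmp/e1000e.ko" inode=999 dev=08:01 mode=0100644 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=0 a2=0 a3=0 items=1 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="driver_load"
type=PATH msg=audit(1700000000.404:504): item=0 name="/lib/modules/6.1.0-example/modules.dep" inode=777 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")


def parse_record(line):
    """Return (record type, event serial, key/value fields) for one raw audit line."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields.get("type"), int(m.group(3)), fields


def module_load_events(lines, expected_modules):
    """Group records by serial, keep module syscalls only, and attach review flags."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            by_serial[serial].append((rtype, fields))

    events = []
    for serial in sorted(by_serial):
        records = by_serial[serial]
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        if syscall is None:
            continue
        nr = int(syscall.get("syscall", "-1"))
        if nr not in MODULE_SYSCALLS:
            continue  # e.g. the openat() hit from the path watch: not a load
        name = next((f.get("name") for t, f in records if t == "KERN_MODULE"), None)
        paths = [f["name"] for t, f in records if t == "PATH" and "name" in f]

        flags = []
        if name not in expected_modules:
            flags.append("unexpected-name")
        if nr != 176:  # delete_module has no file to check
            if not paths:
                flags.append("no-file-path")  # init_module(): image came from memory
            elif not all(p.startswith("/lib/modules/") for p in paths):
                flags.append("path-outside-modules")

        events.append({
            "serial": serial,
            "syscall": MODULE_SYSCALLS[nr],
            "module": name,
            "paths": paths,
            "exe": syscall.get("exe"),
            "auid": syscall.get("auid"),
            "success": syscall.get("success") == "yes",
            "flags": flags,
        })
    return events


if __name__ == "__main__":
    for ev in module_load_events(SAMPLE_AUDIT_LOG.splitlines(), EXPECTED_MODULES):
        if ev["flags"]:
            print(ev["serial"], ev["syscall"], ev["module"], ev["exe"], ev["flags"])
```

Serial 501 produces no flags, serial 502 is flagged as an unexpected name loaded from memory, and serial 503 is flagged because the file came from /tmp even though the module name is on the allowlist; the openat() record at serial 504 is the kind of watch noise the syscall grouping drops. The KERN_MODULE record is what carries the module name, so the syscall rule, not the path watch, is the record to key on.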

macOS

  • Unified Logs: Use the macOS unified logging system to monitor kext (kernel extension) loads: log show --predicate 'eventMessage contains "kext load"'
  • Endpoint Security Framework: Monitor driver loading via third-party security tools that leverage Apple’s Endpoint Security Framework.

SIEM Tools

  • Ingest driver load logs from Sysmon, Auditd, or macOS unified logs into a centralized SIEM (e.g., Splunk).
  • Create rules to detect unsigned drivers, rootkit activity, or known vulnerable drivers.

EDR Solutions

  • Use EDR tools to detect and alert on anomalous driver loading activity.

Detections (columns: Domain, ID, Name, Detects)

Enterprise T1547 Boot or Logon Autostart Execution

Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

.008 LSASS Driver

With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. [3] Utilize the Sysinternals Autoruns/Autorunsc utility [4] to examine loaded drivers associated with the LSA.

.012 Print Processors

Monitor for unusual kernel driver installation activity that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

Enterprise T1543 Create or Modify System Process

Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles.

.003 Windows Service

Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles.

Note: Sysmon Event ID 6 (driver load) provides information on whether the loaded driver was signed with a valid signature (via the Signature and SignatureStatus fields). As such, one way to help reduce the volume of alerts and false positives associated with this event is to filter and exclude any driver load events signed by common and legitimate publishers like Microsoft.
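The ordering of that filter matters: drivers abused in BYOVD attacks carry valid signatures from real publishers, so a publisher allowlist applied before any hash check would suppress exactly the loads the T1068 row below is concerned with. The following Python is an added example, not from the ATT&CK page or from Sysmon: it parses Sysmon Event ID 6 records in their event-log XML form, checks the SHA256 from the Hashes field against a vulnerable-driver list first, then alerts on unsigned or invalid signatures, and only then suppresses loads signed by an exact-match set of trusted publishers. The sample records, hash values, publisher names and file paths are constructed placeholders; the Event XML namespace and the Event ID 6 field names are Sysmon's.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Publishers whose validly signed loads are suppressed. Exact match on the
# Signature field: a substring match such as "Microsoft" would be too loose.
TRUSTED_PUBLISHERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Constructed placeholder standing in for a vulnerable-driver hash list;
# populate from your own blocklist. Checked before any publisher filtering.
KNOWN_VULNERABLE_SHA256 = {"1" * 64}


def _event6(utc, image, sha256, signed, signature, status):
    """Build a constructed Sysmon Event ID 6 record in event-log XML form."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">SHA256={sha256}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signature}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


# Constructed sample: a Microsoft-signed load, a validly signed load whose hash
# is on the vulnerable list, an unsigned load, and an uncommon but valid publisher.
SAMPLE_EVENTS = [
    _event6("2025-01-01 10:00:00.000", r"C:\Windows\System32\drivers\ntfs.sys",
            "a" * 64, "true", "Microsoft Windows", "Valid"),
    _event6("2025-01-01 10:01:00.000", r"C:\Users\Public\gpudrv.sys",
            "1" * 64, "true", "Constructed Vendor Ltd", "Valid"),
    _event6("2025-01-01 10:02:00.000", r"C:\Temp\x.sys",
            "b" * 64, "false", "-", "Unavailable"),
    _event6("2025-01-01 10:03:00.000", r"C:\Windows\System32\drivers\exgfx.sys",
            "c" * 64, "true", "Example Graphics Co", "Valid"),
]


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    hashes: dict
    signed: bool
    signature: str
    signature_status: str


def parse_event6(xml_text):
    """Return a DriverLoad for an Event ID 6 record, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    hashes = {}
    for part in data.get("Hashes", "").split(","):  # e.g. "SHA256=...,IMPHASH=..."
        algo, _, value = part.partition("=")
        if value:
            hashes[algo.strip().upper()] = value.strip().lower()
    return DriverLoad(
        utc_time=data.get("UtcTime", ""),
        image=data.get("ImageLoaded", ""),
        hashes=hashes,
        signed=data.get("Signed", "").lower() == "true",
        signature=data.get("Signature", ""),
        signature_status=data.get("SignatureStatus", ""),
    )


def triage(load):
    """Hash check first, then signature validity, then the publisher allowlist."""
    if load.hashes.get("SHA256") in KNOWN_VULNERABLE_SHA256:
        return "alert:known-vulnerable-driver"
    if not load.signed or load.signature_status != "Valid":
        return "alert:unsigned-or-invalid-signature"
    if load.signature in TRUSTED_PUBLISHERS:
        return "suppress:trusted-publisher"
    return "review:uncommon-publisher"


def triage_events(xml_records):
    """Map each Event ID 6 record to (image path, verdict); other events are skipped."""
    results = []
    for rec in xml_records:
        load = parse_event6(rec)
        if load is not None:
            results.append((load.image, triage(load)))
    return results


if __name__ == "__main__":
    for image, verdict in triage_events(SAMPLE_EVENTS):
        print(f"{verdict:40} {image}")
```

The second sample record is the one the note's publisher filter alone would have dropped: it is signed and its SignatureStatus is Valid, and only the hash comparison surfaces it. Which hash algorithms appear in the Hashes field depends on the HashAlgorithms setting in the Sysmon configuration, so the parser keys on whatever algorithms are present rather than assuming SHA256 is the only one.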

Enterprise T1561 Disk Wipe

Monitor for unusual kernel driver installation activity that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources.

.001 Disk Content Wipe

Monitor for unusual kernel driver installation activity that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

.002 Disk Structure Wipe

Monitor for unusual kernel driver installation activity that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system, targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Enterprise T1068 Exploitation for Privilege Escalation

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.[5] Higher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping. Look for additional activity that may indicate an adversary has gained higher privileges.

Enterprise T1562 Impair Defenses

Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products.

.001 Disable or Modify Tools

Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products.

Enterprise T1056 Input Capture

Monitor for unusual kernel driver installation activity.

Analytic 1 - Unexpected kernel driver installations.

index=security sourcetype="WinEventLog:System" EventCode=7045 | where match(Service_Name, "(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)")

.001 Keylogging

Monitor for unusual kernel driver installation activity.

Enterprise T1111 Multi-Factor Authentication Interception

Monitoring for use of proxied smart card connections by an adversary may be difficult because it requires the token to be inserted into a system; thus it is more likely to be in use by a legitimate user and blend in with other network behavior. Similar to Input Capture, keylogging activity can take various forms but may be detected via installation of a driver.

Analytic 1 - Unexpected kernel driver installations.

(index=security sourcetype="WinEventLog:System" EventCode=7045) OR (index=os sourcetype="linux_audit" action="add" path="/lib/modules/*/kernel/drivers/" OR path="/etc/udev/rules.d/") OR (index=os sourcetype="macos_secure" message="kextload")

Driver: Driver Metadata

Contextual data about a driver, including its attributes, functionality, and activity. This can involve details such as the driver's origin, integrity, cryptographic signature, issues reported during its use, and runtime behavior. Examples include metadata captured during driver integrity checks, hash validation, or error reporting. Examples:

  • Driver Signature Validation: A driver is validated to ensure it is signed by a trusted Certificate Authority (CA).
  • Driver Hash Verification: The hash of a driver is compared to a known good hash stored in a database.
  • Driver Compatibility Issues: A driver error is logged due to compatibility issues with a particular version of the operating system.
  • Vulnerable Driver Identification: Metadata indicates the driver version is outdated or contains a known vulnerability.
  • Monitoring Driver Integrity: Drivers are monitored for any unauthorized modifications to their binary or associated files.

This data component can be collected through the following measures:

Windows

  • Windows Event Logs:
    • Event ID 3000-3006: Logs metadata about driver signature validation.
    • Event ID 2000-2011 (Windows Defender Application Control): Tracks driver integrity and policy enforcement.
  • Sysmon Logs: Configure Sysmon to capture driver loading metadata (Event ID 6).
  • Driver Verifier: Use Driver Verifier to collect diagnostic and performance data about drivers, including stability and compatibility metrics.
  • PowerShell: Use commands to retrieve metadata about installed drivers: Get-WindowsDriver -Online | Select-Object Driver, ProviderName, Version

Linux

  • Auditd: Configure audit rules to monitor driver interactions and collect metadata: auditctl -w /lib/modules/ -p rwxa -k driver_metadata
  • dmesg: Use dmesg to extract kernel logs with driver metadata: dmesg | grep "module"
  • lsmod and modinfo: Commands to list loaded modules and retrieve metadata about a driver: lsmod to list the loaded modules, then modinfo <module_name> for the module of interest (modinfo takes a module name as an argument, not piped input).

macOS

  • Unified Logs: Collect metadata from system logs about kernel extensions (kexts): log show --predicate 'eventMessage contains "kext load"' --info
  • kextstat: Command to retrieve information about loaded kernel extensions: kextstat

SIEM Tools

  • Ingest Driver Metadata: Collect driver metadata logs from Sysmon, Auditd, or macOS logs into SIEMs like Splunk or Elastic.

Vulnerability Management Tools

  • Use these tools to collect metadata about vulnerable drivers across enterprise systems.

Detections (columns: Domain, ID, Name, Detects)

Enterprise T1542 Pre-OS Boot

Disk check, forensic utilities, and data from device drivers (i.e., processes and API calls) may reveal anomalies that warrant deeper investigation.

.002 Component Firmware

Monitor for unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation.

References