A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used[1][2]
The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples:
This data component can be collected through the following measures:
- Windows: Sysmon Event ID 6 (driver loaded) events, which the detection table below refers to.
- Linux: an auditd watch on the module directory, `auditctl -w /lib/modules/ -p rwxa -k driver_load`, and kernel messages via `dmesg | grep "module"`. Note that the file watch only records access to module files under that path; a module inserted from elsewhere (for example with insmod from /tmp) never touches /lib/modules and is missed by the watch, so pair it with an auditd syscall rule on init_module and finit_module.
- macOS: unified log entries for kernel extension loads, `log show --predicate 'eventMessage contains "kext load"'`
- SIEM tools
- EDR solutions
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1547 | Boot or Logon Autostart Execution | Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. |
| | .008 | LSASS Driver | With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers.[3] Use the Sysinternals Autoruns/Autorunsc utility[4] to examine loaded drivers associated with the LSA. |
| | .012 | Print Processors | Monitor for unusual kernel driver installation activity that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. |
| Enterprise | T1543 | Create or Modify System Process | Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles. |
| | .003 | Windows Service | Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles. Note: Sysmon Event ID 6 (driver load) provides information on whether the loaded driver was signed with a valid signature (via the |
| Enterprise | T1561 | Disk Wipe | Monitor for unusual kernel driver installation activity that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability of system and network resources. |
| | .001 | Disk Content Wipe | Monitor for unusual kernel driver installation activity that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability of system and network resources. |
| | .002 | Disk Structure Wipe | Monitor for unusual kernel driver installation activity that may corrupt or wipe the disk data structures necessary to boot a system, targeting specific critical systems or large numbers of systems in a network to interrupt availability of system and network resources. |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed, or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint that might indicate successful compromise, such as abnormal behavior of processes: suspicious files written to disk, evidence of Process Injection used to hide execution, or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.[5] Higher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping, so look for additional activity that may indicate an adversary has gained higher privileges. |
| Enterprise | T1562 | Impair Defenses | Monitor for unusual or suspicious driver activity, especially involving EDR and drivers associated with security tools, as well as drivers that may be abused to disable security products. |
| | .001 | Disable or Modify Tools | Monitor for unusual or suspicious driver activity, especially involving EDR and drivers associated with security tools, as well as drivers that may be abused to disable security products. |
| Enterprise | T1056 | Input Capture | Monitor for unusual kernel driver installation activity. Analytic 1 - Unexpected kernel driver installations. |
| | .001 | Keylogging | Monitor for unusual kernel driver installation activity. |
| Enterprise | T1111 | Multi-Factor Authentication Interception | Monitoring for use of proxied smart card connections by an adversary may be difficult because it requires the token to be inserted into a system; thus it is more likely to be in use by a legitimate user and blend in with other network behavior. Similar to Input Capture, keylogging activity can take various forms but may be detected via installation of a driver. Analytic 1 - Unexpected kernel driver installations. |
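The detections in the table above keep pointing at Sysmon Event ID 6 and its signature fields: unsigned or invalidly signed drivers, drivers loaded from unexpected paths, and known-vulnerable drivers that are validly signed (the T1068 case). The script below is an added example, not code from the ATT&CK page or from Sysmon, that applies those checks to three constructed Event ID 6 records. The driver paths, hash values, signer names and the block list of "known vulnerable" SHA256 values are all placeholders; the field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are the ones Sysmon emits for event 6.

```python
"""Triage Sysmon Event ID 6 (Driver Loaded) records.

Added example for the Driver Load data component; not code from the
ATT&CK page. Events, hashes, paths and signer names are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Hypothetical block list of SHA256 hashes of known-vulnerable drivers
# (placeholder values, not real hashes). In practice this would be fed
# from a curated list, compared case-insensitively.
KNOWN_VULNERABLE_SHA256 = {"bad0bad0"}

# Signers that are expected to load drivers on the fleet; tune per estate.
EXPECTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Directories drivers are normally loaded from (case-insensitive).
EXPECTED_DIRS = re.compile(
    r"^c:\\windows\\system32\\(drivers|driverstore)\\", re.IGNORECASE
)

# Constructed Event ID 6 records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: in-box driver, signed by Microsoft, from System32\drivers.
    """<Event><System><EventID>6</EventID></System><EventData>
    <Data Name="ImageLoaded">C:\\Windows\\System32\\drivers\\ndis.sys</Data>
    <Data Name="Hashes">SHA1=AAAA,MD5=BBBB,SHA256=0000</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
    <Data Name="SignatureStatus">Valid</Data>
    </EventData></Event>""",
    # Suspicious: unsigned driver loaded from a user-writable directory.
    """<Event><System><EventID>6</EventID></System><EventData>
    <Data Name="ImageLoaded">C:\\Users\\Public\\rootkit.sys</Data>
    <Data Name="Hashes">SHA1=CCCC,MD5=DDDD,SHA256=2222</Data>
    <Data Name="Signed">false</Data>
    <Data Name="Signature">-</Data>
    <Data Name="SignatureStatus">Unavailable</Data>
    </EventData></Event>""",
    # Suspicious: validly signed third-party driver dropped into Temp whose
    # hash is on the block list (the bring-your-own-vulnerable-driver case).
    """<Event><System><EventID>6</EventID></System><EventData>
    <Data Name="ImageLoaded">C:\\Windows\\Temp\\vendorutil.sys</Data>
    <Data Name="Hashes">SHA1=EEEE,MD5=FFFF,SHA256=BAD0BAD0</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Example Vendor Inc.</Data>
    <Data Name="SignatureStatus">Valid</Data>
    </EventData></Event>""",
]


def parse_event(xml_text):
    """Flatten the EventData section of one event into a dict."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    hashes = {}
    # Sysmon packs hashes as "ALGO=value,ALGO=value,...".
    for part in data.get("Hashes", "").split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().lower()
    return {
        "image": data.get("ImageLoaded", ""),
        "signed": data.get("Signed", "").lower() == "true",
        "signer": data.get("Signature", ""),
        "status": data.get("SignatureStatus", ""),
        "sha256": hashes.get("SHA256", ""),
    }


def findings_for(ev):
    """Return the list of reasons a parsed event deserves attention."""
    reasons = []
    if not ev["signed"] or ev["status"] != "Valid":
        reasons.append("unsigned_or_invalid_signature")
    if not EXPECTED_DIRS.match(ev["image"]):
        reasons.append("unusual_load_path")
    if ev["sha256"] in KNOWN_VULNERABLE_SHA256:
        reasons.append("known_vulnerable_driver")
    # A valid signature from an unexpected signer is still worth a look.
    if ev["signed"] and ev["signer"] not in EXPECTED_SIGNERS:
        reasons.append("unexpected_signer")
    return reasons


def triage(xml_events):
    """Parse each event and keep only those with at least one finding."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        reasons = findings_for(ev)
        if reasons:
            alerts.append({"image": ev["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["image"], "->", ", ".join(alert["reasons"]))
```

The benign in-box driver produces no finding; the unsigned driver from a user-writable path is flagged twice; and the third record shows why signature validity alone is not a sufficient filter, since it passes the signature check and is caught only by the path and block-list checks.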
Contextual data about a driver, including its attributes, functionality, and activity. This can involve details such as the driver's origin, integrity, cryptographic signature, issues reported during its use, and runtime behavior. Examples include metadata captured during driver integrity checks, hash validation, or error reporting. Examples:
This data component can be collected through the following measures:
- Windows: `Get-WindowsDriver -Online | Select-Object Driver, ProviderName, Version`. Note that this enumerates driver packages in the driver store of the running image rather than the drivers currently loaded, so compare it against load telemetry to see what is actually running.
- Linux: an auditd watch, `auditctl -w /lib/modules/ -p rwxa -k driver_metadata`; `dmesg | grep "module"` to extract kernel log lines that carry driver metadata; `lsmod` to list loaded modules, then `modinfo <module_name>` to print a module's metadata (file path, license, vermagic, signer).
- macOS: `log show --predicate 'eventMessage contains "kext load"' --info`; `kextstat` for currently loaded kernel extensions.
- SIEM tools
- Vulnerability management tools
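The Linux entries above yield text, not structured telemetry, and the question a practitioner actually wants answered is whether every module lsmod reports resolves to a signed, in-tree file under /lib/modules. The script below is an added example, not from the ATT&CK page, that parses constructed lsmod and modinfo output in the line format those tools print; the module names, paths, key fingerprint and signer strings are made up. It also handles the case a by-name modinfo lookup cannot: a module that is loaded but has no file under the kernel's module tree (for example one inserted with insmod from a temporary directory).

```python
"""Cross-check loaded Linux kernel modules against their modinfo metadata.

Added example for the Driver Metadata data component; not code from the
ATT&CK page. The lsmod and modinfo text below is constructed.
"""
import re

# Constructed `lsmod` output: one benign in-tree module, one out-of-tree
# module, and one module with no file under /lib/modules at all.
LSMOD_OUTPUT = """Module                  Size  Used by
dummy                  24576  0
vendorfs               61440  1
ghostmod               16384  0
"""

# Constructed `modinfo <name>` output, keyed by module name. Signer and
# fingerprint are placeholders. ghostmod is deliberately absent: modinfo
# resolves names through /lib/modules/$(uname -r), so a module loaded from
# elsewhere is simply not found.
MODINFO_OUTPUT = {
    "dummy": """filename:       /lib/modules/6.1.0-18-amd64/kernel/drivers/net/dummy.ko
license:        GPL
depends:
intree:         Y
name:           dummy
vermagic:       6.1.0-18-amd64 SMP preempt mod_unload modversions
sig_id:         PKCS#7
signer:         Example Distro Secure Boot CA
sig_key:        AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
sig_hashalgo:   sha256
""",
    # modinfo run against the file path recovered from the audit log.
    "vendorfs": """filename:       /tmp/.x/vendorfs.ko
license:        GPL
depends:
name:           vendorfs
vermagic:       6.1.0-18-amd64 SMP preempt mod_unload modversions
""",
}


def loaded_modules(lsmod_text):
    """Return module names from lsmod output, skipping the header row."""
    names = []
    for line in lsmod_text.splitlines()[1:]:
        if line.strip():
            names.append(line.split()[0])
    return names


def parse_modinfo(text):
    """Parse 'key:   value' lines into a dict; later keys (e.g. parm) may repeat,
    but the fields checked here appear once."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info


def assess_module(info):
    """Reasons a module's metadata is suspicious, in a fixed order."""
    reasons = []
    if info.get("intree") != "Y":
        reasons.append("out_of_tree")
    # A signed module carries sig_id and signer; their absence means the
    # kernel either has no signature enforcement or tainted itself on load.
    if not info.get("sig_id") or not info.get("signer"):
        reasons.append("unsigned")
    if not info.get("filename", "").startswith("/lib/modules/"):
        reasons.append("unexpected_path")
    return reasons


def audit(lsmod_text, modinfo_by_name):
    """Map each loaded module with findings to its list of reasons."""
    findings = {}
    for name in loaded_modules(lsmod_text):
        text = modinfo_by_name.get(name)
        if text is None:
            # Loaded, but not resolvable under the kernel's module tree.
            findings[name] = ["not_in_module_tree"]
            continue
        reasons = assess_module(parse_modinfo(text))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(LSMOD_OUTPUT, MODINFO_OUTPUT).items():
        print(name, "->", ", ".join(reasons))
```

On a live host the inputs come from `lsmod` and `modinfo`; for a module that modinfo cannot find by name, the file it was loaded from has to be recovered from the auditd key or kernel log before modinfo can be run against the path, which is exactly why the collection list pairs the audit watch with the metadata tools.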
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1542 | Pre-OS Boot | Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. |
| | .002 | Component Firmware | Monitor for unexpected disk partition table entries, or blocks of otherwise unusual memory, that warrant deeper investigation. |