A computer program that operates or controls a particular type of device that is attached to a computer. It provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used.[1][2]
Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1547 | Boot or Logon Autostart Execution | Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. |
| | .008 | LSASS Driver | With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers.[3] Utilize the Sysinternals Autoruns/Autorunsc utility[4] to examine loaded drivers associated with the LSA. |
| | .012 | Print Processors | Monitor for unusual kernel driver installation activity that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. |
| Enterprise | T1543 | Create or Modify System Process | Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles. |
| | .003 | Windows Service | Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles. Note: Sysmon Event ID 6 (driver load) provides information on whether the loaded driver was signed with a valid signature (via the |
| Enterprise | T1561 | Disk Wipe | Monitor for unusual kernel driver installation activity that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. |
| | .001 | Disk Content Wipe | Monitor for unusual kernel driver installation activity that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. |
| | .002 | Disk Structure Wipe | Monitor for unusual kernel driver installation activity that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system, targeting specific critical systems or large numbers of systems in a network to interrupt availability to system and network resources. |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.[5] Higher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping. Look for additional activity that may indicate an adversary has gained higher privileges. |
| Enterprise | T1562 | Impair Defenses | Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools, as well as those that may be abused to disable security products. |
| | .001 | Disable or Modify Tools | Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools, as well as those that may be abused to disable security products. |
| Enterprise | T1056 | Input Capture | Monitor for unusual kernel driver installation activity. Analytic 1 - Unexpected kernel driver installations. |
| | .001 | Keylogging | Monitor for unusual kernel driver installation activity. |
| Enterprise | T1111 | Multi-Factor Authentication Interception | Monitoring for use of proxied smart card connections by an adversary may be difficult because it requires the token to be inserted into a system; thus it is more likely to be in use by a legitimate user and blend in with other network behavior. Similar to Input Capture, keylogging activity can take various forms but may be detected via installation of a driver. Analytic 1 - Unexpected kernel driver installations. |
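As an added illustration of the Sysmon Event ID 6 guidance in the table above (not part of the ATT&CK page): a Python triage routine that parses driver-load events and flags the unsigned, out-of-place, or known-vulnerable loads the rows describe. The events, hashes and vulnerable-driver list are constructed placeholders, and the expected-directory list and function names are assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon Event ID 6 (DriverLoad) records in Windows event XML shape.
# Paths, hashes and signer names are made up for this example.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="ImageLoaded">C:\\Windows\\System32\\drivers\\tcpip.sys</Data><Data Name="Hashes">SHA256=CONSTRUCTED1</Data>
<Data Name="Signed">true</Data><Data Name="Signature">Microsoft Windows</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="ImageLoaded">C:\\Users\\Public\\unknown.sys</Data><Data Name="Hashes">SHA256=CONSTRUCTED2</Data>
<Data Name="Signed">false</Data><Data Name="Signature">-</Data><Data Name="SignatureStatus">Unavailable</Data></EventData></Event>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="ImageLoaded">C:\\Temp\\oldvendor.sys</Data><Data Name="Hashes">SHA256=CONSTRUCTED3</Data>
<Data Name="Signed">true</Data><Data Name="Signature">Example Vendor Ltd</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>
</Events>"""

# Placeholder standing in for a feed of known vulnerable driver hashes (constructed, not real IoCs).
KNOWN_VULNERABLE_SHA256 = {"CONSTRUCTED3"}
# Directories where legitimately installed drivers normally live on Windows (assumed allow-list).
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

def parse_driver_loads(xml_text):
    """Return one dict of EventData fields for each Event ID 6 record."""
    root = ET.fromstring(xml_text)
    return [{d.get("Name"): d.text for d in ev.iter("Data")}
            for ev in root.iter("Event") if ev.findtext("System/EventID") == "6"]

def sha256_of(hashes_field):
    """Sysmon writes Hashes as 'ALG=VALUE,ALG=VALUE'; return the SHA256 value or None."""
    return dict(p.split("=", 1) for p in hashes_field.split(",") if "=" in p).get("SHA256")

def assess(load):
    """List the reasons a driver load deserves analyst attention (empty list = looks normal)."""
    reasons = []
    if load.get("Signed") != "true" or load.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or signature not valid")
    if not load.get("ImageLoaded", "").lower().startswith(EXPECTED_DIRS):
        reasons.append("loaded from an unexpected directory")
    if sha256_of(load.get("Hashes", "")) in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches known vulnerable driver list")
    return reasons

def triage(xml_text):
    """Map each flagged ImageLoaded path to its reasons; normal loads are dropped."""
    return {ld["ImageLoaded"]: r for ld in parse_driver_loads(xml_text) if (r := assess(ld))}

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

In production the allow-list would be tuned per environment and the hash set fed from a maintained vulnerable-driver list rather than hard-coded.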
Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1542 | Pre-OS Boot | Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. |
| | .002 | Component Firmware | Monitor for unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. |