Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).
Many OS utilities may provide information about local device drivers, such as
driverquery.exe and the
EnumDeviceDrivers() API function on Windows. Information about device drivers (as well as associated services, i.e., System Service Discovery) may also be available in the Registry.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
|ID||Data Source||Data Component||Detects|
Monitor executed commands (
|DS0009||Process||OS API Execution||
Monitor for API calls (such as
Monitor processes (
|DS0024||Windows Registry||Windows Registry Key Access||
Monitor for attempts to access information stored in the Registry about devices and their associated drivers, such as values under