Device Driver Discovery

Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).

Many OS utilities may provide information about local device drivers, such as driverquery.exe and the EnumDeviceDrivers() API function on Windows.[1][2] Information about device drivers (as well as associated services, i.e., System Service Discovery) may also be available in the Registry.[3]

On Linux/macOS, device drivers (in the form of kernel modules) may be visible within /dev or using utilities such as lsmod and modinfo.[4][5][6]

ID: T1652
Sub-techniques:  No sub-techniques
Tactic: Discovery
Platforms: Linux, Windows, macOS
Contributors: ESET
Version: 1.0
Created: 28 March 2023
Last Modified: 04 May 2023

Procedure Examples

ID Name Description

HOPLIGHT can enumerate device drivers located in the registry at HKLM\Software\WBEM\WDM.[7]

S0125 Remsec

Remsec has a plugin to detect active drivers of some security products.[8]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands (lsmod, driverquery, etc.) with arguments highlighting potentially malicious attempts to enumerate device drivers.

DS0009 Process OS API Execution

Monitor for API calls (such as EnumDeviceDrivers()) that may attempt to gather information about local device drivers.

Process Creation

Monitor processes (lsmod, driverquery.exe, etc.) for events that may highlight potentially malicious attempts to enumerate device drivers.

DS0024 Windows Registry Windows Registry Key Access

Monitor for attempts to access information stored in the Registry about devices and their associated drivers, such as values under HKLM\SYSTEM\CurrentControlSet\Services and HKLM\SYSTEM\CurrentControlSet\HardwareProfiles.[3]