T1652Techniquediscoveryagent-callable

T1652Device Driver Discovery

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)). Many OS utilities may provide information about local device drivers, such as `driverquery.exe` and the `EnumDeviceDrivers()` API function on Windows.(Citation: Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about device drivers (as well as associated services, i.e., [System Service Discovery](https://attack.mitre.org/techniques/T1007)) may also be available in the Registry.(Citation: Microsoft Registry Drivers) On Linux/macOS, device drivers (in the form of kernel modules) may be visible within `/dev` or using utilities such as `lsmod` and `modinfo`.(Citation: Linux Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)

ATT&CK tactics· 1

Discovery

References

  1. https://attack.mitre.org/techniques/T1652
  2. https://man7.org/linux/man-pages/man8/lsmod.8.html
  3. https://learn.microsoft.com/windows-hardware/drivers/install/overview-of-registry-trees-and-keys
  4. https://learn.microsoft.com/windows/win32/api/psapi/nf-psapi-enumdevicedrivers
  5. https://learn.microsoft.com/windows-server/administration/windows-commands/driverquery
  6. https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
  7. https://linux.die.net/man/8/modinfo
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.