T1652
Device Driver Discovery
Description from ATT&CK
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).
Many OS utilities may provide information about local device drivers, such as driverquery.exe and the EnumDeviceDrivers() API function on Windows.(Citation: Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about device drivers (as well as associated services, i.e., System Service Discovery) may also be available in the Registry.(Citation: Microsoft Registry Drivers)
On Linux/macOS, device drivers (in the form of kernel modules) may be visible within /dev or using utilities such as lsmod and modinfo.(Citation: Linux Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)
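The Linux enumeration the description mentions can be taken one step further than lsmod alone: lsmod is a front end for /proc/modules, and the module names it reports can be cross-checked against the .ko files shipped under /lib/modules/<release>, which is how a loaded module with no backing file (manually inserted or out-of-tree) and kernel taint flags (O = out-of-tree, E = unsigned, P = proprietary) become visible. The script below is an added example, not Atomic Red Team's own test code; the module tree, the /proc/modules snapshot and the module name rogue_mod are constructed sample data, and the live-host run at the end is skipped when the host has no /proc/modules or module tree.

```shell
#!/usr/bin/env bash
# Added example (not Atomic Red Team code): enumerate loaded kernel modules by
# reading /proc/modules (the file lsmod parses) and cross-check each one against
# the .ko files under a /lib/modules/<release> tree. A loaded module with no
# on-disk file, or one carrying taint flags, is what a reviewer would look at
# first.
set -u

# Emit "name taint" per loaded module from /proc/modules-format text on stdin.
# /proc/modules fields: name size refcount deps state address [(taint-flags)]
parse_proc_modules() {
  awk '{ taint = ($NF ~ /^\(.*\)$/) ? $NF : "-"; print $1, taint }'
}

# List module names (one per line, sorted) from .ko/.ko.xz/.ko.zst/.ko.gz files
# under a modules root. '-' and '_' are interchangeable in module names, so
# normalise to '_' before comparing.
on_disk_modules() {
  find "$1" -name '*.ko*' 2>/dev/null \
    | sed -E 's#.*/##; s/\.ko(\.[a-z0-9]+)?$//; s/-/_/g' | sort -u
}

# For each loaded module listed in file $1 print "name taint ON_DISK|NOT_ON_DISK",
# using $2 as the modules root.
report() {
  local disk
  disk="$(on_disk_modules "$2")"
  parse_proc_modules < "$1" | while read -r name taint; do
    if printf '%s\n' "$disk" | grep -qxF -- "${name//-/_}"; then
      printf '%s %s ON_DISK\n' "$name" "$taint"
    else
      printf '%s %s NOT_ON_DISK\n' "$name" "$taint"
    fi
  done
}

# Constructed fixture (sample data, not captured from a real host): a small fake
# modules tree plus a /proc/modules snapshot in which rogue_mod (hypothetical
# name) is loaded, tainted (OE), and has no file on disk. Prints the fixture dir.
make_fixture() {
  local dir
  dir="$(mktemp -d)"
  mkdir -p "$dir/modules/kernel/drivers/net" "$dir/modules/kernel/net/netfilter"
  : > "$dir/modules/kernel/drivers/net/e1000e.ko.xz"
  : > "$dir/modules/kernel/net/netfilter/nf_tables.ko"
  : > "$dir/modules/kernel/drivers/net/veth.ko.zst"
  cat > "$dir/proc_modules" <<'EOF'
nf_tables 245760 1 nft_compat, Live 0xffffffffc0a00000
e1000e 303104 0 - Live 0xffffffffc09c0000
veth 36864 0 - Live 0xffffffffc0980000
rogue_mod 16384 0 - Live 0xffffffffc0b00000 (OE)
EOF
  printf '%s\n' "$dir"
}

# Run against the constructed fixture, then against the live host when possible.
run_demo() {
  local dir
  dir="$(make_fixture)"
  report "$dir/proc_modules" "$dir/modules"
  rm -rf "$dir"
}

run_demo
if [ -r /proc/modules ] && [ -d "/lib/modules/$(uname -r)" ]; then
  report /proc/modules "/lib/modules/$(uname -r)"
fi
```

On the fixture the report lists nf_tables, e1000e and veth as ON_DISK with no taint, and rogue_mod as "(OE) NOT_ON_DISK". On a real host, follow up any NOT_ON_DISK entry with modinfo and a check of the module's load path (dmesg or the audit log), since a legitimately built out-of-tree module also shows the O flag.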
Atomic Tests
- Atomic Test #1: Device Driver Discovery
- Atomic Test #2: Device Driver Discovery (Linux)
- Atomic Test #3: Enumerate Kernel Driver Files (Linux)
- Atomic Test #4: List loaded kernel extensions (macOS)
- Atomic Test #5: Find Kernel Extensions (macOS)
Atomic Test #1: Device Driver Discovery
Displays a list of installed device drivers on the local computer and their properties. Threat actors use this command to enumerate the existing drivers on the computer.
Parameters:
/v /fo list - Displays verbose output in a list format (the /v parameter is not valid for signed drivers)
/si /fo list - Provides information about signed drivers and outputs it in a list format
Supported Platforms: Windows
auto_generated_guid: 235b30a2-e5b1-441f-9705-be6231c88ddd
Attack Commands: Run with powershell!
driverquery /v /fo list
driverquery /si /fo list
Atomic Test #2: Device Driver Discovery (Linux)
Displays a list of loaded kernel modules on a Linux system, which is used to enumerate drivers.
Supported Platforms: Linux
auto_generated_guid: d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1
Attack Commands: Run with bash!
lsmod
Atomic Test #3: Enumerate Kernel Driver Files (Linux)
Finds and lists all kernel driver files on a Linux system in order to provide a broader view of available drivers, not just loaded ones.
Supported Platforms: Linux
auto_generated_guid: 13c0fef5-9be9-4d7f-9c6b-901624e53770
Attack Commands: Run with bash!
find /lib/modules/$(uname -r)/kernel/drivers -name "*.ko*"
Atomic Test #4: List loaded kernel extensions (macOS)
Displays a list of loaded kernel extensions (kexts) on a macOS system.
Supported Platforms: macOS
auto_generated_guid: 71eab73d-5d7d-4681-9a72-7873489a5b85
Attack Commands: Run with bash!
kextstat
Atomic Test #5: Find Kernel Extensions (macOS)
Searches for kernel extension (kext) files on a macOS system.
Supported Platforms: macOS
auto_generated_guid: c63bbe52-6f17-4832-b221-f07ba8b1736f
Attack Commands: Run with bash!
kextfind
Atomic test(s) for this technique last updated: 2025-12-13 04:55:41 UTC