Which SIEM platforms have a T1652 detection rule?

df00tech provides T1652 (Device Driver Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Device Driver Discovery (T1652)?

Detecting Device Driver Discovery requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1652 detection?

The T1652 detection is rated medium severity with medium confidence.

What are common false positives for T1652?

Common false positives for T1652 include: System administrators running driverquery.exe manually for troubleshooting or asset inventory; IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans; Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup).

T1652: Device Driver Discovery — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let DriverDiscoveryBinaries = dynamic(["driverquery.exe", "lsmod", "modinfo"]);
let DriverDiscoveryKeywords = dynamic(["driverquery", "lsmod", "modinfo", "EnumDeviceDrivers", "WBEM\\WDM", "CurrentControlSet\\Services"]);
let ExcludedSystemProcesses = dynamic(["MsMpEng.exe", "SenseIR.exe", "MsSense.exe", "CSFalconService.exe"]);
// Process-based driver discovery
let ProcessBasedDiscovery = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ (DriverDiscoveryBinaries)
    or ProcessCommandLine has_any (DriverDiscoveryKeywords)
| where not (InitiatingProcessFileName in~ (ExcludedSystemProcesses))
| where not (InitiatingProcessFileName =~ "svchost.exe" and AccountName == "SYSTEM" and ProcessCommandLine !has "-fo")
| extend DetectionSource = "ProcessExecution"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, DetectionSource;
// Registry-based driver discovery (HOPLIGHT pattern)
let RegistryBasedDiscovery = DeviceRegistryEvents
| where TimeGenerated > ago(1d)
| where RegistryKey has_any ("SOFTWARE\\WBEM\\WDM", "CurrentControlSet\\Services", "CurrentControlSet\\Control\\Class")
| where ActionType in ("RegistryValueQueried", "RegistryKeyQueried")
| where not (InitiatingProcessFileName in~ (ExcludedSystemProcesses))
| where not (InitiatingProcessFileName in~ ("services.exe", "svchost.exe", "WmiPrvSE.exe") and AccountName == "SYSTEM")
| extend DetectionSource = "RegistryQuery"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine = "", FileName = InitiatingProcessFileName, ProcessCommandLine = RegistryKey, FolderPath = RegistryKey, DetectionSource;
// Union results and score
ProcessBasedDiscovery
| union RegistryBasedDiscovery
| extend RiskScore = case(
    InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe") and AccountName != "SYSTEM", 80,
    InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe") and AccountName == "SYSTEM", 60,
    DetectionSource == "RegistryQuery" and InitiatingProcessFileName !in~ ("explorer.exe", "mmc.exe"), 70,
    true(), 40
  )
| sort by TimeGenerated desc

Detects device driver discovery via process execution of driverquery.exe, lsmod, or modinfo, and registry enumeration of driver-related keys under HKLM\SYSTEM\CurrentControlSet\Services and HKLM\SOFTWARE\WBEM\WDM. Combines process and registry telemetry from Microsoft Defender for Endpoint, scoring events by initiating process risk to surface likely malicious activity. Suppresses known legitimate security product access patterns.

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)
Windows Device Manager (devmgmt.msc) and associated mmc.exe processes performing routine driver enumeration
Endpoint security platforms querying driver lists to detect vulnerable or malicious drivers

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval lower_image=lower(Image), lower_cmdline=lower(CommandLine)
| where match(lower_image, "(driverquery\.exe|lsmod|modinfo)") OR
    match(lower_cmdline, "(driverquery|lsmod|modinfo|enumdevicedrivers|wbem\\\\wdm|currentcontrolset\\\\services)")
| where NOT match(lower_image, "(msmpeng\.exe|mssense\.exe|csfalconservice\.exe|senseir\.exe)")
| where NOT (match(lower_image, "svchost\.exe") AND User="NT AUTHORITY\\SYSTEM" AND NOT match(lower_cmdline, "-fo"))
| eval risk_score=case(
    match(lower_image, "(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe)") AND NOT match(User, "SYSTEM"), 80,
    match(lower_image, "(powershell\.exe|cmd\.exe)") AND match(User, "SYSTEM"), 60,
    match(lower_image, "driverquery\.exe") AND match(lower_image, "(cmd\.exe|powershell)"), 70,
    true(), 40
  )
| eval detection_context=case(
    match(lower_cmdline, "wbem\\\\wdm"), "HOPLIGHT Registry Pattern",
    match(lower_image, "driverquery\.exe"), "Native Driver Enumeration",
    match(lower_cmdline, "lsmod"), "Linux Kernel Module Discovery",
    match(lower_cmdline, "modinfo"), "Kernel Module Info Gathering",
    true(), "General Driver Discovery"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, risk_score, detection_context
| sort -risk_score, -_time

Detects driver discovery activity via Sysmon process creation events (EventCode=1) for driverquery.exe, lsmod, modinfo, and command lines referencing driver registry paths or API function names. Scores events by parent process risk and applies exclusions for known security vendor processes. Labels detections with contextual tags to assist triage.

medium severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Administrative scripts running driverquery.exe as part of scheduled hardware audits
Software deployment platforms checking for driver prerequisites before pushing updates
IT helpdesk personnel running driverquery for troubleshooting printing or USB device issues
CI/CD pipelines or build systems that enumerate device capabilities for hardware-specific testing

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1652*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

Elastic EQL detection for Device Driver Discovery (T1652). Identifies device driver discovery activity by correlating endpoint telemetry patterns consistent with known adversary techniques.

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

IBM QRadar AQL detection for Device Driver Discovery (T1652). Queries QRadar event pipeline for indicators consistent with device driver discovery adversary techniques using MITRE ATT&CK-aligned event categorization.

medium severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

Sumo Logic detection for Device Driver Discovery (T1652). Identifies adversary device driver discovery behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)

Google Chronicle / SecOps

yaral

rule detection_t1652 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Device Driver Discovery - T1652"
    severity = "HIGH"
    mitre_attack = "T1652"
    reference = "https://attack.mitre.org/techniques/T1652/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule for detecting Device Driver Discovery (T1652). Uses Chronicle UDM event model to identify device driver discovery behaviors across endpoint and cloud telemetry.

medium severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

CrowdStrike LogScale CQL detection for Device Driver Discovery (T1652). Queries Falcon telemetry for device driver discovery behavioral indicators aligned with MITRE ATT&CK T1652.

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)

Device Driver Discovery

What is T1652 Device Driver Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1652

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1652 Device Driver Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1652

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox