T1652 Device Driver Discovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let DriverDiscoveryBinaries = dynamic(["driverquery.exe", "lsmod", "modinfo"]);
let DriverDiscoveryKeywords = dynamic(["driverquery", "lsmod", "modinfo", "EnumDeviceDrivers", "WBEM\\WDM", "CurrentControlSet\\Services"]);
let ExcludedSystemProcesses = dynamic(["MsMpEng.exe", "SenseIR.exe", "MsSense.exe", "CSFalconService.exe"]);
// Process-based driver discovery
let ProcessBasedDiscovery = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ (DriverDiscoveryBinaries)
    or ProcessCommandLine has_any (DriverDiscoveryKeywords)
| where not (InitiatingProcessFileName in~ (ExcludedSystemProcesses))
| where not (InitiatingProcessFileName =~ "svchost.exe" and AccountName == "SYSTEM" and ProcessCommandLine !has "-fo")
| extend DetectionSource = "ProcessExecution"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, DetectionSource;
// Registry-based driver discovery (HOPLIGHT pattern)
let RegistryBasedDiscovery = DeviceRegistryEvents
| where TimeGenerated > ago(1d)
| where RegistryKey has_any ("SOFTWARE\\WBEM\\WDM", "CurrentControlSet\\Services", "CurrentControlSet\\Control\\Class")
| where ActionType in ("RegistryValueQueried", "RegistryKeyQueried")
| where not (InitiatingProcessFileName in~ (ExcludedSystemProcesses))
| where not (InitiatingProcessFileName in~ ("services.exe", "svchost.exe", "WmiPrvSE.exe") and AccountName == "SYSTEM")
| extend DetectionSource = "RegistryQuery"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine = "", FileName = InitiatingProcessFileName, ProcessCommandLine = RegistryKey, FolderPath = RegistryKey, DetectionSource;
// Union results and score
ProcessBasedDiscovery
| union RegistryBasedDiscovery
| extend RiskScore = case(
    InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe") and AccountName != "SYSTEM", 80,
    InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe") and AccountName == "SYSTEM", 60,
    DetectionSource == "RegistryQuery" and InitiatingProcessFileName !in~ ("explorer.exe", "mmc.exe"), 70,
    true(), 40
  )
| sort by TimeGenerated desc

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)
Windows Device Manager (devmgmt.msc) and associated mmc.exe processes performing routine driver enumeration
Endpoint security platforms querying driver lists to detect vulnerable or malicious drivers

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval lower_image=lower(Image), lower_cmdline=lower(CommandLine)
| where match(lower_image, "(driverquery\.exe|lsmod|modinfo)") OR
    match(lower_cmdline, "(driverquery|lsmod|modinfo|enumdevicedrivers|wbem\\\\wdm|currentcontrolset\\\\services)")
| where NOT match(lower_image, "(msmpeng\.exe|mssense\.exe|csfalconservice\.exe|senseir\.exe)")
| where NOT (match(lower_image, "svchost\.exe") AND User="NT AUTHORITY\\SYSTEM" AND NOT match(lower_cmdline, "-fo"))
| eval risk_score=case(
    match(lower_image, "(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe)") AND NOT match(User, "SYSTEM"), 80,
    match(lower_image, "(powershell\.exe|cmd\.exe)") AND match(User, "SYSTEM"), 60,
    match(lower_image, "driverquery\.exe") AND match(lower_image, "(cmd\.exe|powershell)"), 70,
    true(), 40
  )
| eval detection_context=case(
    match(lower_cmdline, "wbem\\\\wdm"), "HOPLIGHT Registry Pattern",
    match(lower_image, "driverquery\.exe"), "Native Driver Enumeration",
    match(lower_cmdline, "lsmod"), "Linux Kernel Module Discovery",
    match(lower_cmdline, "modinfo"), "Kernel Module Info Gathering",
    true(), "General Driver Discovery"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, risk_score, detection_context
| sort -risk_score, -_time

medium severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Administrative scripts running driverquery.exe as part of scheduled hardware audits
Software deployment platforms checking for driver prerequisites before pushing updates
IT helpdesk personnel running driverquery for troubleshooting printing or USB device issues
CI/CD pipelines or build systems that enumerate device capabilities for hardware-specific testing

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1652*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

medium severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)

Google Chronicle / SecOps

yaral

rule detection_t1652 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Device Driver Discovery - T1652"
    severity = "HIGH"
    mitre_attack = "T1652"
    reference = "https://attack.mitre.org/techniques/T1652/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

medium severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

System administrators running driverquery.exe manually for troubleshooting or asset inventory
IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)

Device Driver Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections