Detect Device Driver Discovery in Microsoft Sentinel
This detection identifies adversary attempts to enumerate device drivers on a victim host using native OS utilities, registry queries, or API calls. Attackers use driver discovery to identify installed security products, detect virtualization/sandbox environments, and locate vulnerable drivers suitable for privilege escalation. On Windows, this commonly involves driverquery.exe, WMI queries, or registry enumeration under HKLM\SYSTEM\CurrentControlSet\Services and HKLM\SOFTWARE\WBEM\WDM. On Linux and macOS, utilities such as lsmod and modinfo are used to inspect loaded kernel modules. Known threat actors including Medusa Group, HOPLIGHT malware, INC Ransomware, and Remsec have all been observed performing driver enumeration as a precursor to further exploitation or defense evasion.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1652 Device Driver Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1652/
KQL Detection Query
let DriverDiscoveryBinaries = dynamic(["driverquery.exe", "lsmod", "modinfo"]);
let DriverDiscoveryKeywords = dynamic(["driverquery", "lsmod", "modinfo", "EnumDeviceDrivers", "WBEM\\WDM", "CurrentControlSet\\Services"]);
let ExcludedSystemProcesses = dynamic(["MsMpEng.exe", "SenseIR.exe", "MsSense.exe", "CSFalconService.exe"]);
// Process-based driver discovery
let ProcessBasedDiscovery = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ (DriverDiscoveryBinaries)
or ProcessCommandLine has_any (DriverDiscoveryKeywords)
| where not (InitiatingProcessFileName in~ (ExcludedSystemProcesses))
| where not (InitiatingProcessFileName =~ "svchost.exe" and AccountName == "SYSTEM" and ProcessCommandLine !has "-fo")
| extend DetectionSource = "ProcessExecution"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, DetectionSource;
// Registry-based driver discovery (HOPLIGHT pattern)
let RegistryBasedDiscovery = DeviceRegistryEvents
| where TimeGenerated > ago(1d)
| where RegistryKey has_any ("SOFTWARE\\WBEM\\WDM", "CurrentControlSet\\Services", "CurrentControlSet\\Control\\Class")
| where ActionType in ("RegistryValueQueried", "RegistryKeyQueried")
| where not (InitiatingProcessFileName in~ (ExcludedSystemProcesses))
| where not (InitiatingProcessFileName in~ ("services.exe", "svchost.exe", "WmiPrvSE.exe") and AccountName == "SYSTEM")
| extend DetectionSource = "RegistryQuery"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine = "", FileName = InitiatingProcessFileName, ProcessCommandLine = RegistryKey, FolderPath = RegistryKey, DetectionSource;
// Union results and score
ProcessBasedDiscovery
| union RegistryBasedDiscovery
| extend RiskScore = case(
InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe") and AccountName != "SYSTEM", 80,
InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe") and AccountName == "SYSTEM", 60,
DetectionSource == "RegistryQuery" and InitiatingProcessFileName !in~ ("explorer.exe", "mmc.exe"), 70,
true(), 40
)
| sort by TimeGenerated descDetects device driver discovery via process execution of driverquery.exe, lsmod, or modinfo, and registry enumeration of driver-related keys under HKLM\SYSTEM\CurrentControlSet\Services and HKLM\SOFTWARE\WBEM\WDM. Combines process and registry telemetry from Microsoft Defender for Endpoint, scoring events by initiating process risk to surface likely malicious activity. Suppresses known legitimate security product access patterns.
Data Sources
Required Tables
False Positives & Tuning
- System administrators running driverquery.exe manually for troubleshooting or asset inventory
- IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans
- Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)
- Windows Device Manager (devmgmt.msc) and associated mmc.exe processes performing routine driver enumeration
- Endpoint security platforms querying driver lists to detect vulnerable or malicious drivers
Other platforms for T1652
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows Driver Enumeration via driverquery.exe with CSV Export
Expected signal: Sysmon EventID 1: Image=driverquery.exe, CommandLine contains '/FO CSV /V'. Security EventID 4688 if process creation auditing is enabled. DeviceProcessEvents in MDE with ProcessCommandLine='/FO CSV /V'.
- Test 2HOPLIGHT-Style Registry Enumeration of WBEM WDM Driver Key
Expected signal: Sysmon EventID 1: Image=reg.exe, CommandLine contains 'WBEM\WDM'. Sysmon EventID 12/13: TargetObject matching HKLM\SOFTWARE\WBEM\WDM. DeviceRegistryEvents in MDE with RegistryKey containing 'WBEM\WDM'.
- Test 3PowerShell Driver Enumeration via WMI Win32_SystemDriver
Expected signal: Sysmon EventID 1: Image=powershell.exe, CommandLine contains 'Win32_SystemDriver'. PowerShell ScriptBlock log EventID 4104 with WMI query. DeviceProcessEvents in MDE showing powershell.exe invoking WMI.
- Test 4Linux Kernel Module Discovery via lsmod and modinfo
Expected signal: Auditd log: execve syscall for lsmod and modinfo with uid/pid context. Syslog entries if auditd is configured to log execution. Linux process telemetry in Defender for Endpoint or SIEM showing lsmod/modinfo execution.
References (9)
- https://attack.mitre.org/techniques/T1652/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/driverquery
- https://learn.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumdevicedrivers
- https://learn.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-registry-trees-and-keys
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
- https://us-cert.cisa.gov/ncas/analysis-reports/ar19-100a
- https://securelist.com/faq-the-projectsauron-apt/75533/
- https://man7.org/linux/man-pages/man8/lsmod.8.html
- https://man7.org/linux/man-pages/man8/modinfo.8.html
Unlock Pro Content
Get the full detection package for T1652 including response playbook, investigation guide, and atomic red team tests.