T1652 Splunk · SPL

Detect Device Driver Discovery in Splunk

This detection identifies adversary attempts to enumerate device drivers on a victim host using native OS utilities, registry queries, or API calls. Attackers use driver discovery to identify installed security products, detect virtualization/sandbox environments, and locate vulnerable drivers suitable for privilege escalation. On Windows, this commonly involves driverquery.exe, WMI queries, or registry enumeration under HKLM\SYSTEM\CurrentControlSet\Services and HKLM\SOFTWARE\WBEM\WDM. On Linux and macOS, utilities such as lsmod and modinfo are used to inspect loaded kernel modules. Known threat actors including Medusa Group, HOPLIGHT malware, INC Ransomware, and Remsec have all been observed performing driver enumeration as a precursor to further exploitation or defense evasion.

MITRE ATT&CK

Tactic
Discovery
Technique
T1652 Device Driver Discovery
Canonical reference
https://attack.mitre.org/techniques/T1652/

SPL Detection Query

Splunk (SPL)
spl 
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval lower_image=lower(Image), lower_cmdline=lower(CommandLine)
| where match(lower_image, "(driverquery\.exe|lsmod|modinfo)") OR
    match(lower_cmdline, "(driverquery|lsmod|modinfo|enumdevicedrivers|wbem\\\\wdm|currentcontrolset\\\\services)")
| where NOT match(lower_image, "(msmpeng\.exe|mssense\.exe|csfalconservice\.exe|senseir\.exe)")
| where NOT (match(lower_image, "svchost\.exe") AND User="NT AUTHORITY\\SYSTEM" AND NOT match(lower_cmdline, "-fo"))
| eval risk_score=case(
    match(lower_image, "(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe)") AND NOT match(User, "SYSTEM"), 80,
    match(lower_image, "(powershell\.exe|cmd\.exe)") AND match(User, "SYSTEM"), 60,
    match(lower_image, "driverquery\.exe") AND match(lower_image, "(cmd\.exe|powershell)"), 70,
    true(), 40
  )
| eval detection_context=case(
    match(lower_cmdline, "wbem\\\\wdm"), "HOPLIGHT Registry Pattern",
    match(lower_image, "driverquery\.exe"), "Native Driver Enumeration",
    match(lower_cmdline, "lsmod"), "Linux Kernel Module Discovery",
    match(lower_cmdline, "modinfo"), "Kernel Module Info Gathering",
    true(), "General Driver Discovery"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, risk_score, detection_context
| sort -risk_score, -_time
medium severity medium confidence

Detects driver discovery activity via Sysmon process creation events (EventCode=1) for driverquery.exe, lsmod, modinfo, and command lines referencing driver registry paths or API function names. Scores events by parent process risk and applies exclusions for known security vendor processes. Labels detections with contextual tags to assist triage.

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Administrative scripts running driverquery.exe as part of scheduled hardware audits
  • Software deployment platforms checking for driver prerequisites before pushing updates
  • IT helpdesk personnel running driverquery for troubleshooting printing or USB device issues
  • CI/CD pipelines or build systems that enumerate device capabilities for hardware-specific testing
Download portable Sigma rule (.yml)

Other platforms for T1652

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Driver Enumeration via driverquery.exe with CSV Export

    Expected signal: Sysmon EventID 1: Image=driverquery.exe, CommandLine contains '/FO CSV /V'. Security EventID 4688 if process creation auditing is enabled. DeviceProcessEvents in MDE with ProcessCommandLine='/FO CSV /V'.

  2. Test 2HOPLIGHT-Style Registry Enumeration of WBEM WDM Driver Key

    Expected signal: Sysmon EventID 1: Image=reg.exe, CommandLine contains 'WBEM\WDM'. Sysmon EventID 12/13: TargetObject matching HKLM\SOFTWARE\WBEM\WDM. DeviceRegistryEvents in MDE with RegistryKey containing 'WBEM\WDM'.

  3. Test 3PowerShell Driver Enumeration via WMI Win32_SystemDriver

    Expected signal: Sysmon EventID 1: Image=powershell.exe, CommandLine contains 'Win32_SystemDriver'. PowerShell ScriptBlock log EventID 4104 with WMI query. DeviceProcessEvents in MDE showing powershell.exe invoking WMI.

  4. Test 4Linux Kernel Module Discovery via lsmod and modinfo

    Expected signal: Auditd log: execve syscall for lsmod and modinfo with uid/pid context. Syslog entries if auditd is configured to log execution. Linux process telemetry in Defender for Endpoint or SIEM showing lsmod/modinfo execution.

Last updated: 2026-03-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1652 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1518.001Security Software DiscoveryT1497.001System ChecksT1068Exploitation for Privilege EscalationT1007System Service DiscoveryT1033System Owner/User Discovery

Same Tactic: Discovery

Popular Detections