title: Device Driver Discovery (T1652)
id: df00tech-t1652
status: experimental
description: "This detection identifies adversary attempts to enumerate device drivers on a victim host using native OS utilities, registry queries, or API calls. Attackers use driver discovery to identify installed security products, detect virtualization/sandbox environments, and locate vulnerable drivers suitable for privilege escalation. On Windows, this commonly involves driverquery.exe, WMI queries, or registry enumeration under HKLM\\SYSTEM\\CurrentControlSet\\Services and HKLM\\SOFTWARE\\WBEM\\WDM. On Linux and macOS, utilities such as lsmod and modinfo are used to inspect loaded kernel modules. Known threat actors including Medusa Group, HOPLIGHT malware, INC Ransomware, and Remsec have all been observed performing driver enumeration as a precursor to further exploitation or defense evasion."
references:
  - https://attack.mitre.org/techniques/T1652/
  - https://df00tech.com/detections/T1652
author: df00tech
date: 2026/03/20
tags:
  - attack.t1652
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - System administrators running driverquery.exe manually for troubleshooting or asset inventory
  - "IT management tools (SCCM, PDQ Deploy, Tanium) enumerating drivers during hardware inventory scans"
  - "Software installers checking for prerequisite device drivers before installation (e.g., hardware peripheral setup)"
  - Windows Device Manager (devmgmt.msc) and associated mmc.exe processes performing routine driver enumeration
  - Endpoint security platforms querying driver lists to detect vulnerable or malicious drivers
level: medium