Device Driver Discovery (T1652)

Technique & Subtechniques

  • Device Driver Discovery

Associated Tactics

  • Discovery

Discovery (TA0007)

The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

Procedure Examples

| Description | Source(s) |
| --- | --- |
| Kerrisk, M. (2022, December 18). lsmod(8) — Linux manual page. Retrieved March 28, 2023. | lsmod man |
| Microsoft. (2021, December 14). Registry Trees for Devices and Drivers. Retrieved March 28, 2023. | Microsoft Registry Drivers |
| Microsoft. (2021, October 12). EnumDeviceDrivers function (psapi.h). Retrieved March 28, 2023. | Microsoft EnumDeviceDrivers |
| Microsoft. (n.d.). driverquery. Retrieved March 28, 2023. | Microsoft Driverquery |
| Pomerantz, O., Salzman, P. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018. | Linux Kernel Programming |
| Russell, R. (n.d.). modinfo(8) - Linux man page. Retrieved March 28, 2023. | modinfo man |