
Driver Load (3551476e-14f5-4e48-a518-e82135329e03)

The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples:

  • Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system.
  • Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel.
  • Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes.
  • Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities.
  • Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks).

This data component can be collected through the following measures:

Windows

  • Sysmon Logs:
    • Event ID 6: Captures driver loading activity, including file path, hashes, and signature information.
    • Configuration: Ensure Sysmon is configured with a ruleset that monitors driver loading events.
  • Windows Event Logs: Enable "Audit Kernel Object" to capture kernel-related driver loading events.
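As an added example (not code from the original page or from the Sysmon project), the block below shows how the Sysmon Event ID 6 fields listed above can be turned into the kind of SIEM rule mentioned later on this page: it parses exported event XML, reads ImageLoaded, Hashes, Signed, Signature and SignatureStatus, and flags unsigned or invalid signatures, loads from outside the usual drivers directory, and hashes that appear on a blocklist. The event namespace is the standard Windows event schema; the sample events, the blocklist hash and the expected-directory constant are constructed for illustration and should be replaced with a curated vulnerable-driver feed and your own baseline.

```python
"""Triage Sysmon Event ID 6 (Driver loaded) records.

Added example, not code from the original page. It assumes the standard
Windows event XML namespace and the EventData fields Sysmon writes for
EID 6 (ImageLoaded, Hashes, Signed, Signature, SignatureStatus). The
sample events and the blocklist hash below are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed placeholder; in production feed this from a curated
# vulnerable-driver hash list (for example one maintained by your EDR vendor).
KNOWN_BAD_SHA256 = {"deadbeef" * 8}

# Drivers normally live here; loads from elsewhere deserve a look.
EXPECTED_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class DriverLoad:
    image: str
    sha256: str | None
    signed: bool
    signature_status: str
    signer: str
    findings: list[str] = field(default_factory=list)


def parse_hashes(hashes: str) -> dict[str, str]:
    """Turn Sysmon's 'SHA256=...,MD5=...' string into a dict of lower-case hex."""
    out: dict[str, str] = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def parse_event(xml_text: str) -> DriverLoad | None:
    """Parse one exported Sysmon event; return None for anything but EID 6."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    hashes = parse_hashes(data.get("Hashes", ""))
    return DriverLoad(
        image=data.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256"),
        signed=data.get("Signed", "").lower() == "true",
        signature_status=data.get("SignatureStatus", ""),
        signer=data.get("Signature", ""),
    )


def triage(ev: DriverLoad) -> DriverLoad:
    """Apply three checks a SIEM rule for this data component would encode."""
    if not ev.signed or ev.signature_status.lower() != "valid":
        ev.findings.append("unsigned-or-invalid-signature")
    if not ev.image.lower().startswith(EXPECTED_DIR):
        ev.findings.append("unusual-load-path")
    if ev.sha256 in KNOWN_BAD_SHA256:
        ev.findings.append("known-vulnerable-driver-hash")
    return ev


# Constructed sample events: a signed vendor driver, an unsigned driver loaded
# from a user-writable path whose hash is on the blocklist, and a non-EID-6 event.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\example_gpu.sys</Data>
    <Data Name="Hashes">SHA256=1111111111111111111111111111111111111111111111111111111111111111</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Example Vendor Inc.</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="ImageLoaded">C:\Users\Public\tmp_drv.sys</Data>
    <Data Name="Hashes">SHA256=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF</Data>
    <Data Name="Signed">false</Data>
    <Data Name="Signature"></Data>
    <Data Name="SignatureStatus">Unavailable</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7</EventID></System>
  <EventData><Data Name="ImageLoaded">C:\Windows\System32\ntdll.dll</Data></EventData>
</Event>""",
]


def run_samples(events: list[str] = SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """Return (ImageLoaded, findings) for every EID 6 event in the input."""
    results = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev is not None:
            results.append((ev.image, triage(ev).findings))
    return results


if __name__ == "__main__":
    for image, findings in run_samples():
        print(image, "->", ", ".join(findings) or "clean")
```

Running the block prints one line per driver load with its findings; in a SIEM the same three checks map naturally onto a rule that raises when any finding is present, with the hash check kept separate so it can be tuned against an externally maintained list.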

Linux

  • Auditd: Configure audit rules to capture driver loading events: auditctl -w /lib/modules/ -p rwxa -k driver_load
  • Kernel Logs (dmesg): Use dmesg to monitor driver-related activities: dmesg | grep "module"
  • Syslog or journald: Review logs for module insertion or removal activities.
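As an added example (not code from the original page or from the auditd or kernel projects), the block below correlates the two Linux sources listed above. It assumes the watch rule given above (key driver_load) and the standard audit record layout in which SYSCALL and PATH records for one event share a serial number, and it looks in dmesg for the kernel's own taint messages for out-of-tree and unverified modules. All log lines, the loader allowlist and the module names are constructed for illustration; tune the allowlist to the distribution in use.

```python
"""Correlate Linux driver-load evidence from auditd and dmesg.

Added example, not part of the original page. It assumes the auditd watch
rule from the text (-k driver_load) and the standard audit record layout
(SYSCALL + PATH records sharing one serial), plus the kernel's own module
taint messages in dmesg. All log lines below are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# Kernel messages that indicate an out-of-tree or unsigned module was loaded.
DMESG_RE = re.compile(
    r"\]\s+(?P<module>[\w-]+): "
    r"(?P<reason>module verification failed|loading out-of-tree module taints kernel)"
)
MODULE_DIR = "/lib/modules/"
# Constructed allowlist of binaries expected to read module files; adjust per distro.
EXPECTED_LOADERS = {"/usr/bin/kmod", "/sbin/modprobe", "/usr/sbin/modprobe",
                    "/sbin/insmod", "/usr/sbin/insmod", "/usr/lib/systemd/systemd-modules-load"}
UNSET_AUID = "4294967295"  # login uid of daemons started at boot


def parse_record(line: str) -> tuple[str, dict[str, str]] | None:
    """Return (serial, fields) for one audit record, or None if it is not one."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    return m.group(2), fields


def module_load_events(audit_lines: list[str], key: str = "driver_load") -> list[dict]:
    """Group records by serial; keep keyed events that touched /lib/modules/."""
    by_serial: dict[str, list[dict[str, str]]] = defaultdict(list)
    for line in audit_lines:
        parsed = parse_record(line)
        if parsed is not None:
            by_serial[parsed[0]].append(parsed[1])
    events = []
    for serial in sorted(by_serial, key=int):
        recs = by_serial[serial]
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        paths = [r["name"] for r in recs
                 if r.get("type") == "PATH" and r.get("name", "").startswith(MODULE_DIR)]
        if not paths:
            continue
        ev = {"serial": serial, "comm": syscall.get("comm", ""), "exe": syscall.get("exe", ""),
              "auid": syscall.get("auid", ""), "success": syscall.get("success", ""),
              "paths": paths, "flags": []}
        if ev["exe"] not in EXPECTED_LOADERS:
            ev["flags"].append("unexpected-loader")
        if ev["auid"] not in ("0", UNSET_AUID):
            ev["flags"].append("non-root-login-session")
        events.append(ev)
    return events


def dmesg_findings(dmesg_lines: list[str]) -> list[tuple[str, str]]:
    """Return (module, reason) for kernel taint messages about module loads."""
    return [(m.group("module"), m.group("reason"))
            for m in map(DMESG_RE.search, dmesg_lines) if m]


# Constructed sample: modprobe reading an in-tree module (501), an unknown binary
# run from a user session reading a module under extra/ (502), unrelated event (503).
AUDIT_SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=1234 auid=0 uid=0 tty=(none) ses=1 comm="modprobe" exe="/usr/bin/kmod" key="driver_load"',
    'type=CWD msg=audit(1700000000.101:501): cwd="/"',
    'type=PATH msg=audit(1700000000.101:501): item=0 name="/lib/modules/6.1.0-example/kernel/drivers/net/example_nic.ko" inode=12345 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=4321 pid=4322 auid=1000 uid=0 tty=pts0 ses=2 comm="loader" exe="/tmp/loader" key="driver_load"',
    'type=PATH msg=audit(1700000000.202:502): item=0 name="/lib/modules/6.1.0-example/extra/rk.ko" inode=99999 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=5 items=1 ppid=1 pid=777 auid=0 uid=0 tty=(none) ses=1 comm="cat" exe="/usr/bin/cat" key="other_key"',
    'type=PATH msg=audit(1700000000.303:503): item=0 name="/etc/hostname" inode=1 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
]
DMESG_SAMPLE = [
    "[    0.000000] Linux version 6.1.0-example (constructed)",
    "[   42.123456] example_nic: loading out-of-tree module taints kernel.",
    "[   42.123457] rk: module verification failed: signature and/or required key missing - tainting kernel",
    "[   42.200000] usbcore: registered new interface driver usbfs",
]

if __name__ == "__main__":
    for ev in module_load_events(AUDIT_SAMPLE):
        print(ev["serial"], ev["comm"], ev["exe"], ev["paths"], ev["flags"] or "clean")
    for module, reason in dmesg_findings(DMESG_SAMPLE):
        print("dmesg:", module, "-", reason)
```

The two views complement each other: auditd tells you which process read a module file and under which login session, while dmesg tells you whether the kernel accepted it as signed and in-tree. Joining them on module name is the useful next step when both feeds land in the same SIEM.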

macOS

  • Unified Logs: Use the macOS unified logging system to monitor kext (kernel extension) loads: log show --predicate 'eventMessage contains "kext load"'
  • Endpoint Security Framework: Monitor driver loading via third-party security tools that leverage Apple’s Endpoint Security Framework.

SIEM Tools

  • Ingest driver load logs from Sysmon, Auditd, or macOS unified logs into a centralized SIEM (e.g., Splunk).
  • Create rules to detect unsigned drivers, rootkit activity, or known vulnerable drivers.

EDR Solutions

  • Use EDR tools to detect and alert on anomalous driver loading activity.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | LSASS Driver - T1547.008 (f0589bc3-a6ae-425a-a3d5-5659bfee07f4) | Attack Pattern | 1 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 1 |
| Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | 1 |
| Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) | Attack Pattern | Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) | Attack Pattern | 2 |
| Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | LSASS Driver - T1547.008 (f0589bc3-a6ae-425a-a3d5-5659bfee07f4) | Attack Pattern | 2 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2 |
| Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | 2 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 2 |
| Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) | Attack Pattern | Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) | Attack Pattern | 2 |
| Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |