
Driver Load (3551476e-14f5-4e48-a518-e82135329e03)

The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples:

  • Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system.
  • Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel.
  • Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes.
  • Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities.
  • Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks).

This data component can be collected through the following measures:

Windows

  • Sysmon Logs:
    • Event ID 6: Captures driver loading activity, including file path, hashes, and signature information.
    • Configuration: Ensure Sysmon is configured with a ruleset that monitors driver loading events.
  • Windows Event Logs: Enable "Audit Kernel Object" to capture kernel-related driver loading events.

Linux

  • Auditd: Configure audit rules to capture driver loading events: auditctl -w /lib/modules/ -p rwxa -k driver_load
  • Kernel Logs (dmesg): Use dmesg to monitor driver-related activities: dmesg | grep "module"
  • Syslog or journald: Review logs for module insertion or removal activities.
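The watch rule above records every access to a file under /lib/modules/ (it fires on udev and modprobe reading modules.dep as much as on a real load), and it records nothing when a module file is loaded from outside that tree. The example below, added here and not part of the MISP galaxy or MITRE data, assumes the page's watch rule is paired with a syscall rule carrying the same key (auditctl -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k driver_load). It parses a constructed audit.log excerpt, groups records by audit serial, and for each init_module/finit_module call looks for the .ko the same pid opened under /lib/modules/ shortly before; a load with no such open is the case the watch rule alone would miss. Syscall numbers are the x86_64 values; the log lines, pids and paths are made up.

```python
import re
from collections import defaultdict

# One audit record: type=SYSCALL msg=audit(<epoch>.<ms>:<serial>): k=v k=v ...
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Module-related syscall numbers on x86_64 (arch=c000003e).
MODULE_SYSCALLS = {"175": "init_module", "176": "delete_module", "313": "finit_module"}
MODULE_SUFFIXES = (".ko", ".ko.xz", ".ko.zst", ".ko.gz")

# Constructed audit.log excerpt (not real telemetry): serial 2001/2002 is a
# module opened under /lib/modules/ and then loaded by the same pid; 2003 is
# udev reading modules.dep.bin (no load); 2004 is a load with no watched open.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1704103200.101:2001): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1201 auid=1000 uid=0 comm="insmod" exe="/usr/bin/kmod" key="driver_load"
type=PATH msg=audit(1704103200.101:2001): item=0 name="/lib/modules/6.1.0-13-amd64/kernel/drivers/net/dummy.ko" inode=12345 mode=0100644
type=SYSCALL msg=audit(1704103200.105:2002): arch=c000003e syscall=313 success=yes exit=0 items=0 ppid=1200 pid=1201 auid=1000 uid=0 comm="insmod" exe="/usr/bin/kmod" key="driver_load"
type=SYSCALL msg=audit(1704103260.500:2003): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" key="driver_load"
type=PATH msg=audit(1704103260.500:2003): item=0 name="/lib/modules/6.1.0-13-amd64/modules.dep.bin" inode=111 mode=0100644
type=SYSCALL msg=audit(1704103300.777:2004): arch=c000003e syscall=313 success=yes exit=0 items=0 ppid=1300 pid=1301 auid=1000 uid=0 comm="insmod" exe="/usr/bin/kmod" key="driver_load"
"""


def parse_records(text):
    """Group SYSCALL and PATH records by audit serial; returns events sorted by serial."""
    events = defaultdict(lambda: {"time": 0.0, "syscall": {}, "paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        ev = events[int(serial)]
        ev["time"] = float(ts)
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return [dict(serial=s, **ev) for s, ev in sorted(events.items())]


def module_loads(text, window=5.0):
    """List module load/unload syscalls tagged driver_load, each correlated with the
    most recent .ko file the same pid opened under the watched tree (within `window`
    seconds). module_file is None when no such open was recorded."""
    last_open = {}  # pid -> (time, path) of the most recent watched .ko open
    loads = []
    for ev in parse_records(text):
        sc = ev["syscall"]
        if sc.get("key") != "driver_load":
            continue
        pid = sc.get("pid")
        name = MODULE_SYSCALLS.get(sc.get("syscall"))
        if name is None:
            # A plain file access under /lib/modules/ from the watch rule.
            ko = [p for p in ev["paths"] if p.endswith(MODULE_SUFFIXES)]
            if ko:
                last_open[pid] = (ev["time"], ko[0])
            continue
        opened_at, path = last_open.get(pid, (None, None))
        if path is not None and ev["time"] - opened_at > window:
            path = None
        loads.append({"serial": ev["serial"], "syscall": name, "pid": pid,
                      "exe": sc.get("exe"), "auid": sc.get("auid"), "module_file": path})
    return loads


if __name__ == "__main__":
    for load in module_loads(SAMPLE_AUDIT_LOG):
        flag = "" if load["module_file"] else "  <-- no watched .ko open by this pid"
        print(load["serial"], load["syscall"], load["pid"], load["exe"], load["module_file"], flag)
```

On the constructed log the udev read of modules.dep.bin is dropped as noise, serial 2002 is reported with its .ko path, and serial 2004 is reported with module_file None, which is the condition worth alerting on.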

macOS

  • Unified Logs: Use the macOS unified logging system to monitor kext (kernel extension) loads: log show --predicate 'eventMessage contains "kext load"'
  • Endpoint Security Framework: Monitor driver loading via third-party security tools that leverage Apple’s Endpoint Security Framework.

SIEM Tools

  • Ingest driver load logs from Sysmon, Auditd, or macOS unified logs into a centralized SIEM (e.g., Splunk).
  • Create rules to detect unsigned drivers, rootkit activity, or known vulnerable drivers.
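The following example, added here and not part of the MISP galaxy or of Sysmon, shows what such SIEM rules look like when applied to Sysmon Event ID 6 records: it parses the event XML (the Windows event namespace and the Sysmon field names ImageLoaded, Hashes, Signed, Signature and SignatureStatus are real), then flags drivers that are unsigned or carry a non-valid signature, whose SHA-256 appears on a vulnerable-driver blocklist, or that were loaded from outside the usual driver directories. The blocklist entry, the expected directories and all sample records are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows event XML (e.g. from Get-WinEvent ... | % ToXml).
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hypothetical blocklist of SHA-256 hashes of known vulnerable drivers.
# The all-zero entry is a constructed placeholder, not a real driver hash.
VULNERABLE_DRIVER_SHA256 = {"0" * 64}

# Directories drivers are normally loaded from (assumption; tune per environment).
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


def parse_event(xml_text):
    """Return the fields of a Sysmon Event ID 6 record, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=EVENT_NS) != "6":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    hashes = {}
    for pair in data.get("Hashes", "").split(","):  # "SHA256=...,MD5=...,IMPHASH=..."
        if "=" in pair:
            algo, value = pair.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().lower()
    return {
        "time": data.get("UtcTime", ""),
        "image": data.get("ImageLoaded", ""),
        "hashes": hashes,
        "signed": data.get("Signed", "").lower() == "true",
        "signature": data.get("Signature", ""),
        "status": data.get("SignatureStatus", ""),
    }


def evaluate(event):
    """Apply the detection rules: unsigned / invalid signature, known vulnerable hash, odd path."""
    findings = []
    if not event["signed"]:
        findings.append("unsigned_driver")
    elif event["status"] != "Valid":
        findings.append("signature_not_valid")
    if event["hashes"].get("SHA256") in VULNERABLE_DRIVER_SHA256:
        findings.append("known_vulnerable_driver")
    if not event["image"].lower().startswith(EXPECTED_DRIVER_DIRS):
        findings.append("unexpected_path")
    return findings


def triage(xml_events):
    """Return (ImageLoaded, findings) for every Event ID 6 record that trips a rule."""
    hits = []
    for text in xml_events:
        ev = parse_event(text)
        if ev is not None:
            findings = evaluate(ev)
            if findings:
                hits.append((ev["image"], findings))
    return hits


def _sample(image, sha256, signed, status, signature="Example Vendor"):
    # Builds a constructed Event ID 6 record using the Sysmon field names.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>6</EventID><Computer>host01</Computer></System><EventData>"
        '<Data Name="UtcTime">2024-01-01 10:00:00.000</Data>'
        f'<Data Name="ImageLoaded">{image}</Data>'
        f'<Data Name="Hashes">SHA256={sha256},MD5={"1" * 32}</Data>'
        f'<Data Name="Signed">{signed}</Data>'
        f'<Data Name="Signature">{signature}</Data>'
        f'<Data Name="SignatureStatus">{status}</Data>'
        "</EventData></Event>"
    )


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    _sample("C:\\Windows\\System32\\drivers\\SysmonDrv.sys", "a" * 64, "true", "Valid", "Microsoft Windows"),
    _sample("C:\\Users\\Public\\tmp\\bad.sys", "b" * 64, "false", "Unavailable"),
    _sample("C:\\Windows\\System32\\drivers\\oldvendor.sys", "0" * 64, "true", "Valid"),
    _sample("C:\\Windows\\System32\\drivers\\expired.sys", "c" * 64, "true", "Expired"),
]


def demo():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for image, findings in demo():
        print(image, findings)
```

The legitimately signed driver in the first record produces no finding; the other three each trip one or more rules. In production the hash check is the rule that matters most for BYOVD, since the driver involved is signed and loaded from the normal directory, so a real blocklist (for example one fed from a vendor or community vulnerable-driver list) has to replace the placeholder.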

EDR Solutions

  • Use EDR tools to detect and alert on anomalous driver loading activity.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) | Attack Pattern | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) | Attack Pattern | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49) | Attack Pattern | 1 |
| Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) | Attack Pattern | Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) | Attack Pattern | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | LSASS Driver - T1547.008 (f0589bc3-a6ae-425a-a3d5-5659bfee07f4) | Attack Pattern | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) | Attack Pattern | 1 |
| Driver Load (3551476e-14f5-4e48-a518-e82135329e03) | mitre-data-component | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 1 |
| Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | 2 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |
| Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) | Attack Pattern | Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) | Attack Pattern | 2 |
| Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |
| Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) | Attack Pattern | Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) | Attack Pattern | 2 |
| LSASS Driver - T1547.008 (f0589bc3-a6ae-425a-a3d5-5659bfee07f4) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |