Driver

A computer program that operates or controls a particular type of device attached to a computer. A driver provides a software interface to the hardware, enabling the operating system and other programs to use the device without needing to know the precise details of the hardware in use[1][2].

ID: DS0027
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Driver: Driver Load

Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)

Domain       ID           Name
Enterprise   T1547        Boot or Logon Autostart Execution
             T1547.008    LSASS Driver
             T1547.012    Print Processors
Enterprise   T1561        Disk Wipe
             T1561.001    Disk Content Wipe
             T1561.002    Disk Structure Wipe
Enterprise   T1068        Exploitation for Privilege Escalation
Enterprise   T1056        Input Capture
             T1056.001    Keylogging
Enterprise   T1111        Two-Factor Authentication Interception

Driver: Driver Metadata

Contextual data about a driver and the activity around it, such as driver issue reporting or integrity checking (page hashes, code signing)

Domain       ID           Name
Enterprise   T1542        Pre-OS Boot
             T1542.002    Component Firmware
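As an added example covering both data components above (Driver Load and Driver Metadata), the following Python triages Sysmon Event ID 6 (DriverLoad) records: it checks where the image was loaded from, whether it is signed, whether Sysmon reports the signature as Valid and from a trusted publisher, and whether the SHA256 appears in a known-good allowlist. It is not code from ATT&CK or from Sysmon. The event records, the trusted directory and publisher lists, and the hash allowlist are all constructed for illustration and would be tuned per environment.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for suspicious driver loads.

Added example, not part of the ATT&CK page or of Sysmon itself. The events,
trusted-signer list and hash allowlist below are constructed placeholders.
"""
from typing import Dict, Iterable, List, Tuple

# Directories from which kernel drivers are normally loaded (assumption).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
    "c:\\windows\\system32\\",
)

# Publishers this hypothetical environment trusts for kernel drivers (lowercase).
TRUSTED_SIGNERS = {
    "microsoft windows",
    "microsoft windows hardware compatibility publisher",
}

# Known-good driver SHA256 values, e.g. taken from a golden image (constructed).
KNOWN_GOOD_SHA256 = {"aa" * 32}

# Constructed records shaped like Sysmon EID 6 EventData fields.
SAMPLE_EVENTS = [
    {   # benign: Microsoft driver from the drivers directory, hash allowlisted
        "EventID": 6, "UtcTime": "2021-11-10 09:12:01.100",
        "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
        "Hashes": "SHA256=" + "AA" * 32 + ",IMPHASH=" + "00" * 16,
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # unsigned driver loaded from a user-writable directory
        "EventID": 6, "UtcTime": "2021-11-10 09:15:44.230",
        "ImageLoaded": r"C:\Users\Public\Downloads\updater.sys",
        "Hashes": "SHA256=" + "BB" * 32,
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # validly signed by a third party, but not on the allowlist
        "EventID": 6, "UtcTime": "2021-11-10 09:20:10.005",
        "ImageLoaded": r"C:\Windows\System32\drivers\contoso_net.sys",
        "Hashes": "SHA256=" + "CC" * 32,
        "Signed": "true", "Signature": "Contoso Drivers Ltd", "SignatureStatus": "Valid",
    },
    {   # a user-mode ImageLoad (EID 7) record, ignored by the driver logic
        "EventID": 7, "UtcTime": "2021-11-10 09:21:00.000",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Hashes": "SHA256=" + "DD" * 32,
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
]


def parse_hashes(field: str) -> Dict[str, str]:
    """Split Sysmon's 'ALG=hex,ALG=hex' Hashes field into {ALG: lowercase hex}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip().lower()
    return out


def analyze_driver_load(event: Dict[str, object]) -> List[str]:
    """Return the reasons an EID 6 record looks suspicious (empty list if clean)."""
    reasons: List[str] = []
    if int(event.get("EventID", 0)) != 6:
        return reasons  # not a DriverLoad event
    image = str(event.get("ImageLoaded", "")).lower().replace("/", "\\")
    if not any(image.startswith(d) for d in TRUSTED_DIRS):
        reasons.append(f"driver loaded from unusual path: {event.get('ImageLoaded')}")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("driver image is not signed")
    elif event.get("SignatureStatus", "") != "Valid":
        reasons.append(f"signature status is {event.get('SignatureStatus')!r}, not Valid")
    elif str(event.get("Signature", "")).lower() not in TRUSTED_SIGNERS:
        reasons.append(f"signed by untrusted publisher: {event.get('Signature')!r}")
    # Metadata check: even a validly signed driver must match a known-good hash.
    sha256 = parse_hashes(str(event.get("Hashes", ""))).get("SHA256")
    if sha256 not in KNOWN_GOOD_SHA256:
        reasons.append("SHA256 not in known-good driver allowlist")
    return reasons


def triage(events: Iterable[Dict[str, object]]) -> List[Tuple[str, List[str]]]:
    """Return (ImageLoaded, reasons) for every record that raised at least one reason."""
    findings = []
    for ev in events:
        reasons = analyze_driver_load(ev)
        if reasons:
            findings.append((str(ev.get("ImageLoaded", "")), reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

The hash allowlist is the part that matters for the third record: a validly signed driver from a legitimate-looking path still fails, which is the case a signature-only check misses when the driver is a legitimately signed but unwanted or vulnerable one (the Exploitation for Privilege Escalation row above). In practice the allowlist would be generated from a golden image rather than hand-written, and the path and publisher lists widened to whatever your fleet actually loads.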

References