Tracking Driver Inventory to Expose Rootkits
Using driver inventory tracking and behavioral analysis to detect rootkits and malicious kernel-mode drivers.
Originally published on Red Canary Blog
Read the full article: Tracking Driver Inventory to Expose Rootkits
The Rootkit Problem
Rootkits operate at the kernel level, making them difficult to detect with traditional security tools. They can:
- Hide processes and files
- Intercept system calls
- Evade security software
- Persist through reboots
Detection Strategy
Instead of trying to detect rootkit behavior directly, we track driver inventory changes:
Baseline Driver Inventory
Maintain a known-good inventory of drivers on systems.
Monitor Driver Loads
Track when new drivers are loaded, especially:
- Unsigned drivers
- Drivers from unusual locations
- Drivers with suspicious metadata
- Drivers loaded at unusual times
Behavioral Analysis
Look for suspicious driver behavior:
- Hiding files or processes
- Intercepting system calls
- Modifying kernel structures
- Network activity from kernel mode
Key Indicators
Suspicious Driver Characteristics
- Missing or invalid signatures
- Unusual file paths
- Suspicious company names
- Modified system drivers
- Drivers loaded from temp directories
Behavioral Red Flags
- Driver loaded by non-system process
- Driver loaded at unusual time
- Driver with network capabilities
- Driver modifying other drivers
Detection Implementation
Sysmon Event ID 6 (DriverLoad)
Monitor driver load events for:
- Signature validation
- File path analysis
- Timing analysis
- Parent process validation
WMI Queries
Periodically enumerate loaded drivers and compare the result against the known-good baseline.
Behavioral Monitoring
Watch for rootkit-like behaviors even when no suspicious driver load has been observed.
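The Sysmon Event ID 6 checks and the baseline comparison above, combined into one scoring function as an added example (not code from the Red Canary post or the LOLDrivers project). The baseline hashes, the driver paths and the three event records are constructed for illustration; the field names (UtcTime, ImageLoaded, Hashes, Signed, SignatureStatus) are the ones Sysmon emits for Event ID 6.

```python
from datetime import datetime

# Constructed baseline: SHA256 of known-good drivers keyed by lowercase path.
BASELINE = {
    r"c:\windows\system32\drivers\tcpip.sys": "1111" * 16,
    r"c:\windows\system32\drivers\ndis.sys": "2222" * 16,
}
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Constructed Sysmon Event ID 6 (DriverLoad) records, as a SIEM would present them.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-05 09:12:44.117", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "1111" * 16, "Signed": "true", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-03-05 02:41:09.003", "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\svchost.sys",
     "Hashes": "SHA256=" + "dead" * 16, "Signed": "false", "SignatureStatus": "Unavailable"},
    {"UtcTime": "2024-03-05 10:00:00.000", "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "beef" * 16, "Signed": "true", "SignatureStatus": "Valid"},
]

def parse_hashes(field):
    """Turn Sysmon's 'SHA256=..,MD5=..' field into {'SHA256': '..', ...}."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {k.upper(): v.lower() for k, v in pairs}

def evaluate_driver_load(event, baseline=BASELINE, work_hours=(7, 19)):
    """Return the indicator names a single Event ID 6 record triggers."""
    findings = []
    path = event["ImageLoaded"].lower()
    if event.get("Signed", "false").lower() != "true":
        findings.append("unsigned")
    elif event.get("SignatureStatus") != "Valid":
        findings.append("invalid_signature")
    if not path.startswith(EXPECTED_DIRS):
        findings.append("unusual_path")
    if any(m in path for m in TEMP_MARKERS):
        findings.append("temp_directory")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if path not in baseline:
        findings.append("not_in_baseline")
    elif baseline[path] != sha256:
        findings.append("hash_changed")  # known path, unknown content: modified driver
    hour = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").hour
    if not work_hours[0] <= hour < work_hours[1]:
        findings.append("off_hours")
    return findings

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ImageLoaded"], "->", evaluate_driver_load(ev) or ["clean"])
```

A production version would populate BASELINE from a Win32_SystemDriver enumeration of a clean host and feed it the Event ID 6 stream from the SIEM; the indicator list per event is what an analyst would triage.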
This Led to LOLDrivers
This research eventually evolved into the LOLDrivers project, cataloging vulnerable and malicious drivers for the security community.
Read the full analysis: Tracking Driver Inventory to Expose Rootkits
Related Modules
LOLDrivers
Living Off The Land Drivers - A curated list of Windows drivers used by adversaries to bypass security controls. The definitive resource for vulnerable driver detection.