Windows Driver Inventory

name: Windows Driver Inventory
id: f87aa96b-369b-4a3e-9021-1bbacbfcb8fb
version: 7
date: '2026-02-25'
author: Michael Haag, Splunk
status: production
type: Hunting
description: The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.
data_source: []
search: |-
    `driverinventory`
      | stats values(Path) min(_time) as firstTime max(_time) as lastTime count
        BY host DriverType
      | rename host as dest
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_driver_inventory_filter`
how_to_implement: To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work.
known_false_positives: Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\drivers and look for non-standard paths.
references:
    - https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244
tags:
    analytic_story:
        - Windows Drivers
    asset_type: Endpoint
    mitre_attack_id:
        - T1068
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
    manual_test: Cannot be tested automatically, as it needs additional transforms and props to make the data ready.
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log
          source: PwSh:DriverInventory
          sourcetype: PwSh:DriverInventory