Live Active security incident? Get immediate response
MITRE ATT&CK® Data Component

DC0074: Driver Metadata

to contextual data about a driver, including its attributes, functionality, and activity. This can involve details such as the driver's origin, integrity, cryptographic signature, issues reported during its use, and runtime behavior. Examples include metadata captured during driver integrity checks, hash validation, or error reporting. Examples:

- Driver Signature Validation: A driver is validated to ensure it is signed by a trusted Certificate Authority (CA). - Driver Hash Verification: The hash of a driver is compared to a known good hash stored in a database. - Driver Compatibility Issues: A driver error is logged due to compatibility issues with a particular version of the operating system. - Vulnerable Driver Identification: Metadata indicates the driver version is outdated or contains a known vulnerability. - Monitoring Driver Integrity: Drivers are monitored for any unauthorized modifications to their binary or associated files.

This data component can be collected through the following measures:

Windows

- Windows Event Logs: - Event ID 3000-3006: Logs metadata about driver signature validation. - Event ID 2000-2011 (Windows Defender Application Control): Tracks driver integrity and policy enforcement. - Sysmon Logs: Configure Sysmon to capture driver loading metadata (Event ID 6). - Driver Verifier: Use Driver Verifier to collect diagnostic and performance data about drivers, including stability and compatibility metrics. - PowerShell: Use commands to retrieve metadata about installed drivers: `Get-WindowsDriver -Online | Select-Object Driver, ProviderName, Version`

Linux

- Auditd: Configure audit rules to monitor driver interactions and collect metadata: `auditctl -w /lib/modules/ -p rwxa -k driver_metadata` - dmesg: Use `dmesg` to extract kernel logs with driver metadata: `dmesg | grep "module"` - lsmod and modinfo: Commands to list loaded modules and retrieve metadata about drivers: `lsmod` | `modinfo `

macOS

- Unified Logs: Collect metadata from system logs about kernel extensions (kexts): `log show --predicate 'eventMessage contains "kext load"' --info` - kextstat: Command to retrieve information about loaded kernel extensions: `kextstat`

SIEM Tools

- Ingest Driver Metadata: Collect driver metadata logs from Sysmon, Auditd, or macOS logs into SIEMs like Splunk or Elastic.

Vulnerability Management Tools

- Use these tools to collect metadata about vulnerable drivers across enterprise systems.

EnterpriseDC0074Data ComponentObject v2.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Driver Metadata is a defensive evidence source for understanding whether low-level software components such as drivers or kernel modules are trusted, current, compatible, and behaving as expected. For leaders, its value is not a single alert; it is the ability to prove that endpoints and servers can identify unsigned, modified, outdated, vulnerable, or problematic drivers before they affect stability, security investigations, or vulnerability response.

Executive priority

Prioritize this data component where endpoint integrity, vulnerability management, audit evidence, or incident triage depend on knowing what drivers are present and whether they are signed, validated, or vulnerable. The business question is whether security and operations teams can quickly answer: which systems have untrusted or outdated drivers, which driver integrity checks failed, and whether that evidence is centrally available for SOC and IR use.

Technical view

ATT&CK does not provide a specific detection analytic for DC0074, so teams should validate collection coverage rather than assume alert coverage. Confirm ingestion of driver signature validation, hash verification, integrity enforcement, compatibility errors, vulnerable driver metadata, and runtime driver/module activity. Officially described sources include Windows Event Logs for driver signature validation and Windows Defender Application Control events, Sysmon Event ID 6 for driver loading metadata, Driver Verifier diagnostics, PowerShell driver inventory, Linux auditd monitoring of /lib/modules/, dmesg module messages, lsmod/modinfo output, macOS Unified Logs for kext load messages, kextstat output, SIEM ingestion, and vulnerability management tooling.

Likely telemetry

  • Windows driver signature validation events, including Event IDs 3000-3006
  • Windows Defender Application Control driver integrity and policy enforcement events, including Event IDs 2000-2011
  • Sysmon driver loading metadata, including Event ID 6
  • Driver Verifier diagnostic, stability, compatibility, and performance data
  • PowerShell-based installed driver inventory such as driver name, provider, and version

Detection direction

  • Start by confirming that driver metadata is collected centrally and retained long enough to support incident response and vulnerability investigations.
  • Tune detections around changes in driver trust state, failed signature validation, integrity policy enforcement, unexpected driver loading metadata, unauthorized modification indicators, and driver versions associated with known vulnerability findings.
  • Correlate driver metadata with asset inventory and vulnerability management data so teams can distinguish expected vendor drivers from outdated, incompatible, or unapproved components.
  • Account for false positives from legitimate driver updates, operating system upgrades, hardware changes, compatibility troubleshooting, and administrative diagnostics.
  • Validate OS-specific blind spots: Windows environments may rely on event forwarding and Sysmon configuration; Linux coverage may depend on auditd rules and module logging; macOS coverage may depend on Unified Log and kext inventory collection.

Mitigation priorities

  • Establish an authoritative baseline of approved drivers, providers, versions, signatures, and hashes for managed systems.
  • Centralize driver metadata collection into the SIEM or comparable logging platform from the official sources available in the environment.
  • Integrate vulnerability management results so outdated or vulnerable driver versions can be prioritized alongside other remediation work.
  • Use integrity validation and policy enforcement evidence to support endpoint hardening, audit readiness, and incident response decisions.
  • Create operational exceptions for legitimate compatibility issues or vendor updates, but require ownership, expiration, and review.
Analyst notes and limits

This object is a data component, not a technique, and no tactics, platforms, aliases, labels, relationships, or official detection analytics were supplied. Its main decision value is coverage assurance: whether the organization can observe and reason about driver origin, integrity, signature status, version, vulnerability state, compatibility issues, and runtime behavior.

This take is limited to the supplied ATT&CK fields and external reference for DC0074. It does not assert adversary use, active exploitation, attribution, business impact, or guaranteed detection. Local operating systems, logging configuration, EDR/SIEM coverage, vulnerability data quality, and asset ownership determine practical usefulness.

Official MITRE ATT&CK definition

Driver Metadata

to contextual data about a driver, including its attributes, functionality, and activity. This can involve details such as the driver's origin, integrity, cryptographic signature, issues reported during its use, and runtime behavior. Examples include metadata captured during driver integrity checks, hash validation, or error reporting. Examples:

- Driver Signature Validation: A driver is validated to ensure it is signed by a trusted Certificate Authority (CA). - Driver Hash Verification: The hash of a driver is compared to a known good hash stored in a database. - Driver Compatibility Issues: A driver error is logged due to compatibility issues with a particular version of the operating system. - Vulnerable Driver Identification: Metadata indicates the driver version is outdated or contains a known vulnerability. - Monitoring Driver Integrity: Drivers are monitored for any unauthorized modifications to their binary or associated files.

This data component can be collected through the following measures:

Windows

- Windows Event Logs: - Event ID 3000-3006: Logs metadata about driver signature validation. - Event ID 2000-2011 (Windows Defender Application Control): Tracks driver integrity and policy enforcement. - Sysmon Logs: Configure Sysmon to capture driver loading metadata (Event ID 6). - Driver Verifier: Use Driver Verifier to collect diagnostic and performance data about drivers, including stability and compatibility metrics. - PowerShell: Use commands to retrieve metadata about installed drivers: `Get-WindowsDriver -Online | Select-Object Driver, ProviderName, Version`

Linux

- Auditd: Configure audit rules to monitor driver interactions and collect metadata: `auditctl -w /lib/modules/ -p rwxa -k driver_metadata` - dmesg: Use `dmesg` to extract kernel logs with driver metadata: `dmesg | grep "module"` - lsmod and modinfo: Commands to list loaded modules and retrieve metadata about drivers: `lsmod` | `modinfo `

macOS

- Unified Logs: Collect metadata from system logs about kernel extensions (kexts): `log show --predicate 'eventMessage contains "kext load"' --info` - kextstat: Command to retrieve information about loaded kernel extensions: `kextstat`

SIEM Tools

- Ingest Driver Metadata: Collect driver metadata logs from Sysmon, Auditd, or macOS logs into SIEMs like Splunk or Elastic.

Vulnerability Management Tools

- Use these tools to collect metadata about vulnerable drivers across enterprise systems.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.1
Created
Modified
Raw hash
7abb469fe075b621...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.1 Current bundle 7abb469fe075…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DC0074
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use