AN1595: Analytic 1595
Monitor for suspicious usage of driver enumeration utilities (driverquery.exe) or API calls such as EnumDeviceDrivers(). Registry queries against HKLM\SYSTEM\CurrentControlSet\Services and HardwareProfiles that are abnormal may also indicate attempts to discover installed drivers and services. Correlate command execution, process creation, and registry access to build a behavioral chain of driver discovery.
Analyst context for executives and security teams
This analytic is about spotting Windows activity that looks like discovery of installed drivers and services. For leaders, the practical value is readiness: if an incident involves suspicious driver or service discovery, teams need enough endpoint, process, and registry visibility to reconstruct whether it was normal administration or part of a broader behavioral chain.
Executive priority
Prioritize this as a Windows endpoint visibility and investigation-quality control, not as a standalone risk signal. Security leaders should ask whether SOC and IR teams can prove who ran driver enumeration utilities, what process launched them, and whether unusual registry access to driver/service locations occurred. This supports incident decision-making, audit evidence for monitoring coverage, and control prioritization around endpoint logging and registry visibility.
Technical view
Validate monitoring for suspicious use of driverquery.exe, API-driven driver enumeration such as EnumDeviceDrivers(), and abnormal registry queries against HKLM\SYSTEM\CurrentControlSet\Services and HardwareProfiles. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavioral analytic that should be correlated with command execution, process creation, and registry access rather than alerted on in isolation.
Likely telemetry
- Windows process creation events, including command line where available
- Command execution records for driverquery.exe
- Endpoint telemetry that can expose API-based driver enumeration, where available
- Windows registry access/query telemetry for HKLM\SYSTEM\CurrentControlSet\Services
- Windows registry access/query telemetry for HardwareProfiles
Detection direction
- Confirm that process creation and command-line logging are available on Windows systems in scope.
- Test whether registry query telemetry is collected for the specified service and hardware profile paths. Note that Sysmon registry events cover key creation, deletion, value writes, and renames, not reads; reads of these keys only appear in Windows Security Event ID 4663 when object access auditing is enabled and a SACL is set on the key.
- Tune for abnormality rather than mere presence, because driver and service enumeration can be legitimate administrative behavior.
- Correlate process execution, parent process, user context, host role, and registry access to build a behavioral chain.
- Account for blind spots where API calls such as EnumDeviceDrivers() are not visible in standard logs.
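A worked correlation of the points above, added here as an example; it is not code from this page, from MITRE, or from Glexia. It runs over constructed records shaped like Sysmon Event ID 1 (process creation) and Windows Security Event ID 4663 (registry object access): driverquery.exe launches and reads of the named registry paths are attributed to the process that drove them, grouped per host and actor within a ten-minute window, checked against an assumed local baseline of sanctioned inventory jobs, and scored by how many distinct indicator kinds the chain contains. The baseline tuple, the Office-parent bonus, the window length, and every host, user, and path in the sample are assumptions.

```python
"""Correlate constructed process-creation and registry-access records into a
driver-discovery chain. Added example; not part of the original page or of ATT&CK."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Registry locations named by the analytic, normalized (lower-case, spaces removed) so
# "Hardware Profiles" and "HardwareProfiles" both match. Values are indicator kinds.
WATCHED_KEYS = {
    "hklm\\system\\currentcontrolset\\services": "registry_services",
    "hklm\\system\\currentcontrolset\\hardwareprofiles": "registry_hwprofiles",
}
ENUM_UTILITIES = {"driverquery.exe"}
# Assumed local baseline: (host, user, launching image) tuples for sanctioned inventory jobs.
EXPECTED_ADMIN = {("SRV01", "NT AUTHORITY\\SYSTEM", "agent.exe")}
# Assumed: a shell or script host spawned by an Office application raises the score by one.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "outlook.exe"}
WINDOW = timedelta(minutes=10)  # indicators from one actor inside this window form one chain


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


@dataclass
class Chain:
    host: str
    actor_pid: int        # process that launched driverquery or read the watched key
    actor_image: str
    actor_parent: str     # the actor's own parent image, i.e. its lineage
    user: str
    first_ts: datetime
    baseline: bool = False
    kinds: set[str] = field(default_factory=set)
    evidence: list[tuple[str, str, str]] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.kinds) + (1 if _base(self.actor_parent) in OFFICE_HOSTS else 0)


def correlate(events: list[dict]) -> list[Chain]:
    """Build one Chain per (host, actor pid) from process and registry records."""
    procs: dict[tuple[str, int], dict] = {}   # (host, pid) -> process-creation record
    chains: dict[tuple[str, int], Chain] = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, host = datetime.fromisoformat(e["ts"]), e["host"]
        if e["id"] == 1:                       # Sysmon-style process creation
            procs[(host, e["pid"])] = e
            if _base(e["image"]) not in ENUM_UTILITIES:
                continue
            kind, actor_pid, detail = "driverquery", e["ppid"], e["cmdline"]
        elif e["id"] == 4663:                  # Security-log-style registry object access
            norm = e["key"].lower().replace(" ", "")
            kind = next((k for p, k in WATCHED_KEYS.items() if norm.startswith(p)), None)
            if kind is None:
                continue
            actor_pid, detail = e["pid"], e["key"]
        else:
            continue
        # Prefer the actor's own creation record; fall back to what the trigger event says.
        actor = procs.get((host, actor_pid)) or {
            "image": e.get("parent", e["image"]), "parent": "", "user": e["user"]}
        chain = chains.get((host, actor_pid))
        if chain is None or ts - chain.first_ts > WINDOW:
            chain = Chain(host, actor_pid, actor["image"], actor["parent"], actor["user"], ts)
            chain.baseline = (host, actor["user"], _base(actor["image"])) in EXPECTED_ADMIN
            chains[(host, actor_pid)] = chain
        chain.kinds.add(kind)
        chain.evidence.append((e["ts"], kind, detail))
    return list(chains.values())


def alerts(events: list[dict], threshold: int = 2) -> list[Chain]:
    """Chains worth an alert: outside the baseline and scoring at least `threshold`."""
    return [c for c in correlate(events) if not c.baseline and c.score >= threshold]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"ts": "2024-05-01T02:00:00", "host": "SRV01", "id": 1, "pid": 380, "ppid": 600, "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Program Files\\InvAgent\\agent.exe", "parent": "C:\\Windows\\System32\\services.exe",
     "cmdline": "agent.exe --inventory"},
    {"ts": "2024-05-01T02:00:01", "host": "SRV01", "id": 1, "pid": 410, "ppid": 380, "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\driverquery.exe", "parent": "C:\\Program Files\\InvAgent\\agent.exe",
     "cmdline": "driverquery.exe /v /fo csv"},
    {"ts": "2024-05-01T09:14:00", "host": "WS07", "id": 1, "pid": 2100, "ppid": 1500, "user": "CORP\\jdoe",
     "image": WORD, "parent": "C:\\Windows\\explorer.exe", "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"ts": "2024-05-01T09:14:05", "host": "WS07", "id": 1, "pid": 2200, "ppid": 2100, "user": "CORP\\jdoe",
     "image": PS, "parent": WORD, "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"ts": "2024-05-01T09:14:07", "host": "WS07", "id": 1, "pid": 2210, "ppid": 2200, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\driverquery.exe", "parent": PS, "cmdline": "driverquery.exe /v"},
    {"ts": "2024-05-01T09:14:09", "host": "WS07", "id": 4663, "pid": 2200, "user": "CORP\\jdoe", "image": PS,
     "key": "HKLM\\System\\CurrentControlSet\\Services"},
    {"ts": "2024-05-01T09:14:10", "host": "WS07", "id": 4663, "pid": 2200, "user": "CORP\\jdoe", "image": PS,
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current"},
    {"ts": "2024-05-01T09:14:11", "host": "WS07", "id": 4663, "pid": 2200, "user": "CORP\\jdoe", "image": PS,
     "key": "HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security"},   # not a watched path
    {"ts": "2024-05-01T11:30:00", "host": "WS12", "id": 1, "pid": 3010, "ppid": 3000, "user": "CORP\\admin1",
     "image": "C:\\Windows\\System32\\reg.exe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "reg.exe query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler"},
    {"ts": "2024-05-01T11:30:01", "host": "WS12", "id": 4663, "pid": 3010, "user": "CORP\\admin1",
     "image": "C:\\Windows\\System32\\reg.exe", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler"},
]

if __name__ == "__main__":
    for c in alerts(SAMPLE_EVENTS):
        print(c.host, c.actor_pid, c.user, sorted(c.kinds), "score", c.score, c.evidence)
```

Run as-is it reports one chain: on WS07, a PowerShell process under WINWORD.EXE launched driverquery.exe and then read both watched keys (three indicator kinds plus the Office-parent bonus). The SRV01 inventory job is built as a chain but suppressed by the baseline, and the lone reg.exe query on WS12 stays below the threshold. Nothing in this chain would appear for a process that only calls EnumDeviceDrivers(): that path produces neither a child process nor a registry read, so it needs EDR API visibility that these records do not carry.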
Mitigation priorities
- Establish baseline visibility for Windows process creation, command line, and registry access before relying on this analytic operationally.
- Define expected administrative and inventory use cases for driverquery.exe and driver/service registry queries.
- Restrict and monitor administrative tooling usage according to existing endpoint hardening and least-privilege practices.
- Ensure incident response playbooks include collection of process lineage, user context, registry access evidence, and host role when this behavior appears.
- Use the analytic as a coverage validation item for managed detection or SOC readiness rather than as a standalone prevention control.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Windows and provides a descriptive monitoring concept but no official detection block, tactic, technique relationship, or related threat context. The strongest use is to validate whether defenders can correlate driver enumeration utilities, API-based enumeration indicators, and registry access into an investigation-ready chain.
Assessment is limited to the official STIX fields, the single external reference, and the absence of any supplied relationships. No active exploitation, attribution, impact, guaranteed detection coverage, or non-Windows platform relevance can be inferred from this object alone. Local baselines are required to determine what is abnormal.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources and Updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a5e5bebf6011… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1595
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.