Living Off The Land Drivers

Living-off-the-land drivers are becoming a growing blind spot in modern defense. This post introduces LOLDrivers, a centralized resource that catalogs vulnerable and malicious Windows drivers so teams can detect and mitigate abuse faster.

January 13, 2025 · 4 min read

[Image: Cybersecurity dashboard from LOLDrivers displaying information on malicious Windows drivers]

Today, we are excited to announce the release of the Living Off The Land Drivers project. This project aims to consolidate as many vulnerable and malicious drivers as possible into a single location, making it accessible for everyone to find and learn from. This invaluable resource empowers organizations to better understand and mitigate driver-related security risks. Drivers are an integral part of a computer’s operation, and vulnerabilities or malicious drivers can pose significant security risks. Monitoring drivers enables you to detect potential threats early, allowing you to take prompt action to address vulnerabilities, remove malicious drivers, and minimize the risk of exploitation.

Additional background on this topic may be found in my SANS DFIR Summit talk titled Hunting Windows U-Boats with Cyber Depth Charges.

Introducing — LOLDrivers.io

Visiting loldrivers.io presents the landing page, where you can filter the driver table below or use the search box at the top right.

In addition, you can download the full list as a CSV or JSON file, as well as a Sysmon configuration file and a Sigma rule for detection.

Why is this important?

The Living Off The Land Drivers (LOLDrivers) project is a game-changer in the world of cybersecurity and system stability for several reasons:

  1. Centralized resource: LOLDrivers brings together vulnerable and malicious drivers in one convenient location, making it easier than ever for security professionals, researchers, and organizations to identify and learn about driver-related threats.
  2. Enhanced awareness: This project shines a light on the importance of driver-related security risks, emphasizing the need for organizations to be proactive in monitoring and addressing potential vulnerabilities in their systems.
  3. Risk mitigation: LOLDrivers equips organizations with valuable insights into driver vulnerabilities and malicious drivers, enabling them to understand the risks they face and implement effective measures to mitigate them, ultimately reducing the likelihood of successful exploitation by threat actors.
  4. Improved security posture: With the knowledge provided by LOLDrivers, organizations can bolster their overall cybersecurity posture by proactively addressing driver-related risks.
  5. Community-driven: The project fosters a spirit of collaboration and knowledge sharing within the cybersecurity community, encouraging a united effort to stay one step ahead of emerging threats and vulnerabilities related to drivers.

In a nutshell, the LOLDrivers project is an optimistic force for change, centralizing information on driver-related risks, raising awareness, facilitating risk mitigation, enhancing security posture, and promoting collaboration within the cybersecurity community.

Tell us more!

Verified, Not Verified

While working with the Microsoft Block List, we found that some hashes are not present on VirusTotal or Google. We therefore added a verified key (True|False) to the YAML: if the hash is available on VirusTotal, the field is set to TRUE; otherwise it is set to FALSE.

[Images: the Verified and Not Verified badges shown on the site]

Categories

Categories were introduced as a way to track different types of drivers. We plan to add more categories as the project progresses.

Vulnerable driver:

A vulnerable driver is a software component that manages the communication between a computer’s operating system and its hardware devices but contains weaknesses or flaws that can be exploited by malicious actors. These vulnerabilities may arise from programming errors, insufficient input validation, or improper security measures, among other factors.

Examples include capcom.sys and asrdrv10.sys.

Malicious driver:

A malicious driver is a software component designed to manage communication between a computer’s operating system and its hardware devices, but with a hidden, harmful intent. Unlike vulnerable drivers, which contain unintentional flaws or weaknesses, malicious drivers are intentionally crafted by threat actors to compromise systems, steal sensitive information, or perform other malicious activities.

We see this consistently with campaigns like Daxin and other targeted attacks. Examples include gtfkyj64.sys and wantd.sys.

Other categories we plan to add as the project grows include:

  • Experimental Drivers
  • Compromised Certificates
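The verified flag and the category field above are what a defender would key on when turning the list into a detection. The following is an added example, not the project's own code or its published schema: it loads a constructed export in a LOLDrivers-like shape (the field names Tags, Category, Verified, KnownVulnerableSamples and SHA256 are assumptions), keeps only verified hashes by default, and matches them against a constructed inventory of loaded drivers. The hashes are SHA-256 digests of placeholder byte strings, not real driver hashes.

```python
import hashlib
import json
from typing import Dict, List

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; used to build the constructed sample hashes."""
    return hashlib.sha256(data).hexdigest()

# Constructed placeholders standing in for driver file contents.
FAKE_CAPCOM = b"constructed bytes standing in for capcom.sys"
FAKE_WANTD = b"constructed bytes standing in for wantd.sys"
FAKE_UNVERIFIED = b"constructed bytes standing in for an unverified entry"

# Constructed export. Field names are assumptions, not the real LOLDrivers schema.
SAMPLE_EXPORT = json.dumps([
    {"Tags": ["capcom.sys"], "Category": "vulnerable driver", "Verified": "TRUE",
     "KnownVulnerableSamples": [{"SHA256": sha256_hex(FAKE_CAPCOM)}]},
    {"Tags": ["wantd.sys"], "Category": "malicious", "Verified": True,
     "KnownVulnerableSamples": [{"SHA256": sha256_hex(FAKE_WANTD)}]},
    {"Tags": ["unknown.sys"], "Category": "vulnerable driver", "Verified": "FALSE",
     "KnownVulnerableSamples": [{"SHA256": sha256_hex(FAKE_UNVERIFIED)}]},
])

def is_verified(value) -> bool:
    """The post says to mark the field TRUE/FALSE, so accept both a YAML/JSON
    boolean and the string form in either case."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"

def build_blocklist(export_json: str, require_verified: bool = True) -> Dict[str, dict]:
    """Map lowercase SHA-256 -> {"name", "category"} for every listed sample.
    With require_verified=True, hashes not confirmed on VirusTotal are skipped
    so every hash in the list can be re-checked by an analyst."""
    blocklist: Dict[str, dict] = {}
    for entry in json.loads(export_json):
        if require_verified and not is_verified(entry.get("Verified")):
            continue
        name = (entry.get("Tags") or ["<unnamed>"])[0]
        for sample in entry.get("KnownVulnerableSamples", []):
            digest = str(sample.get("SHA256", "")).lower()
            if digest:
                blocklist[digest] = {"name": name, "category": entry.get("Category", "")}
    return blocklist

def match_loaded_drivers(blocklist: Dict[str, dict], loaded: List[dict]) -> List[dict]:
    """Compare an inventory of loaded drivers (path + sha256, as an EDR or a
    Sysmon driver-load event would report) against the blocklist."""
    findings = []
    for drv in loaded:
        hit = blocklist.get(drv["sha256"].lower())
        if hit:
            findings.append({"path": drv["path"], **hit})
    return findings
```

Feeding the real CSV or JSON export through build_blocklist would require adjusting the field names to the project's actual schema.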

Contributing

We’ve collected the vast majority of known drivers that are vulnerable, but we need your help in curating the rest that may be out there lurking in the shadows.

Contributions are easy! We have a YAML template that is direct and easy to follow. YAML is designed to be easily readable and writable, making it a user-friendly choice for various applications. To further simplify the process, we’ve developed a straightforward Streamlit App that enables you to create YAML files quickly and effortlessly, promoting seamless contributions to the project.

Written by

Michael Haag

Threat Researcher

In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to the digital threats, I anticipate them, ensuring that the digital realm remains sovereign.

© 2025 MagicSword. All rights reserved.