Query Details

LOL Driver Usage

Query

let LolDriverSHA1 = externaldata(SHA1: string)[@"https://raw.githubusercontent.com/magicsword-io/LOLDrivers/main/detections/hashes/authentihash_samples.sha1"] with (format="txt", ignoreFirstRecord=False);
// Combine results to get ImageLoads, FileActions and Process Events
union isfuzzy=true
(DeviceFileEvents
| where SHA1 in~ (LolDriverSHA1)),
(DeviceProcessEvents
| where InitiatingProcessSHA1 in~ (LolDriverSHA1) or SHA1 in~ (LolDriverSHA1)),
(DeviceImageLoadEvents
| where SHA1 in (LolDriverSHA1))
| project-reorder Timestamp, DeviceName, FolderPath, ProcessCommandLine

About this query

Explanation

This query is designed to detect potentially malicious activities related to "LOL drivers" (Living Off the Land drivers) on Windows systems. These drivers are known to be used by attackers to bypass security measures and execute attacks. The query pulls data from three different tables: DeviceFileEvents, DeviceProcessEvents, and DeviceImageLoadEvents. It checks for any actions involving drivers whose SHA1 hashes match those listed in a curated list of known malicious drivers, which is sourced from an external file on GitHub.

Here's a simple breakdown of what the query does:

  1. Load Malicious Driver Hashes: It first loads a list of SHA1 hashes of known malicious drivers from an external source.

  2. Check for File Events: It searches the DeviceFileEvents table for any file events involving these malicious drivers.

  3. Check for Process Events: It looks into the DeviceProcessEvents table to find any processes that were initiated by or involve these malicious drivers.

  4. Check for Image Load Events: It examines the DeviceImageLoadEvents table for any instances where these drivers were loaded into memory.

  5. Combine Results: It combines the results from all three tables to provide a comprehensive view of any interactions with these malicious drivers.

  6. Output: The query outputs relevant details such as timestamps, device names, folder paths, and command lines associated with these events, helping security professionals identify and mitigate potential threats.

The query is executed in both Defender XDR and Sentinel environments, with slight differences in the field names used for timestamps.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceFileEventsDeviceProcessEventsDeviceImageLoadEvents

Keywords

DeviceFileEventsProcessImageLoadTimestampNameFolderPathCommandLineTimeGenerated

Operators

letexternaldatawithunionisfuzzywherein~orinproject-reorder

Actions

GitHub