LOL Driver Usage
Query
let LolDriverSHA1 = externaldata(SHA1: string)[@"https://raw.githubusercontent.com/magicsword-io/LOLDrivers/main/detections/hashes/authentihash_samples.sha1"] with (format="txt", ignoreFirstRecord=False);
// Combine results to get ImageLoads, FileActions and Process Events
union isfuzzy=true
(DeviceFileEvents
| where SHA1 in~ (LolDriverSHA1)),
(DeviceProcessEvents
| where InitiatingProcessSHA1 in~ (LolDriverSHA1) or SHA1 in~ (LolDriverSHA1)),
(DeviceImageLoadEvents
| where SHA1 in (LolDriverSHA1))
| project-reorder Timestamp, DeviceName, FolderPath, ProcessCommandLineAbout this query
Explanation
This query is designed to detect potentially malicious activities related to "LOL drivers" (Living Off the Land drivers) on Windows systems. These drivers are known to be used by attackers to bypass security measures and execute attacks. The query pulls data from three different tables: DeviceFileEvents, DeviceProcessEvents, and DeviceImageLoadEvents. It checks for any actions involving drivers whose SHA1 hashes match those listed in a curated list of known malicious drivers, which is sourced from an external file on GitHub.
Here's a simple breakdown of what the query does:
-
Load Malicious Driver Hashes: It first loads a list of SHA1 hashes of known malicious drivers from an external source.
-
Check for File Events: It searches the
DeviceFileEventstable for any file events involving these malicious drivers. -
Check for Process Events: It looks into the
DeviceProcessEventstable to find any processes that were initiated by or involve these malicious drivers. -
Check for Image Load Events: It examines the
DeviceImageLoadEventstable for any instances where these drivers were loaded into memory. -
Combine Results: It combines the results from all three tables to provide a comprehensive view of any interactions with these malicious drivers.
-
Output: The query outputs relevant details such as timestamps, device names, folder paths, and command lines associated with these events, helping security professionals identify and mitigate potential threats.
The query is executed in both Defender XDR and Sentinel environments, with slight differences in the field names used for timestamps.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators