Defender for Endpoint - AsrVulnerableSignedDriverBlocked - LolDrivers Lookup
MDE Asr Vulnerable Signed Driver Blocked
Query
let LOLDrivers = externaldata (Category:string, KnownVulnerableSamples:dynamic, Verified:string ) [h@"https://www.loldrivers.io/api/drivers.json"]
with (format=multijson, ingestionMapping='[{"Column":"Category","Properties":{"Path":"$.Category"}},{"Column":"KnownVulnerableSamples","Properties":{"Path":"$.KnownVulnerableSamples"}},{"Column":"Verified","Properties":{"Path":"$.Verified"}}]')
| mv-expand KnownVulnerableSamples
| extend SHA1 = tostring(KnownVulnerableSamples.SHA1), SHA256 = tostring(KnownVulnerableSamples.SHA256)
;
DeviceEvents
| where ActionType == @"AsrVulnerableSignedDriverBlocked"
| project Timestamp, DeviceName, FileName, SHA256,SHA1, FolderPath
| join kind=inner (LOLDrivers | where isnotempty(SHA256)) on SHA256
| union (
DeviceEvents
| where ActionType == @"AsrVulnerableSignedDriverBlocked"
| join kind=inner (LOLDrivers | where isnotempty(SHA1)) on SHA1
)About this query
Explanation
This KQL query is designed to detect and analyze events related to vulnerable signed drivers that have been blocked by Microsoft Defender for Endpoint. Here's a simplified breakdown of what the query does:
-
Data Source: It pulls data from an external dataset called LOLDrivers, which contains information about known vulnerable drivers. This dataset is accessed via a JSON API.
-
Data Expansion: The query expands the list of known vulnerable samples from the LOLDrivers dataset to extract SHA1 and SHA256 hash values for each driver.
-
Event Filtering: It filters events from the
DeviceEventstable where the action type isAsrVulnerableSignedDriverBlocked. This action type indicates that a potentially harmful signed driver was blocked by the system. -
Data Joining: The query performs an inner join between the filtered
DeviceEventsand the LOLDrivers data based on the SHA256 hash values. If there are events with missing SHA256 values, it performs another join using SHA1 hash values. -
Output: The result is a combined dataset that shows which blocked driver events correspond to known vulnerable drivers from the LOLDrivers dataset. This helps in identifying and understanding potential security threats from vulnerable drivers.
Overall, the query is used to enhance security monitoring by correlating blocked driver events with a known list of vulnerable drivers, aiding in the detection and prevention of privilege escalation attacks.
