Living Off The Land Drivers

Michael Haag
magicswordio
5 min read, Apr 5, 2023


Today, we are excited to announce the release of the Living Off The Land Drivers project. This project aims to consolidate as many vulnerable and malicious drivers as possible into a single location, making it accessible for everyone to find and learn from. This invaluable resource empowers organizations to better understand and mitigate driver-related security risks. Drivers are an integral part of a computer’s operation, and vulnerabilities or malicious drivers can pose significant security risks. Monitoring drivers enables you to detect potential threats early, allowing you to take prompt action to address vulnerabilities, remove malicious drivers, and minimize the risk of exploitation.

Additional background on this topic may be found in my SANS DFIR Summit talk titled Hunting Windows U-Boats with Cyber Depth Charges.

Introducing — LOLDrivers.io

loldrivers.io

Visiting loldrivers.io presents the landing page, where you can filter the drivers in the table or search at the top right.

In addition, you can download the data as CSV or JSON, along with a Sysmon configuration file and a Sigma rule.

Why is this important?

The Living Off The Land Drivers (LOLDrivers) project is a game-changer in the world of cybersecurity and system stability for several reasons:

  1. Centralized resource: LOLDrivers brings together vulnerable and malicious drivers in one convenient location, making it easier than ever for security professionals, researchers, and organizations to identify and learn about driver-related threats.
  2. Enhanced awareness: This project shines a light on the importance of driver-related security risks, emphasizing the need for organizations to be proactive in monitoring and addressing potential vulnerabilities in their systems.
  3. Risk mitigation: LOLDrivers equips organizations with valuable insights into driver vulnerabilities and malicious drivers, enabling them to understand the risks they face and implement effective measures to mitigate them, ultimately reducing the likelihood of successful exploitation by threat actors.
  4. Improved security posture: With the knowledge provided by LOLDrivers, organizations can bolster their overall cybersecurity posture by proactively addressing driver-related risks.
  5. Community-driven: The project fosters a spirit of collaboration and knowledge sharing within the cybersecurity community, encouraging a united effort to stay one step ahead of emerging threats and vulnerabilities related to drivers.

In a nutshell, the LOLDrivers project is an optimistic force for change, centralizing information on driver-related risks, raising awareness, facilitating risk mitigation, enhancing security posture, and promoting collaboration within the cybersecurity community.

Tell us more!

Verified, Not Verified

While working with the Microsoft Block List, we found that some hashes are not present on VirusTotal or Google. Therefore, we created the Verified True|False key in the YAML: if a hash is available on VirusTotal, the field is marked TRUE; otherwise it is marked FALSE.

Categories

The Categories field was introduced as a way to track different types of drivers. We plan to add more categories as we progress.

Vulnerable driver:

A vulnerable driver is a software component that manages the communication between a computer’s operating system and its hardware devices but contains weaknesses or flaws that can be exploited by malicious actors. These vulnerabilities may arise from programming errors, insufficient input validation, or improper security measures, among other factors.

Examples include capcom.sys and asrdrv10.sys.

Malicious driver:

A malicious driver is a software component designed to manage communication between a computer’s operating system and its hardware devices, but with a hidden, harmful intent. Unlike vulnerable drivers, which contain unintentional flaws or weaknesses, malicious drivers are intentionally crafted by threat actors to compromise systems, steal sensitive information, or perform other malicious activities.

We see this consistently with campaigns like Daxin and other targeted attacks. Examples include gtfkyj64.sys and wantd.sys.

Other categories we plan to add as we grow include:

  • Experimental Drivers
  • Compromised Certificates

Contributing

We’ve collected the vast majority of known drivers that are vulnerable, but we need your help in curating the rest that may be out there lurking in the shadows.

Contributions are easy! We have a YAML template that is direct and easy to follow. YAML is designed to be easily readable and writable, making it a user-friendly choice for various applications. To further simplify the process, we’ve developed a straightforward Streamlit App that enables you to create YAML files quickly and effortlessly, promoting seamless contributions to the project.

Name: blacklotus_driver.sys
Author: Michael Haag
Created: '2023-04-05'
MitreID: T1068
Category: malicious
Verified: 'TRUE'
Commands:
  Command: 'sc.exe create blacklotus_driver.sys binPath=C:\windows\temp\blacklotus_driver.sys type=kernel

    sc.exe start blacklotus_driver.sys'
  Description: The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality. Once the persistence is configured, the BlackLotus bootkit is executed on every system start. The bootkit's goal is to deploy a kernel driver and a final user-mode component.
  Usecase: Elevate privileges
  Privileges: kernel
  OperatingSystem: Windows 10
Resources:
  - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
Acknowledgement:
  Person: 'Martin Smolár, ESET'
  Handle: ''
Detection: []
KnownVulnerableSamples:
  - Filename: 0x3440_blacklotus_v2_driver.sys
    MD5: '4ad8fd9e83d7200bd7f8d0d4a9abfb11'
    SHA1: '17fa047c1f979b180644906fe9265f21af5b0509'
    SHA256: '749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c'
    Signature:
      - '-'
    Date: ''
    Publisher: ''
    Company: ''
    Description: ''
    Product: ''
    ProductVersion: ''
    FileVersion: ''
    MachineType: ''
    OriginalFilename: ''
  - Filename: 0x3040_blacklotus_beta_driver.sys
    MD5: a42249a046182aaaf3a7a7db98bfa69d
    SHA1: 1f3799fed3cf43254fe30dcdfdb8dc02d82e662b
    SHA256: f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae
    Signature:
      - '-'
    Date: ''
    Publisher: ''
    Company: ''
    Description: ''
    Product: ''
    ProductVersion: ''
    FileVersion: ''
    MachineType: ''
    OriginalFilename: ''
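As an added example (not the project's code and not part of the original post), the following Python check validates an entry shaped like the template above and turns its sample hashes into a Sysmon DriverLoad include rule, the kind of export the site offers. The entry is transcribed into a dict rather than parsed from YAML so the snippet needs no third-party library; the 'vulnerable driver' category string and the Sysmon schema version are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The BlackLotus entry from the template above, transcribed into a dict
# (only the fields this check needs; hash values are the post's own).
ENTRY = {
    "Name": "blacklotus_driver.sys",
    "Category": "malicious",
    "Verified": "TRUE",
    "KnownVulnerableSamples": [
        {"Filename": "0x3440_blacklotus_v2_driver.sys", "MD5": "4ad8fd9e83d7200bd7f8d0d4a9abfb11",
         "SHA1": "17fa047c1f979b180644906fe9265f21af5b0509",
         "SHA256": "749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c"},
        {"Filename": "0x3040_blacklotus_beta_driver.sys", "MD5": "a42249a046182aaaf3a7a7db98bfa69d",
         "SHA1": "1f3799fed3cf43254fe30dcdfdb8dc02d82e662b",
         "SHA256": "f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae"},
    ],
}
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64}  # hex digits per algorithm
# "malicious" comes from the template; "vulnerable driver" is assumed from the category heading.
CATEGORIES = {"vulnerable driver", "malicious"}

def validate_entry(entry):
    """Return a list of schema problems; an empty list means the entry is clean."""
    problems = []
    if entry.get("Verified") not in ("TRUE", "FALSE"):
        problems.append("Verified must be 'TRUE' or 'FALSE'")
    if entry.get("Category") not in CATEGORIES:
        problems.append(f"unknown Category {entry.get('Category')!r}")
    for sample in entry.get("KnownVulnerableSamples", []):
        for algo, length in HASH_LENGTHS.items():
            value = str(sample.get(algo, ""))
            if not re.fullmatch(rf"[0-9a-fA-F]{{{length}}}", value):  # exact hex length
                problems.append(f"{sample.get('Filename')}: bad {algo} {value!r}")
    return problems

def sysmon_driverload_config(entries):
    """Build a Sysmon config whose DriverLoad (Event ID 6) include rule fires
    when the logged Hashes field contains the SHA256 of any known sample."""
    root = ET.Element("Sysmon", schemaversion="4.90")  # assumed schema version
    group = ET.SubElement(ET.SubElement(root, "EventFiltering"), "RuleGroup",
                          name="LOLDrivers", groupRelation="or")
    load = ET.SubElement(group, "DriverLoad", onmatch="include")
    for entry in entries:
        for sample in entry["KnownVulnerableSamples"]:
            rule = ET.SubElement(load, "Hashes", condition="contains", name=entry["Name"])
            rule.text = f"SHA256={sample['SHA256'].upper()}"  # Sysmon logs upper-case hex
    return ET.tostring(root, encoding="unicode")
```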

Thank You

First and foremost, I want to thank Jose E Hernandez for assisting me with getting the project to where it is today. Patrick Bareiss for listening and creating the first pass of CSV to YAML generation — the core of LOLDrivers. Matt for having the same idea and assisting in review and code. Bohops for listening to the original pitch and shining a light on the path forward.
Florian Roth and Nasreddine Bencherchali with the ultimate assists with adding Sigma, enrichment and getting things in line!

Links of Interest

Near-term items we want to complete:

  • Add more Binary Metadata with additional reporting
  • A location with all of the drivers from the project. One stop shop.
  • Edit YAMLs on the Streamlit app.
  • Detailed driver descriptions.

Q&A

Why LOLDrivers and not BYOVD?

Matt Graeber and I had started a collection of vulnerable drivers 2–3 years ago and I really like the name LOLDrivers that we coined. It happened to just stick. Don’t worry, they can be used synonymously.

Why did it take so long to get this done?

Time! And we probably rebuilt it 3 times.

A driver is missing!

Yes — that is why you are here! Ship a PR, or open a GitHub Issue and we will get it added!
