LOLDrivers Lacework LQL Detection

  • 8 September 2023
  • 0 replies
  • 325 views

Hey everyone,

I wanted to share something valuable with the community, especially since a few customers have inquired about this recently. We all know the significance of staying a step ahead in the cybersecurity landscape, and this is a step in that direction.

LOLDrivers is a well-curated list of Windows drivers that adversaries commonly use to bypass security measures and execute attacks. It has been used quite often by many threat actors: https://cybernews.com/security/bring-your-own-vulnerable-driver-attack/.

I've crafted a script that automatically fetches the latest malicious hashes from the LOLDrivers project and builds an LQL rule, which can be seamlessly deployed in your Lacework environment. This script serves as a tool to monitor and detect malicious drivers in real-time within your infrastructure.

Here's how you can integrate this into your Lacework setup:

1. Get the Script: Grab the script from this link.

2. Deploy the LQL Rule: Use the Lacework CLI with the following command to run the query:

   lacework query run --start "-120d@d" --end "@h" -f LOLDriver_Malicious_Hashes.yaml

3. Automation: Consider setting up this script as a cron job or a similar automated task to create a new rule daily or weekly. This way, your rules are always updated, enhancing your security posture.

Also, don't forget to check out the sister projects at https://lolol.farm/ for more resources.

Happy hunting 🕵!
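As an added illustration of the script described above (example code, not the author's script): it reads LOLDrivers-style JSON, keeps the SHA256 hashes of drivers in the chosen category, and renders an LQL query file of the kind passed to `lacework query run -f`. The feed field names (`Category`, `KnownVulnerableSamples`, `SHA256`), the LQL datasource `LW_HE_FILES` and the field `FILEDATA_HASH` are assumptions, and the input feed is a constructed sample.

```python
"""Build a Lacework LQL query file from LOLDrivers-style data (added example)."""
import json
from typing import Iterable, List

# Constructed sample in the shape of the LOLDrivers drivers.json feed.
# Field names are assumed; the live feed is published by loldrivers.io.
SAMPLE_FEED = json.dumps([
    {"Id": "c1", "Category": "malicious",
     "KnownVulnerableSamples": [
         {"Filename": "bad.sys", "SHA256": "AA" + "0" * 62},
         {"Filename": "bad2.sys", "SHA256": "aa" + "0" * 62},  # duplicate, other case
         {"Filename": "nohash.sys"}]},                          # no SHA256 field
    {"Id": "c2", "Category": "vulnerable driver",
     "KnownVulnerableSamples": [{"SHA256": "bb" + "1" * 62}]},
])


def extract_hashes(feed_json: str, categories: Iterable[str] = ("malicious",)) -> List[str]:
    """Return sorted, de-duplicated, lowercase SHA256 hashes for the chosen categories."""
    wanted = {c.lower() for c in categories}
    hashes = set()
    for driver in json.loads(feed_json):
        if driver.get("Category", "").lower() not in wanted:
            continue
        for sample in driver.get("KnownVulnerableSamples", []):
            h = (sample.get("SHA256") or "").strip().lower()
            if len(h) == 64:  # skip missing or malformed values
                hashes.add(h)
    return sorted(hashes)


def build_lql_yaml(hashes: List[str], query_id: str = "LW_Custom_LOLDrivers_Malicious_Hashes") -> str:
    """Render an LQL query (YAML) that matches observed file hashes against the list.
    Datasource LW_HE_FILES and field FILEDATA_HASH are assumed names."""
    if not hashes:
        raise ValueError("no hashes to match; refusing to emit an empty IN list")
    quoted = ",\n        ".join(f"'{h}'" for h in hashes)
    return f"""queryId: {query_id}
queryText: |-
  {{
    source {{ LW_HE_FILES }}
    filter {{
      FILEDATA_HASH in (
        {quoted}
      )
    }}
    return distinct {{ MID, PATH, FILEDATA_HASH }}
  }}
"""
```

Writing the returned string to `LOLDriver_Malicious_Hashes.yaml` from a scheduled job gives the daily refresh the post suggests.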

Tags: Agent: Windows 1.4-1.7; Platform: Using Lacework/Operationalizing; Cloud: AWS
