LOLDrivers Lacework LQL Detection

  • 8 September 2023
  • 0 replies
  • 405 views

Hey everyone,

I wanted to share something valuable with the community, especially since a few customers have inquired about this recently. We all know the significance of staying a step ahead in the cybersecurity landscape, and this is a step in that direction.

LOLDrivers is a well-curated list of Windows drivers that adversaries commonly use to bypass security measures and execute attacks. It has been used quite often by many threat actors: https://cybernews.com/security/bring-your-own-vulnerable-driver-attack/.

I've crafted a script that automatically fetches the latest malicious hashes from the LOLDrivers project and builds an LQL rule, which can be seamlessly deployed in your Lacework environment. This script serves as a tool to monitor and detect malicious drivers in real-time within your infrastructure.

Here's how you can integrate this into your Lacework setup:

1. Get the Script: Grab the script from this link.
   
2. Deploy the LQL Rule: Use the Lacework CLI with the following command to run the query:

lacework query run --start "-120d@d" --end "@h" -f LOLDriver_Malicious_Hashes.yaml

3. Automation: Consider setting up this script as a cron job or a similar automated task to create a new rule daily or weekly. This way, your rules are always updated, enhancing your security posture.

Also, don't forget to check out the sister projects https://lolol.farm/ , for more resources.

Happy hunting 🕵!

Agent

Windows 1.4-1.7

Platform

Using Lacework/Operationalizing

Cloud

AWS


0 replies

Be the first to reply!

Reply