Detect LolDriver drop or load from unknown or unsigned process
Adversaries may use LolDrivers (known-vulnerable, legitimately signed drivers) to elevate their privileges on a system. Often they drop their own copy of a LolDriver from their beacon process when it is not yet present on the system. This detection use case flags an unknown or unsigned process dropping or loading one of these LolDrivers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1068 Exploitation for Privilege Escalation |
References
Event coverage
| Provider | ActionType | Title |
|---|---|---|
| Defender-DeviceEvents | any | Defender event (any) |
Rule body
```kusto
let LOLDrivers = externaldata(Category:string, KnownVulnerableSamples:dynamic, Verified:string ) [h@"https://www.loldrivers.io/api/drivers.json"]
with (
format=multijson,
ingestionMapping=@'[{"Column":"Category","Properties":{"Path":"$.Category"}},{"Column":"KnownVulnerableSamples","Properties":{"Path":"$.KnownVulnerableSamples"}},{"Column":"Verified","Properties":{"Path":"$.Verified"}}]'
)
| mv-expand KnownVulnerableSamples
| extend SHA1 = tostring(KnownVulnerableSamples.SHA1), SHA256 = tostring(KnownVulnerableSamples.SHA256)
;
let SHA1List = toscalar(
LOLDrivers
| summarize make_set(SHA1)
);
let SHA256List = toscalar(
LOLDrivers
| summarize make_set(SHA256)
);
let device_events = (
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == "DriverLoaded"
| where SHA1 in ( SHA1List ) or SHA256 in ( SHA256List )
);
let device_file_events = (
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated"
| where SHA1 in ( SHA1List ) or SHA256 in ( SHA256List )
);
union device_events, device_file_events
| invoke FileProfile(InitiatingProcessSHA1)
| where GlobalPrevalence < 1000 or SignatureState =~ "Unsigned"
```
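The same rule logic replayed offline in Python, as an added example that is not part of this rule or its catalog: the drivers.json excerpt, the DeviceEvents/DeviceFileEvents rows, the process hashes and the FileProfile stand-in values are all constructed placeholders. It also shows two edge cases the raw query leaves implicit: a blank hash in the driver list, and a FileProfile lookup that returns no prevalence.

```python
import json

# Constructed excerpt in the shape of loldrivers.io drivers.json; hashes are placeholders.
DRIVERS_JSON = json.dumps([{"Category": "vulnerable driver", "Verified": "TRUE",
    "KnownVulnerableSamples": [{"SHA1": "1111aaaa", "SHA256": "2222bbbb"},
                               {"SHA1": "3333cccc", "SHA256": ""}]}])
# Constructed DeviceEvents / DeviceFileEvents rows (only the columns the rule touches).
EVENTS = [
    {"Table": "DeviceEvents", "ActionType": "DriverLoaded", "SHA1": "1111aaaa",
     "SHA256": "2222bbbb", "FileName": "bad.sys", "InitiatingProcessSHA1": "p-beacon"},
    {"Table": "DeviceFileEvents", "ActionType": "FileCreated", "SHA1": "3333cccc",
     "SHA256": "9999ffff", "FileName": "bad2.sys", "InitiatingProcessSHA1": "p-known"},
    {"Table": "DeviceEvents", "ActionType": "DriverLoaded", "SHA1": "1111aaaa",
     "SHA256": "2222bbbb", "FileName": "bad3.sys", "InitiatingProcessSHA1": "p-null"},
    {"Table": "DeviceFileEvents", "ActionType": "FileCreated", "SHA1": "",
     "SHA256": "", "FileName": "empty.tmp", "InitiatingProcessSHA1": "p-beacon"},
    {"Table": "DeviceFileEvents", "ActionType": "FileDeleted", "SHA1": "1111aaaa",
     "SHA256": "2222bbbb", "FileName": "bad.sys", "InitiatingProcessSHA1": "p-beacon"},
]
# Constructed stand-in for FileProfile(InitiatingProcessSHA1); None = no enrichment data.
PROFILES = {"p-beacon": {"GlobalPrevalence": 3, "SignatureState": "Unsigned"},
            "p-known": {"GlobalPrevalence": 250000, "SignatureState": "SignedValid"},
            "p-null": {"GlobalPrevalence": None, "SignatureState": None}}
WANTED = {"DeviceEvents": "DriverLoaded", "DeviceFileEvents": "FileCreated"}

def load_hash_sets(raw):
    """mv-expand KnownVulnerableSamples into SHA1/SHA256 sets. Blank hashes are dropped, so a
    row with an empty hash column cannot match a blank list entry (the raw KQL 'in' would)."""
    sha1s, sha256s = set(), set()
    for drv in json.loads(raw):
        for s in drv.get("KnownVulnerableSamples", []):
            if s.get("SHA1"): sha1s.add(s["SHA1"].lower())
            if s.get("SHA256"): sha256s.add(s["SHA256"].lower())
    return sha1s, sha256s

def detect(events, profiles, sha1s, sha256s, max_prevalence=1000):
    """Apply the rule's predicates; a None prevalence never satisfies '<', as null does in KQL."""
    hits = []
    for e in events:
        if WANTED.get(e["Table"]) != e["ActionType"]:
            continue
        if e["SHA1"].lower() not in sha1s and e["SHA256"].lower() not in sha256s:
            continue
        prof = profiles.get(e["InitiatingProcessSHA1"], {})
        gp, sig = prof.get("GlobalPrevalence"), prof.get("SignatureState") or ""
        if (gp is not None and gp < max_prevalence) or sig.lower() == "unsigned":
            hits.append(e["FileName"])
    return hits

def run_example():
    sha1s, sha256s = load_hash_sets(DRIVERS_JSON)
    return detect(EVENTS, PROFILES, sha1s, sha256s)  # -> ["bad.sys"]
```

Only the driver loaded by the low-prevalence, unsigned process fires; the widely seen signed process, the process with no FileProfile data, the blank-hash row and the non-matching ActionType are all filtered out.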
Stages and Predicates
Let binding: LOLDrivers
let LOLDrivers = externaldata(Category:string, KnownVulnerableSamples:dynamic, Verified:string ) [h@"https://www.loldrivers.io/api/drivers.json"]
with (
format=multijson,
ingestionMapping=@'[{"Column":"Category","Properties":{"Path":"$.Category"}},{"Column":"KnownVulnerableSamples","Properties":{"Path":"$.KnownVulnerableSamples"}},{"Column":"Verified","Properties":{"Path":"$.Verified"}}]'
)
| mv-expand KnownVulnerableSamples
| extend SHA1 = tostring(KnownVulnerableSamples.SHA1), SHA256 = tostring(KnownVulnerableSamples.SHA256);
Let binding: SHA1List
let SHA1List = toscalar(
LOLDrivers
| summarize make_set(SHA1)
);
Derived from LOLDrivers.
Let binding: SHA256List
let SHA256List = toscalar(
LOLDrivers
| summarize make_set(SHA256)
);
Derived from LOLDrivers.
Let binding: device_events
let device_events = (
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == "DriverLoaded"
| where SHA1 in ( SHA1List ) or SHA256 in ( SHA256List )
);
Derived from SHA1List, SHA256List.
Let binding: device_file_events
let device_file_events = (
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated"
| where SHA1 in ( SHA1List ) or SHA256 in ( SHA256List )
);
Derived from SHA1List, SHA256List.
union (2 sources)
Each leg below queries one source; the rule matches if any leg does. Sources: device_events, device_file_events
Leg 1: device_events
Leg 2: device_file_events
Applied to the combined result
| invoke FileProfile(InitiatingProcessSHA1) | where GlobalPrevalence < 1000 or SignatureState =~ "Unsigned"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ActionType | eq | DriverLoaded, FileCreated |
| GlobalPrevalence | lt | 1000 |
| SHA1 | in | SHA1List |
| SHA256 | in | SHA256List |
| SignatureState | eq | Unsigned |