Query Details

Detect Lol Driver Drop Or Load From Unknown Process

Query

# *Detect LolDriver drop or load from unknown or unsigned process*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1068 | Exploitation for Privilege Escalation | https://attack.mitre.org/techniques/T1068/ |

#### Description
Adversaries may bring a known vulnerable driver (a LolDriver) onto a system and load it to elevate their privileges. When the driver is not already present on the system, they regularly drop it from their beacon process first. This use case detects an unknown or unsigned process dropping or loading one of these drivers.

#### Risk
This detection aims to catch malware dropping or loading a LolDriver that it can then exploit for privilege escalation on the target system.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://thecollective.eu/

## Defender XDR
```KQL
// Pull the loldrivers.io catalogue and flatten it to one row per known vulnerable sample
let LOLDrivers = externaldata(Category:string, KnownVulnerableSamples:dynamic, Verified:string ) [h@"https://www.loldrivers.io/api/drivers.json"]
     with (
       format=multijson,
       ingestionMapping=@'[{"Column":"Category","Properties":{"Path":"$.Category"}},{"Column":"KnownVulnerableSamples","Properties":{"Path":"$.KnownVulnerableSamples"}},{"Column":"Verified","Properties":{"Path":"$.Verified"}}]'
     )
    | mv-expand KnownVulnerableSamples
    | extend SHA1 = tostring(KnownVulnerableSamples.SHA1), SHA256 = tostring(KnownVulnerableSamples.SHA256)
;
// Distinct hash lists. Samples that carry only one of the two hashes yield an empty string for
// the other; drop those so an event whose hash column is blank cannot match the list.
let SHA1List = toscalar(
    LOLDrivers
    | where isnotempty(SHA1)
    | summarize make_set(SHA1)
);
let SHA256List = toscalar(
    LOLDrivers
    | where isnotempty(SHA256)
    | summarize make_set(SHA256)
);
// Known vulnerable driver loaded in the last hour
let device_events = (
    DeviceEvents
    | where Timestamp > ago(1h)
    | where ActionType == "DriverLoaded"
    | where SHA1 in ( SHA1List ) or SHA256 in ( SHA256List )
);
// Known vulnerable driver written to disk in the last hour
let device_file_events = (
    DeviceFileEvents
    | where Timestamp > ago(1h)
    | where ActionType == "FileCreated"
    | where SHA1 in ( SHA1List ) or SHA256 in ( SHA256List )
);
union device_events, device_file_events
// Enrich the initiating process (the dropper/loader, not the driver) and keep only rare or unsigned ones
| invoke FileProfile(InitiatingProcessSHA1)
| where GlobalPrevalence < 1000 or SignatureState =~ "Unsigned"
```

Explanation

This query detects the drop or load of a LolDriver, a known vulnerable driver that adversaries bring along to gain elevated privileges on a system, by a process that is rare or unsigned. Step by step:

  1. Data Source: It pulls the loldrivers.io driver catalogue (https://www.loldrivers.io/api/drivers.json) with externaldata and expands KnownVulnerableSamples so that every known vulnerable sample, identified by its SHA1 and SHA256 hash, becomes one row.

  2. Hash Lists: It builds two distinct lists of hashes (SHA1 and SHA256) from that data to compare against. The lists must not contain empty strings, because an empty string would match every event whose hash column is blank (for example a file whose hash has not been computed yet). Note that the in operator is case-sensitive; the Defender tables store hashes as lowercase hex, so if the catalogue ever carries uppercase hashes, use in~ instead.

  3. Recent Events: It looks at the past hour of DeviceEvents for DriverLoaded actions and of DeviceFileEvents for FileCreated actions, and keeps the events whose SHA1 or SHA256 matches a known vulnerable driver. Load and drop are covered separately because the driver may already be present on disk (load only) or may be written but not yet loaded (drop only).

  4. Process Verification: The matching events are unioned and the initiating process, i.e. the process that loaded or wrote the driver rather than the driver itself, is enriched with FileProfile. Only events where that process is rare (GlobalPrevalence below 1000) or unsigned (SignatureState equal to Unsigned) are kept; a widely deployed, signed process such as a legitimate installer dropping the same driver is filtered out. Two caveats: FileProfile enriches at most 1000 rows per query by default, and when it returns no prevalence value for a process the numeric comparison evaluates to null, so that row survives only if the process is unsigned.

  5. Output: The result is the set of events where a LolDriver was dropped or loaded by an unknown or unsigned process, which is a strong indicator of an attempted privilege escalation via a vulnerable driver.

In summary, the query surfaces known vulnerable drivers being introduced or loaded by processes that are not commonly seen or not signed, which is how malware typically stages this kind of privilege escalation.
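To make the matching logic of the query testable without a Defender tenant, here is an added Python re-implementation of the pipeline (this is example code, not the query author's and not part of the original page). It mirrors the fields the KQL reads from loldrivers.io, builds the two hash sets, applies the one-hour window and ActionType filters, and then reproduces the FileProfile decision including the null-prevalence edge case. Every hash, event and FileProfile value in it is constructed for the example, and the `ev`, `load_hash_sets`, `kql_less_than` and `detect` helpers are names chosen here, not KQL or Defender APIs.

```python
"""Added example, not part of the original query page: a Python re-implementation
of the detection pipeline so its matching logic can be exercised offline against
constructed events.  The JSON shape (Category, Verified, KnownVulnerableSamples
with SHA1/SHA256) mirrors the fields the KQL reads from loldrivers.io; every hash,
event and FileProfile value below is made up for the example."""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 1, 12, 12, 0, tzinfo=timezone.utc)  # fixed clock standing in for ago(1h)

# Constructed excerpt in the shape of https://www.loldrivers.io/api/drivers.json
LOLDRIVERS_JSON = json.dumps([
    {"Category": "vulnerable driver", "Verified": "TRUE",
     "KnownVulnerableSamples": [
         {"SHA1": "a" * 40, "SHA256": "b" * 64},
         {"SHA256": "c" * 64},                 # sample listed with a SHA256 only
     ]},
    {"Category": "malicious", "Verified": "TRUE",
     "KnownVulnerableSamples": [{"SHA1": "d" * 40, "SHA256": "e" * 64}]},
])

# Constructed stand-in for the FileProfile() enrichment of the initiating process:
# process SHA1 -> (GlobalPrevalence, SignatureState).  None models a missing value.
FILE_PROFILES = {
    "1" * 40: (5_000_000, "SignedValid"),  # widely deployed, signed installer
    "2" * 40: (12, "SignedValid"),         # rare but signed
    "3" * 40: (250_000, "Unsigned"),       # common yet unsigned
    "4" * 40: (None, "Unknown"),           # never profiled: no prevalence at all
}

def ev(minutes_ago, action, sha1, sha256, proc_sha1):
    """Build one DeviceEvents / DeviceFileEvents-style row (constructed data)."""
    return {"Timestamp": NOW - timedelta(minutes=minutes_ago), "ActionType": action,
            "SHA1": sha1, "SHA256": sha256, "InitiatingProcessSHA1": proc_sha1}

DEVICE_EVENTS = [
    ev(5, "DriverLoaded", "a" * 40, "b" * 64, "2" * 40),    # rare signed loader -> hit
    ev(180, "DriverLoaded", "a" * 40, "b" * 64, "2" * 40),  # outside the 1h window
    ev(1, "ProcessCreated", "a" * 40, "b" * 64, "2" * 40),  # wrong ActionType
]
DEVICE_FILE_EVENTS = [
    ev(2, "FileCreated", "", "c" * 64, "3" * 40),           # SHA256-only match, unsigned dropper -> hit
    ev(2, "FileCreated", "d" * 40, "e" * 64, "1" * 40),     # prevalent signed process -> suppressed
    ev(2, "FileCreated", "", "", "4" * 40),                 # hash not computed yet: must not match
    ev(2, "FileCreated", "a" * 40, "b" * 64, "4" * 40),     # no prevalence value -> dropped by null compare
]

def load_hash_sets(raw_json):
    """mv-expand KnownVulnerableSamples, then make_set(SHA1) / make_set(SHA256).
    Empty strings are skipped: a set containing "" would match every event whose
    hash column is blank.  Lower-casing plays the role of in~ rather than in."""
    sha1s, sha256s = set(), set()
    for driver in json.loads(raw_json):
        for sample in driver.get("KnownVulnerableSamples", []):
            if sample.get("SHA1"):
                sha1s.add(sample["SHA1"].lower())
            if sample.get("SHA256"):
                sha256s.add(sample["SHA256"].lower())
    return sha1s, sha256s

def kql_less_than(value, threshold):
    """KQL comparison semantics: a null operand yields null, which `where` treats as false."""
    return value is not None and value < threshold

def detect(device_events, file_events, profiles, sha1s, sha256s, now=NOW, window=timedelta(hours=1)):
    """union device_events, device_file_events | invoke FileProfile | where rare or unsigned."""
    candidates = [e for e in device_events if e["ActionType"] == "DriverLoaded"]
    candidates += [e for e in file_events if e["ActionType"] == "FileCreated"]
    hits = []
    for e in candidates:
        if not e["Timestamp"] > now - window:          # Timestamp > ago(1h)
            continue
        if not (e["SHA1"].lower() in sha1s or e["SHA256"].lower() in sha256s):
            continue
        prevalence, state = profiles.get(e["InitiatingProcessSHA1"], (None, ""))
        if kql_less_than(prevalence, 1000) or state.lower() == "unsigned":
            hits.append(e)
    return hits

if __name__ == "__main__":
    s1, s256 = load_hash_sets(LOLDRIVERS_JSON)
    for hit in detect(DEVICE_EVENTS, DEVICE_FILE_EVENTS, FILE_PROFILES, s1, s256):
        print(hit["ActionType"], (hit["SHA1"] or hit["SHA256"])[:8], "by", hit["InitiatingProcessSHA1"][:8])
```

Running it yields two hits: the DriverLoaded event from the rare signed process and the FileCreated event from the unsigned dropper. The event written by the never-profiled process is silently dropped even though the driver hash matches, which is the null-comparison behaviour to keep in mind when tuning the GlobalPrevalence threshold.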

Details


Robbe Van den Daele

Released: January 12, 2026

Tables

DeviceEvents, DeviceFileEvents

Keywords

DeviceEvents, FileProfile, SignatureState, Timestamp, ActionType, SHA1, SHA256, Category, KnownVulnerableSamples, Verified, GlobalPrevalence

Operators

let, externaldata, with, format, ingestionMapping, mv-expand, extend, tostring, toscalar, summarize, make_set, where, in, ago, union, invoke, =~
