
# Defender for Endpoint - AsrVulnerableSignedDriverBlocked - LolDrivers Lookup

![KQL](https://img.shields.io/badge/language-KQL-blue.svg)
![Status: Testing](https://img.shields.io/badge/status-testing-blue.svg)

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1068 | Exploitation for Privilege Escalation | https://attack.mitre.org/techniques/T1068/ |

### Description

The query below pulls the loldrivers.io dataset and joins it with [AsrVulnerableSignedDriverBlocked](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) events on both SHA1 and SHA256, because some LOLDrivers entries lack one of the two hashes.

#### References

- [Detecting Vulnerable Drivers (LOLDrivers) the Right Way Using Microsoft Defender for Endpoint](https://academy.bluraven.io/blog/detecting-vulnerable-drivers-using-defender-for-endpoint-kql)
- [Block abuse of exploited vulnerable signed drivers](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers)
- [Strategies to monitor and prevent vulnerable driver attacks](https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/strategies-to-monitor-and-prevent-vulnerable-driver-attacks/4103985)

### Author

- **Alex Verboon**

### Credits

- [Mehmet Ergene](https://x.com/Cyb3rMonk), who wrote the original query published [here](https://academy.bluraven.io/blog/detecting-vulnerable-drivers-using-defender-for-endpoint-kql); all I did was replace the ActionType from ***DriverLoad*** to ***AsrVulnerableSignedDriverBlocked***

## Defender XDR

```kql
let LOLDrivers = externaldata (Category:string, KnownVulnerableSamples:dynamic, Verified:string) [h@"https://www.loldrivers.io/api/drivers.json"]
    with (format=multijson, ingestionMapping='[{"Column":"Category","Properties":{"Path":"$.Category"}},{"Column":"KnownVulnerableSamples","Properties":{"Path":"$.KnownVulnerableSamples"}},{"Column":"Verified","Properties":{"Path":"$.Verified"}}]')
    // One row per known vulnerable sample; some samples carry only a SHA1 or only a SHA256
    | mv-expand KnownVulnerableSamples
    | extend SHA1 = tostring(KnownVulnerableSamples.SHA1), SHA256 = tostring(KnownVulnerableSamples.SHA256);
// Driver blocks raised by the ASR rule, projected once so both union branches share a schema
let BlockedDrivers = DeviceEvents
    | where ActionType == @"AsrVulnerableSignedDriverBlocked"
    | project Timestamp, DeviceName, FileName, SHA256, SHA1, FolderPath;
// Match on SHA256 first, then on SHA1 for LOLDrivers entries that lack a SHA256
BlockedDrivers
| join kind=inner (LOLDrivers | where isnotempty(SHA256)) on SHA256
| union (
    BlockedDrivers
    | join kind=inner (LOLDrivers | where isnotempty(SHA1)) on SHA1
)
```

## Explanation

This KQL query detects and analyzes events in which Microsoft Defender for Endpoint blocked a vulnerable signed driver. A simplified breakdown of what the query does:

1. Data source: it pulls the LOLDrivers dataset, which lists known vulnerable drivers, from its JSON API using `externaldata`.

2. Data expansion: it expands the list of known vulnerable samples in the LOLDrivers dataset so that each sample yields its SHA1 and SHA256 hash values.

3. Event filtering: it filters the DeviceEvents table to events whose action type is AsrVulnerableSignedDriverBlocked, meaning the ASR rule blocked a signed driver that is known to be exploitable.

4. Data joining: it performs an inner join between the filtered DeviceEvents and the LOLDrivers data on SHA256. A second branch, combined with the first by `union`, joins the same events on SHA1, so drivers whose LOLDrivers entry lacks a SHA256 are still matched.

5. Output: the result is a combined dataset showing which blocked-driver events correspond to known vulnerable drivers in LOLDrivers, which helps in identifying and understanding the threat posed by vulnerable drivers in the environment.

Overall, the query enhances security monitoring by correlating blocked-driver events with a curated list of vulnerable drivers, aiding in the detection and prevention of privilege escalation attacks.
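To check the join logic offline, here is an added Python re-implementation of the query's correlation step; it is not part of the original page and not code from the LOLDrivers project. The LOLDrivers feed and the DeviceEvents rows are constructed stand-ins shaped like the real data: one LOLDrivers sample lacks a SHA256, one lacks a SHA1, and one event reports its hash in upper case. Hashes are lower-cased before lookup because KQL's `join` is case-sensitive, and each event is reported once even when both hashes match, where the `union` in the KQL above would list it twice.

```python
"""Offline re-implementation of the LOLDrivers / AsrVulnerableSignedDriverBlocked
correlation performed by the KQL query above. All data below is constructed."""
import json

# Constructed stand-in for https://www.loldrivers.io/api/drivers.json: a JSON array
# of driver records, each with a KnownVulnerableSamples list. The second sample has
# no SHA256 and the third has no SHA1, mirroring the gaps the query joins around.
LOLDRIVERS_JSON = json.dumps([
    {"Category": "vulnerable driver", "Verified": "TRUE",
     "KnownVulnerableSamples": [
         {"Filename": "example_a.sys", "SHA1": "a" * 40, "SHA256": "1" * 64},
         {"Filename": "example_b.sys", "SHA1": "b" * 40},          # no SHA256
     ]},
    {"Category": "malicious", "Verified": "TRUE",
     "KnownVulnerableSamples": [
         {"Filename": "example_c.sys", "SHA256": "3" * 64},        # no SHA1
     ]},
])

# Constructed rows shaped like the DeviceEvents columns the query projects.
ASR = "AsrVulnerableSignedDriverBlocked"
DEVICE_EVENTS = [
    {"Timestamp": "2026-02-23T10:00:00Z", "DeviceName": "host01", "ActionType": ASR,
     "FileName": "example_a.sys", "SHA1": "a" * 40, "SHA256": "1" * 64,
     "FolderPath": r"C:\Windows\System32\drivers"},
    {"Timestamp": "2026-02-23T10:05:00Z", "DeviceName": "host02", "ActionType": ASR,
     "FileName": "example_b.sys", "SHA1": "B" * 40, "SHA256": "2" * 64,   # upper-case SHA1
     "FolderPath": r"C:\Temp"},
    {"Timestamp": "2026-02-23T10:07:00Z", "DeviceName": "host03", "ActionType": ASR,
     "FileName": "example_c.sys", "SHA1": "c" * 40, "SHA256": "3" * 64,
     "FolderPath": r"C:\Temp"},
    {"Timestamp": "2026-02-23T10:09:00Z", "DeviceName": "host04", "ActionType": ASR,
     "FileName": "unknown.sys", "SHA1": "d" * 40, "SHA256": "4" * 64,     # not in LOLDrivers
     "FolderPath": r"C:\Temp"},
    {"Timestamp": "2026-02-23T10:11:00Z", "DeviceName": "host05", "ActionType": "DriverLoad",
     "FileName": "example_a.sys", "SHA1": "a" * 40, "SHA256": "1" * 64,   # wrong ActionType
     "FolderPath": r"C:\Temp"},
]


def expand_loldrivers(raw_json):
    """Equivalent of externaldata + mv-expand + extend: one row per known
    vulnerable sample, hashes lower-cased and missing hashes kept as ''."""
    rows = []
    for driver in json.loads(raw_json):
        for sample in driver.get("KnownVulnerableSamples") or []:
            rows.append({
                "Category": driver.get("Category", ""),
                "Verified": driver.get("Verified", ""),
                "SHA1": (sample.get("SHA1") or "").lower(),
                "SHA256": (sample.get("SHA256") or "").lower(),
            })
    return rows


def correlate(events, loldrivers_rows, action_type=ASR):
    """Inner-join blocked-driver events to LOLDrivers on SHA256 first, then on
    SHA1. Lookup tables are dicts, so each event is reported at most once and
    duplicate LOLDrivers samples with the same hash collapse to one entry."""
    by_sha256 = {r["SHA256"]: r for r in loldrivers_rows if r["SHA256"]}
    by_sha1 = {r["SHA1"]: r for r in loldrivers_rows if r["SHA1"]}
    matches = []
    for ev in events:
        if ev["ActionType"] != action_type:
            continue
        sha256, sha1 = ev["SHA256"].lower(), ev["SHA1"].lower()
        if sha256 in by_sha256:
            hit, matched_on = by_sha256[sha256], "SHA256"
        elif sha1 in by_sha1:
            hit, matched_on = by_sha1[sha1], "SHA1"
        else:
            continue
        matches.append({
            "Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
            "FileName": ev["FileName"], "FolderPath": ev["FolderPath"],
            "SHA256": sha256, "SHA1": sha1,
            "Category": hit["Category"], "Verified": hit["Verified"],
            "MatchedOn": matched_on,
        })
    return matches


if __name__ == "__main__":
    for m in correlate(DEVICE_EVENTS, expand_loldrivers(LOLDRIVERS_JSON)):
        print(f'{m["Timestamp"]} {m["DeviceName"]} {m["FileName"]:<14} '
              f'matched on {m["MatchedOn"]} ({m["Category"]})')
```

Running it reports host01 and host03 matched on SHA256 and host02 matched on SHA1 (only after case normalisation); host04 has no LOLDrivers entry and host05 is dropped by the ActionType filter, which is the same outcome the KQL `where` and two joins produce.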

Released: February 23, 2026
