Living Off The Land Drivers 1.0 Release: New Features, Enrichments, and Community Contributions

First — We want to thank everyone for the feedback and comments! We really appreciate it.

Introduction

Since its inception, the Living Off The Land Drivers (LOLDrivers) project has seen tremendous growth and success. As a reminder, the project aims to provide a comprehensive and well-maintained repository of drivers with known vulnerabilities or malicious behaviors. With the 1.0 release, we are excited to introduce several new features, driver enrichment and updates that make it even more valuable for analysts and researchers. In this blog post, we’ll walk you through these enhancements and celebrate some of the milestones that the project has achieved. If you haven’t already, we recommend reading the original blog post announcing the project for more context on its purpose and goals.

Project Milestones

Our first contribution came less than 24 hours after announcing the project, thanks to the efforts of Rastamouse. Since then, the LOLDrivers website has seen 4.8k new users, with the LenovoDiagnosticsDriver.sys being the most visited driver. In the last 30 days alone, 13 new drivers were added to the repository by contributors. We are thrilled with the community’s response and grateful for the continued contributions that help make the project even better.

Community

Before diving into the list of release items, we’d like to highlight the community’s response. This includes tweets, publications, projects, and other instances where the LOLDrivers project has been utilized or mentioned.

A LOLDrivers Client

LOLDrivers-client.exe -m [MODE] [OPTIONS]

Modes:
    online    Download the newest driver set (default)
    local     Use a local drivers.json file (requires '-f')
    internal  Use the built-in driver set (can be outdated)

Options:
    -d Directory to scan for drivers (default: Windows Default)
    -f File path to 'drivers.json' for mode 'local'
    -t Number of threads to spawn (default: 20)
    -v Print verbose messages (default: false)
    -h Shows this text

• https://github.com/rtfmkiesel/loldrivers-client

Thor and Loki

• https://github.com/Neo23x0/signature-base/blob/master/iocs/hash-iocs.txt#L10827
• https://github.com/Neo23x0/Loki/releases

KQL

• https://github.com/0xjxd/KQL-Hunting/blob/main/MDE-LOLDRIVERS.kql

Velociraptor

• https://github.com/mgreen27/DetectRaptor/blob/master/vql/LolDrivers.yaml

PowerShell Scan for LOLDrivers

• https://github.com/rweijnen/Posh-Snippets/blob/master/ScanLolDrivers.ps1

Awesome-Malware-Techniques

• https://github.com/fr0gger/Awesome_Malware_Techniques

Detection Engineering Weekly

SANS Internet Storm Center

• https://isc.sans.edu/podcastdetail.html?id=8444

#100daysofyara

• https://gist.github.com/schrodyn/45eab4f9229f116e2cfd2c427a84fdd6

1.0 Release Highlights

1. New Driver Enrichments

In this release, we have added a new section for each driver that includes all the extremely valuable driver metadata utilizing our new metadata-extractor. For example, the addition of the Authentihash provides an efficient way to uniquely identify and validate files. Other metadata fields include file hashes (MD5, SHA1, and SHA256), signature, date, publisher, company, description, product, product version, file version, machine type, original filename, internal name, copyright, imports, exported functions, and PDB path. These enrichments help analysts and researchers better understand and investigate the drivers in our repository.

The JSON and CSV files now include all the new attributes. If you want the raw YAML head on over here YAML.

We also added a a list of all Authentihashes collected here

All the Options

First you now notice each driver has all the metadata added

As you scroll down on the driver page, you will now see driver imports, exports and all the signature information

The raw YAML contains every attribute:

2. Driver Binaries under the drivers/ directory

We have begun using Git LFS to store the drivers in the drivers/ directory. Each release will now feature a drivers.zip file containing all of these binaries. This enables analysts to conveniently download and analyze all of the drivers within the project. The binaries are named according to the <md5>.bin format of the file.

3. Changed to UUID instead of Driver Names

While working with the repository and reviewing the sigma rule based on driver names, we recognized that duplicate names might occur as the project expands over time. We decided to modify the scheme by adopting UUIDs and assigning driver names as tags. This update allows for an infinite set of drivers. Moreover, if the original driver name is unknown, we will utilize the original file name attribute.

The main difference is the URLs will be based on the UUID — https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/

4. Elastic Drivers Add

Nasreddine took a deep dive into the Elastic driver yara set and was able to produce a spreadsheet totaling 740+ total drivers. We used a VTI query to gather all the metadata and produce a csv output and then followed that up with downloading all the drivers and adding to the project!

VirusTotal Enrichment Script: https://gist.github.com/nasbench/93b55c1fbe01d8341b7c9ed80a80ebbc

Enriched data spreadsheet: https://docs.google.com/spreadsheets/d/1lTNqD2t9UbFOLQbNWeLVbN8XCK8Dd72XavEQrkvtZVY/edit?usp=sharing

Nasreddine then provided a massive PR with the driver binaries and a full set of new yaml files.

• https://github.com/magicsword-io/LOLDrivers/pull/63

5. Updated loldrivers.io

The LOLDrivers website has been updated to include new metadata and links to the latest binaries. The landing page now displays the SHA256 hashes of the drivers, further simplifying navigation and information retrieval for users.

6. Updated Validation CI Job with a YAML Spec

To maintain consistency and automatically validate/report on any YAML construction issues, we have updated the validation CI job with a jsonschema spec. This improvement helps streamline the process when a PR is created by someone in the community. We appreciate and welcome all community contributions!

7. Added Release CI Job

We have added a release CI job to create project releases. This allows us to have snapshot-in-time builds as we improve the project. The CI job also creates the driver.zip file and includes release notes, making it even easier to stay informed about the project’s progress.

8. New Drivers Added via Community Contributions

The community has been actively contributing to the project, and we’d like to highlight some of the new drivers added:

- dcr.sys

- SSPORT.sys

- LgCoreTemp.sys

- bedaisy.sys

- RTCore64.sys (New Hashes)

- hw.sys (New Hashes)

- windbg.sys

- Add Hash to Sense5Ext.sys

- Add KApcHelper_x64.sys

- Add mJj0ge.sys

- Add prokiller64.sys

- Add fur.sys

- procexp152.sys

Thank you to all the contributors who have helped expand the scope of the LOLDrivers project!

Conclusion

The 1.0 release of the Living Off The Land Drivers project brings numerous enhancements and updates, making it an even more valuable resource for analysts and researchers. We are grateful for the community’s ongoing support.

A Huge Thank You to Our Community and Maintainers!

We would like to extend our heartfelt thanks to the community members who have contributed to the project: goosvorbook, hRun, VoidSec, Wack0, X90e, hfiref0x and BlureL. Your dedication and effort have been instrumental in the growth and success of LOLDrivers. We also want to recognize the invaluable work of the project maintainers: Nas, Mike, and Jose. Their commitment and hard work continue to drive the project forward and make it an essential resource for the security community.

Thank you all for your contributions, and we look forward to seeing the project continue to grow and evolve with your support!