Scan LoL drivers with AutoRuns PowerShell Module

You may have recently seen the InfoSec community effort to provide more info on Living Off The Land Drivers.

Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats.

If you have the Autoruns module installed, did you know that you can quickly identify whether a LoL driver is running on your system?

The identification is based on the SHA256 hashes of the drivers found on the current operating system. If one of them matches any of the SHA256 hashes of the known LoL drivers, the corresponding Autoruns entry is listed in the output. There is even a switch to get the LoL driver record instead of the Autoruns entry.

Here’s how to achieve that using a small script:

#Requires -Module AutoRuns
[CmdletBinding()]
Param(
    [switch]$ShowLolDriverInfo
)
Begin {
    $HT = @{
        Method = 'Get'
        UseBasicParsing = [switch]::Present
        Uri = 'https://www.loldrivers.io/api/drivers.json'
        Verbose = $false
        ErrorAction = 'Stop'
    }
    try {
        $JsonData = Invoke-RestMethod @HT
    } catch {
        Write-Warning -Message "Failed to get data about drivers because $($_.Exception.Message)"
    }
}
Process {}
End {
    if ($JsonData) {
        # Build the set of known-bad SHA256 values once, skipping samples that list no SHA256
        $LolHashes = $JsonData.KnownVulnerableSamples.SHA256 | Where-Object { $_ } | Sort-Object -Unique
        $AutorunsServices = Get-PSAutorun -ServicesAndDrivers -ShowFileHash
        # Compare every unique driver/service hash against that set (-in is case-insensitive)
        $AutorunsServices.SHA256 | Where-Object { $_ } | Sort-Object -Unique |
        ForEach-Object {
            if ($_ -in $LolHashes) {
                $sha2 = $_
                if ($ShowLolDriverInfo) {
                    # Return the LoL driver record(s) that list this hash
                    $JsonData | Where-Object { $sha2 -in $_.KnownVulnerableSamples.SHA256 }
                } else {
                    # Return the Autoruns entry whose file has this hash
                    $AutorunsServices | Where-Object { $_.SHA256 -eq $sha2 }
                }
            }
        }
    }
}

Well, it seems I have at least one on my system.

Let’s see its LoL driver info with the ShowLolDriverInfo switch:

If you don’t get any output, you don’t have any currently known LoL driver on your system 😎
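A variant of the same check, added here as an example and not part of the original post or of the AutoRuns module: it caches drivers.json locally so the scan also works offline, indexes the feed in a hashtable keyed by SHA256 so each Autoruns entry is a single lookup, and emits one object per match that joins the Autoruns entry with the LoL driver record. The cache path and age are arbitrary choices; the Autoruns property names ImagePath and Item, and the feed fields Id, Category, Tags and MitreID, are assumed from the module's and the loldrivers.io feed's usual output.

```powershell
# Added example (not the post's script). Assumes the AutoRuns module (Get-PSAutorun)
# and that the feed exposes Id/Category/Tags/MitreID per driver and a
# KnownVulnerableSamples array with SHA256 values (assumed field names).
#Requires -Module AutoRuns
[CmdletBinding()]
Param(
    [string]$CachePath = (Join-Path -Path $env:TEMP -ChildPath 'loldrivers.json'),  # arbitrary cache location
    [int]$MaxCacheAgeHours = 24                                                      # arbitrary refresh threshold
)

# Refresh the cached feed only when it is missing or older than the threshold
$refresh = (-not (Test-Path -Path $CachePath)) -or
    ((Get-Item -Path $CachePath).LastWriteTime -lt (Get-Date).AddHours(-$MaxCacheAgeHours))
if ($refresh) {
    try {
        Invoke-WebRequest -Uri 'https://www.loldrivers.io/api/drivers.json' -UseBasicParsing `
            -OutFile $CachePath -ErrorAction Stop
    } catch {
        # Fall back to the cached copy, if there is one, when the download fails
        Write-Warning -Message "Could not refresh the feed: $($_.Exception.Message)"
    }
}
if (-not (Test-Path -Path $CachePath)) {
    Write-Warning -Message 'No feed available (download failed and no cached copy); nothing to compare against.'
    return
}
$Drivers = Get-Content -Path $CachePath -Raw | ConvertFrom-Json

# Index: upper-case SHA256 -> list of driver records that contain that sample.
# One hash can appear under more than one driver record, hence a list per key.
$Index = @{}
foreach ($d in $Drivers) {
    foreach ($s in $d.KnownVulnerableSamples) {
        if ([string]::IsNullOrWhiteSpace($s.SHA256)) { continue }   # some samples only carry MD5/SHA1
        $key = $s.SHA256.ToUpperInvariant()
        if (-not $Index.ContainsKey($key)) {
            $Index[$key] = [System.Collections.Generic.List[object]]::new()
        }
        $Index[$key].Add($d)
    }
}

# Walk the services and drivers Autoruns knows about and join them on the hash
Get-PSAutorun -ServicesAndDrivers -ShowFileHash |
Where-Object { -not [string]::IsNullOrWhiteSpace($_.SHA256) } |   # entries with no hash cannot match
ForEach-Object {
    $entry = $_
    $key = $entry.SHA256.ToUpperInvariant()
    if ($Index.ContainsKey($key)) {
        foreach ($d in $Index[$key]) {
            [PSCustomObject]@{
                Item      = $entry.Item        # assumed Autoruns property name
                ImagePath = $entry.ImagePath   # assumed Autoruns property name
                SHA256    = $entry.SHA256
                LolId     = $d.Id              # assumed feed field
                Category  = $d.Category        # assumed feed field
                Tags      = ($d.Tags -join ', ')
                MitreID   = $d.MitreID         # assumed feed field
            }
        }
    }
}
```

Run it once online to populate the cache, then it keeps working on hosts without Internet access as long as the cached drivers.json is present; as with the post's script, an empty result means none of the currently known LoL driver hashes were found among the drivers and services Autoruns enumerates.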