These Are The Drivers You Are Looking For: Detect and Prevent Malicious Drivers

Comprehensive guide to detecting Bring Your Own Vulnerable Driver (BYOVD) attacks and leveraging LOLDrivers for defense.

loldrivers byovd drivers kernel detection splunk

Originally published on the Splunk Security Blog
Read the full article: Detect and Prevent Malicious Drivers

The BYOVD Threat

Bring Your Own Vulnerable Driver (BYOVD) attacks allow attackers to:

  • Disable security tools - Kill EDR at kernel level
  • Elevate privileges - Kernel access = game over
  • Persist stealthily - Rootkit capabilities
  • Bypass protections - Operate below OS security

How BYOVD Works

  1. Attacker obtains vulnerable driver - Legitimately signed, known vulnerability
  2. Driver loaded on target - Often via service creation
  3. Vulnerability exploited - Arbitrary kernel read/write
  4. Security disabled - EDR processes terminated

LOLDrivers Project

LOLDrivers catalogs known vulnerable and malicious drivers with:

  • SHA256 hashes
  • YARA rules
  • Sigma rules
  • Sysmon configurations

Detection Strategies

Driver Load Events

index=sysmon EventCode=6
| rex field=Hashes "SHA256=(?<sha256>[A-Fa-f0-9]{64})"
| lookup loldrivers_hashes sha256 OUTPUT driver_name, category
| where isnotnull(driver_name)
| table _time, Computer, ImageLoaded, driver_name, category

Service Creation for Drivers

index=windows EventCode=7045 ServiceType="kernel mode driver"
| table _time, Computer, ServiceName, ImagePath, AccountName

Known Vulnerable Driver Hashes

index=sysmon EventCode=6
| rex field=Hashes "SHA256=(?<sha256>[A-F0-9]{64})"
| lookup loldrivers sha256 OUTPUT name, category
| where isnotnull(name)
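The three searches above share one piece of logic: pull the SHA256 out of the Sysmon `Hashes` field (which is a comma-separated list such as `MD5=...,SHA256=...,IMPHASH=...`, so matching the whole field against a hash lookup never hits), look it up against the LOLDrivers list, and separately flag kernel-mode driver services from Event ID 7045. The Python below is an added example, not code from the Splunk article or from the LOLDrivers project; the lookup contents, event records and hash values are constructed placeholders, and the field names mirror the ones used in the searches above.

```python
import re

# Constructed LOLDrivers-style lookup: sha256 (lowercase) -> (driver_name, category).
# These hashes are placeholders for the example, not real LOLDrivers entries.
LOLDRIVERS_LOOKUP = {
    "a" * 64: ("placeholder_vuln.sys", "vulnerable driver"),
    "b" * 64: ("placeholder_mal.sys", "malicious driver"),
}

# Sysmon writes the Hashes field as "MD5=..,SHA256=..,IMPHASH=..", so the
# SHA256 has to be extracted before it can be matched against a lookup.
SHA256_RE = re.compile(r"SHA256=([A-Fa-f0-9]{64})")


def extract_sha256(hashes_field):
    """Return the SHA256 from a Sysmon Hashes field, lowercased, or None."""
    m = SHA256_RE.search(hashes_field or "")
    return m.group(1).lower() if m else None


def find_loldriver_loads(events):
    """Sysmon Event ID 6 (driver loaded) records whose SHA256 is in the lookup."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 6:
            continue
        sha256 = extract_sha256(ev.get("Hashes"))
        if sha256 is None:
            continue
        match = LOLDRIVERS_LOOKUP.get(sha256)
        if match is None:
            continue
        hits.append({
            "Computer": ev.get("Computer"),
            "ImageLoaded": ev.get("ImageLoaded"),
            "sha256": sha256,
            "driver_name": match[0],
            "category": match[1],
        })
    return hits


def find_kernel_driver_services(events):
    """System Event ID 7045 records that installed a kernel-mode driver service."""
    return [
        {
            "Computer": ev.get("Computer"),
            "ServiceName": ev.get("ServiceName"),
            "ImagePath": ev.get("ImagePath"),
            "AccountName": ev.get("AccountName"),
        }
        for ev in events
        if ev.get("EventCode") == 7045
        and (ev.get("ServiceType") or "").lower() == "kernel mode driver"
    ]


# Constructed sample events with the field names used by the Splunk searches.
SAMPLE_EVENTS = [
    {"EventCode": 6, "Computer": "WS01",
     "ImageLoaded": r"C:\Windows\System32\drivers\placeholder_vuln.sys",
     "Hashes": "MD5=" + "1" * 32 + ",SHA256=" + "A" * 64 + ",IMPHASH=" + "2" * 32},
    {"EventCode": 6, "Computer": "WS02",
     "ImageLoaded": r"C:\Windows\System32\drivers\benign.sys",
     "Hashes": "SHA256=" + "C" * 64},
    {"EventCode": 6, "Computer": "WS02",
     "ImageLoaded": r"C:\Windows\System32\drivers\nohash.sys",
     "Hashes": "MD5=" + "3" * 32},
    {"EventCode": 7045, "Computer": "WS01", "ServiceName": "placeholdersvc",
     "ImagePath": r"C:\Users\Public\placeholder_vuln.sys",
     "ServiceType": "kernel mode driver", "AccountName": "LocalSystem"},
    {"EventCode": 7045, "Computer": "WS03", "ServiceName": "SomeUserSvc",
     "ImagePath": r"C:\Program Files\app\svc.exe",
     "ServiceType": "user mode service", "AccountName": "LocalSystem"},
]

if __name__ == "__main__":
    for hit in find_loldriver_loads(SAMPLE_EVENTS):
        print("LOLDrivers match:", hit)
    for svc in find_kernel_driver_services(SAMPLE_EVENTS):
        print("Kernel-mode driver service installed:", svc)
```

Hashes are lowercased on both sides before comparison because Sysmon emits uppercase hex while published hash lists are often lowercase; a Splunk `lookup` is case-insensitive by default, but a hand-rolled comparison is not. The third sample event shows why `isnotnull` matters in the SPL: a `Hashes` field configured without SHA256 produces no extracted value and should not be treated as a match.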

Prevention

Microsoft Vulnerable Driver Blocklist

Enable via Windows Security or Group Policy.

Application Control

Block untrusted drivers with:

  • WDAC (Windows Defender Application Control)
  • AppLocker (DLL rules)

Driver Signing Enforcement

Ensure only properly signed drivers load.

Resources
Read the full guide: Detect and Prevent Malicious Drivers

Related Modules

LOLDrivers

Living Off The Land Drivers - A curated list of Windows drivers used by adversaries to bypass security controls. The definitive resource for vulnerable driver detection.
