LOLDrivers and HVCI
Understanding the relationship between LOLDrivers and Hypervisor-Protected Code Integrity (HVCI) - how they work together to protect against driver-based attacks.
Originally published on Medium
Read the full article: LOLDrivers and HVCI
What is HVCI?
Hypervisor-Protected Code Integrity (HVCI) is a virtualization-based security (VBS) feature. The hypervisor moves the kernel-mode code integrity check into an isolated, more trusted environment and uses second-level address translation to guarantee that no kernel memory page is ever both writable and executable. Only code that passes code-integrity validation can execute in kernel mode. That makes HVCI a powerful defense against BYOVD (Bring Your Own Vulnerable Driver) attacks that rely on loading or injecting unsigned kernel code, with the limits described below.
How HVCI Helps
HVCI prevents:
- Loading drivers that fail code-integrity validation (unsigned, tampered, or not meeting the signing policy)
- Runtime modification of kernel code pages, since no kernel page can be both writable and executable
- Exploitation techniques that depend on executing unsigned code in the kernel, such as writing shellcode into kernel memory or patching kernel functions
It does not prevent data-only attacks: a validly signed driver that exposes an arbitrary kernel read/write primitive can still be used to tamper with kernel data structures (process tokens, protection levels, security callback registrations) without ever executing unsigned code.
The LOLDrivers Connection
Even with HVCI, defenders need LOLDrivers because:
Signed Drivers Still Load
HVCI blocks drivers that fail signature validation; it does not judge whether a validly signed driver is safe. A vulnerable driver with a valid signature, including one signed with a leaked or since-expired (but timestamped) certificate, loads normally unless the Microsoft vulnerable driver blocklist or a WDAC policy explicitly blocks it.
Blocklist Maintenance
Microsoft's vulnerable driver blocklist is enforced on HVCI-enabled systems, but it is updated only periodically (with Windows releases and, more recently, through Windows Update) and lags behind newly discovered vulnerable drivers. LOLDrivers tracks those drivers with hashes and signing details and publishes the list in formats that can be turned into blocking rules (including a WDAC policy), so you can block a driver before it reaches the official blocklist.
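Before relying on either control, confirm that HVCI is actually running (not merely configured) and that the vulnerable driver blocklist switch has not been turned off. The following script is an added example, not code from the original article or the LOLDrivers project; it uses only the documented Win32_DeviceGuard CIM class and the documented VulnerableDriverBlocklistEnable registry value, and should be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original page or the LOLDrivers project): report whether
# HVCI is running and whether the Microsoft vulnerable driver blocklist is switched on.
# Uses the documented Win32_DeviceGuard CIM class and the documented CI\Config registry
# value. Run from an elevated PowerShell prompt.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# Documented value meanings for Win32_DeviceGuard properties
$vbsStates = @{ 0 = 'Not enabled'; 1 = 'Configured, not running'; 2 = 'Running' }
$ciStates  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
$hvciCode  = 2   # SecurityServicesConfigured/Running: 1 = Credential Guard, 2 = HVCI

$vbs         = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
$hvciWanted  = $dg.SecurityServicesConfigured -contains $hvciCode
$hvciRunning = $dg.SecurityServicesRunning    -contains $hvciCode
$kmciPolicy  = $ciStates[[int]$dg.CodeIntegrityPolicyEnforcementStatus]

# Explicit blocklist switch. If the value is absent, the OS default applies: on for
# HVCI-enabled devices, and on by default for all devices from Windows 11 22H2.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                       -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
$value = $ci.VulnerableDriverBlocklistEnable
$blocklist = if ($null -eq $value) { 'Not set (OS default applies)' }
             elseif ($value -eq 1)  { 'Enabled (explicit)' }
             else                   { 'DISABLED (explicit)' }

$report = [pscustomobject]@{
    VirtualizationBasedSecurity = $vbs
    HvciConfigured              = $hvciWanted
    HvciRunning                 = $hvciRunning
    KernelCIPolicy              = $kmciPolicy      # WDAC kernel-mode policy state
    VulnerableDriverBlocklist   = $blocklist
}
$report | Format-List

# "Configured but not running" usually means a reboot is pending or the platform cannot
# support it (no IOMMU, an incompatible driver, or VBS unavailable inside the VM).
if ($hvciWanted -and -not $hvciRunning) {
    Write-Warning 'HVCI is configured but not running: VBS is not enforcing kernel code integrity on this host.'
}
```

The distinction between SecurityServicesConfigured and SecurityServicesRunning is the one that matters in practice: group policy or MDM can push the HVCI setting to a fleet, but a host that never rebooted, or whose firmware lacks the prerequisites, reports it as configured while enforcing nothing.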
Detection Still Needed
HVCI is preventive. You still need detection for:
- Attempts to load vulnerable drivers, whether they succeed (a signed driver not yet on the blocklist) or fail (a policy block, which the CodeIntegrity operational log records)
- Exploitation of drivers that are already loaded, which HVCI does not see: that is behavioural detection (unexpected processes opening the driver's device object, privilege changes, tampering with security tools)
- Systems that cannot run HVCI (older hardware, incompatible drivers, or environments where it was disabled)
Defense in Depth
Best protection combines:
- HVCI - Prevent unsigned or tampered kernel code from executing
- Driver Blocklist - Block known-bad signed drivers (Microsoft's list plus a WDAC policy for anything it does not yet cover)
- LOLDrivers Detection - Alert on vulnerable driver activity by hash and signer
- Monitoring - Track driver loads and driver behavior after load
Recommendations
- Enable HVCI where possible, and verify it is running rather than only configured
- Keep the vulnerable driver blocklist updated; supplement it with a WDAC policy built from the LOLDrivers list where you need to move faster than Microsoft's release cadence
- Implement LOLDrivers detections (Sigma rules or hash matching against the published driver list)
- Monitor driver loads: Sysmon Event ID 6 (DriverLoad, with hashes and signer), System log Event ID 7045 (new service installed, which includes kernel drivers), Security Event ID 4697 where Audit Security System Extension is enabled, and the Microsoft-Windows-CodeIntegrity/Operational log (Event ID 3077 for an enforced block, 3076 in audit mode)
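The recommendations above boil down to one recurring job: compare what loaded into the kernel against what LOLDrivers knows to be vulnerable. The script below is an added example, not code from the original article or the LOLDrivers project. It reads Sysmon Event ID 6 records, extracts the SHA256 from the Hashes field, and matches it against the LOLDrivers list. It assumes drivers.json has been downloaded from https://www.loldrivers.io/api/drivers.json (the script fetches it if the file is missing), and the field names it uses (Id, Category, KnownVulnerableSamples, Filename, SHA256) follow that file's schema; check them against the copy you download if the schema changes.

```powershell
# Added example (not from the original page or the LOLDrivers project): match Sysmon
# Event ID 6 (DriverLoad) records against the LOLDrivers hash list.
# Assumes drivers.json from https://www.loldrivers.io/api/drivers.json; the field names
# used below (Id, Category, KnownVulnerableSamples[].Filename/SHA256) follow that schema.
param(
    [string]$LolDriversJson = "$env:TEMP\drivers.json",
    [int]$MaxEvents = 1000
)

if (-not (Test-Path $LolDriversJson)) {
    Invoke-WebRequest -Uri 'https://www.loldrivers.io/api/drivers.json' -OutFile $LolDriversJson
}

# Build a SHA256 -> driver metadata lookup from every known vulnerable sample.
$lookup = @{}
foreach ($entry in (Get-Content -Raw $LolDriversJson | ConvertFrom-Json)) {
    foreach ($sample in $entry.KnownVulnerableSamples) {
        if ($sample.SHA256) {
            $lookup[$sample.SHA256.ToLowerInvariant()] = [pscustomobject]@{
                Id       = $entry.Id
                Category = $entry.Category
                Filename = $sample.Filename
            }
        }
    }
}

# Pull driver load events from the live Sysmon log. To scan an exported file instead,
# replace LogName with Path = 'C:\path\to\export.evtx' in the filter hashtable.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    # Event ID 6 fields: RuleName, UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Hashes looks like "SHA1=...,MD5=...,SHA256=...,IMPHASH=..." depending on the
    # Sysmon HashAlgorithms setting; SHA256 must be enabled for this match to work.
    $sha256 = ($data['Hashes'] -split ',' | Where-Object { $_ -like 'SHA256=*' }) -replace '^SHA256=', ''
    if (-not $sha256) { continue }

    $hit = $lookup[$sha256.ToLowerInvariant()]
    if ($hit) {
        [pscustomobject]@{
            TimeUtc     = $data['UtcTime']
            ImageLoaded = $data['ImageLoaded']
            Signed      = $data['Signed']
            Signature   = $data['Signature']   # the signer, which is what HVCI trusted
            SHA256      = $sha256
            LolDriverId = $hit.Id
            Category    = $hit.Category
            KnownAs     = $hit.Filename
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning ("{0} driver load(s) matched the LOLDrivers list." -f @($hits).Count)
} else {
    Write-Host "No LOLDrivers matches in the last $MaxEvents DriverLoad events."
}
```

Matching on hash is deliberately strict: an attacker can trivially produce a new file hash by re-signing or padding a driver, so treat this as a high-confidence alert for known samples, not as proof of absence. For the cases hashing misses, a second rule keyed on the Signature field (the certificate subjects LOLDrivers lists as abused) catches re-hashed copies of the same signed driver at the cost of more triage.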
Read the full analysis: LOLDrivers and HVCI
Related Modules
LOLDrivers
Living Off The Land Drivers - A curated list of Windows drivers used by adversaries to bypass security controls. The definitive resource for vulnerable driver detection.