LOLDrivers
Living Off The Land Drivers - A curated list of Windows drivers used by adversaries to bypass security controls. The definitive resource for vulnerable driver detection.
curl -s https://www.loldrivers.io/api/drivers.json | jq
⚠ The Problem
Attackers use vulnerable Windows drivers (BYOVD - Bring Your Own Vulnerable Driver) to bypass security controls, disable EDR, and gain kernel-level access. Tracking these drivers was fragmented and incomplete.
✓ The Solution
LOLDrivers provides a comprehensive, community-maintained database of vulnerable and malicious Windows drivers with detection rules for Sysmon, YARA, Sigma, and SIEM platforms.
⚡ Impact
Used by security teams worldwide for driver blocklisting and detection. Integrated into Microsoft Defender, Splunk, and other major security tools. The definitive resource for BYOVD defense.
Overview
LOLDrivers (Living Off The Land Drivers) is a community-driven project that catalogs Windows drivers abused by adversaries. It’s the sister project to LOLBAS and GTFOBins.
Features
- Comprehensive Database: Hundreds of vulnerable and malicious drivers cataloged
- Detection Rules: Pre-built Sysmon configs, YARA rules, and Sigma rules
- API Access: JSON and CSV exports for integration
- SIEM Queries: Ready-to-use queries for Splunk, Microsoft Defender, and more
Integrations
LOLDrivers is integrated into:
- Microsoft Defender
- Splunk Security Content
- Velociraptor
- Nessus
- Various EDR platforms
Credit
Co-founded by Michael Haag. Part of the MagicSword.io family of security projects.
Related Modules
AppLockerGen
AppLocker Policy Generator. Create and manage AppLocker policies programmatically.
ASRGEN
ASR Configurator, Essentials and Atomic Testing. Configure and test Attack Surface Reduction rules.
AtomicLua
A combination of OffensiveLua and Learning Lua - By Defenders, for Defenders.