Create Windows.LOLDriverScan #639
base: master
Conversation
SELECT * FROM foreach( | ||
row={ | ||
SELECT Stdout FROM execve(argv=["Powershell", execute], length=1000000) |
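Review bot: `execve(argv=["Powershell", execute], length=1000000)` routes the tool through a PowerShell interpreter even though LolDriverScan ships as a standalone Go binary, and the `execute` value is then interpreted by PowerShell as a command line rather than passed as a plain argument. Launch the downloaded binary directly with `execve(argv=[<tool path>, ...])` and parse `Stdout` into rows so the artifact returns structured results instead of one text blob.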
You don't really need to call PowerShell, right? That project is written in Go, so it is just a binary.
tools: | ||
- name: LOLDriverScan | ||
url: https://github.com/FourCoreLabs/LolDriverScan/releases/download/v1.2/LolDriverScan_1.2_windows_amd64.zip | ||
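Review bot: the `tools` entry pins LOLDriverScan by URL only and carries no `expected_hash`, so a client will run whatever that release URL happens to serve. Add `expected_hash` with the SHA256 of the v1.2 zip so a swapped or tampered download is rejected before execution.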
Please also add an expected hash
@@ -0,0 +1,32 @@ | |||
name: Windows.LOLDriverScan | |||
description: LolDriverScan is a golang tool that allows users to discover vulnerable drivers on their system. This tool fetches the loldrivers.io list from their APIs and scans the system for any vulnerable drivers This project is implemented in Go and does not require elevated privileges to run. https://github.com/FourCoreLabs/LolDriverScan |
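Review bot: the description runs two sentences together ("...any vulnerable drivers This project...") and states twice that the tool is written in Go; tighten it, and say explicitly that every endpoint fetches the loldrivers.io list from the API at scan time, since that network dependency matters when the artifact is run as a hunt across many endpoints.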
I took a quick look at this project and there are a number of issues with integrating it with Velociraptor:
- The binary goes out to the lolbin API to get the list of hashes. This can be a problem when running as a hunt (having 100k endpoints hitting the API at the same time can be fun on the gateway and the provider).
- The project seems very simple; it just grabs some hashes. It looks like a full VQL equivalent is fairly simple to do. In fact it looks very similar to Windows.System.Services. Can we just leverage that one?
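As an added example (not code from this PR, from the LolDriverScan project or from the reviewer), here is a pure-VQL artifact along the lines suggested above: it enumerates kernel and file-system drivers from the Services key, hashes the on-disk images, and matches them against a hash list supplied as a server-side parameter, so endpoints never call the loldrivers.io API during a hunt. The artifact name, the `KnownBadHashes` parameter, the `normalise` helper and the placeholder hash values are assumptions.

```yaml
# Added example, not code from PR #639: a pure-VQL driver hash check.
# Hash values below are constructed placeholders, not real indicators.
name: Custom.Windows.Drivers.HashCheck
description: |
  Enumerate kernel (Type 1) and file-system (Type 2) drivers registered
  under the Services key, hash each image on disk, and report those whose
  SHA256 appears in the supplied list.
precondition: SELECT OS FROM info() WHERE OS = 'windows'
parameters:
  - name: KnownBadHashes
    type: csv
    description: CSV with a SHA256 column; populate it on the server, not on each endpoint.
    default: |
      SHA256
      PLACEHOLDER_SHA256_0000000000000000000000000000000000000000000001
      PLACEHOLDER_SHA256_0000000000000000000000000000000000000000000002
sources:
  - query: |
      -- ImagePath appears as \??\C:\..., \SystemRoot\System32\... or
      -- System32\drivers\...; rewrite each form into an openable path.
      LET normalise(P) = expand(path=regex_replace(
            source=regex_replace(
              source=regex_replace(source=P, re='''^\\\?\?\\''', replace=''),
              re='''^\\SystemRoot\\''', replace='''%SystemRoot%\\'''),
            re='''^[Ss]ystem32\\''', replace='''%SystemRoot%\\System32\\'''))

      -- Materialise the list once so the comparison below is a set lookup.
      LET BadSet <= SELECT lowcase(string=SHA256) AS SHA256 FROM KnownBadHashes

      LET Drivers = SELECT Key.Name AS Service,
             ImagePath,
             normalise(P=ImagePath) AS ImageFile
        FROM read_reg_key(globs="HKLM\\SYSTEM\\CurrentControlSet\\Services\\*")
        WHERE ImagePath AND Type IN (1, 2)

      -- Only rows whose image hash is in the supplied list are reported.
      SELECT Service, ImagePath, ImageFile,
             hash(path=ImageFile).SHA256 AS SHA256
        FROM Drivers
        WHERE SHA256 IN BadSet.SHA256
```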
FWIW - I have a VQL hunt that looks at hashes in AMCache here https://github.com/mgreen27/DetectRaptor/blob/master/vql/LolDrivers.yaml
(I do need to refactor my build script to split it out a bit, as the project is getting quite big nowadays.)
Should be fairly easy to add in a services check too.