Add BYOD (Bring-Your-Own-Driver) detection module and signatures

[wmetcalf]

Overview

Adds detection for Bring-Your-Own-Driver (BYOD / BYOVD) attacks where a sample loads a kernel driver — typically a known-vulnerable signed driver from the LOLDrivers catalog — to bypass EDR/AV protection.

Two parts:

1. Processing module (modules/processing/loldrivers.py) walks the per-task Sysmon EVTX (EID 1/5/6/11) and System log (EID 7045) extracted from evtx/evtx.zip, classifies driver loads against the LOLDrivers feed, and correlates post-load exploitation activity against a security-tools catalog.

2. Four signatures (modules/signatures/all/byod.py) consuming that output:

   Signature	Fires on
   byod_loldrivers_match	Tiered LOLDrivers hit — SHA256 (critical) → signer+filename (high) → filename (medium). Capped at severity 3 when the driver IS the analyst-submitted sample.
   byod_novel_driver	Unsigned/non-system driver heuristics (suspicious path, missing/invalid signature, dropper lineage, matching service install)
   byod_post_load_exploitation	Driver load followed by termination of EDR/AV/sandbox tooling — Sysmon EID 5 within a 120s window OR executed-command kill verbs (taskkill/Stop-Process/wmic delete) attributed against a 406-entry security-tools catalog
   byod_driver_service_install	Sample-attributed kernel-mode driver service install (filters legit Windows driver installs)

Files

File	Purpose
modules/processing/loldrivers.py	EVTX walker + tiered match + novel-driver heuristics + exploitation correlation
modules/signatures/all/byod.py	4 signatures consuming processing output
data/security_tools.json	406-entry exe → {tool, vendor, category} catalog (12 categories: EDR, AV, NetworkAnalysis, Sysinternals, ReverseEngineering, etc.)
utils/fetch_loldrivers.py	Admin-run fetcher for the LOLDrivers feed (chunked stream, atomic replace, schema check)
.gitignore	Excludes the fetched data/loldrivers.json (~30 MB, too large for git)

False-positive resistance

byod_driver_service_install gates on three sample-attributable signals (any one is sufficient):

• sample_under_test — driver basename equals the submitted sample's basename
• created_by_sample — Sysmon EID 11 ties the .sys creation to a monitored process
• service_invoked_by_sample — executed_commands contains sc create/sc start against the driver's path or basename

Path-based gating (Temp/AppData/etc.) was deliberately rejected — the analyzer drops user-uploaded samples into the same paths it would match, so an analyst submitting a raw .sys to scan would FP. The cmdline-attribution branch catches the loader/dropper pattern (where the .sys is extracted by the analyzer rather than written by a monitored process, and the basename differs from the submission name) without firing on raw .sys submissions.

The post-load cmdline kill correlation runs once per analysis (not per driver-load) and only emits when at least one driver actually loaded — so a non-BYOD sample running taskkill in isolation won't trigger byod_post_load_exploitation.

Installation

The LOLDrivers feed (~30 MB, ~620 driver entries, ~2000 sample hashes) is too large to commit. Fetch on demand:

```
poetry run python utils/fetch_loldrivers.py
```

The fetcher streams in 1 MiB chunks to <dest>.tmp, validates the JSON shape and presence of KnownVulnerableSamples, and atomically swaps in via os.replace. The data/security_tools.json catalog ships in the PR.

If the feed is missing or malformed at processing time, the module logs a WARNING/ERROR and disables itself gracefully — the other three signatures continue to work via heuristics.

Enable in processing.conf:
```
[loldrivers]
enabled = yes
```

Test plan

End-to-end validated on a live CAPE deployment:

• CAPE detonation of RTCore64.sys (a well-known LOLDriver, signed by Micro-Star International) wrapped in a .bat loader doing sc create RTCore64Test binPath= "...\Temp\RTCore64.sys" type= kernel + sc start + taskkill /F /IM MsMpEng.exe — all 4 BYOD signatures fired with correct attribution and severities
• Raw .sys analyst submission (no loader) — driver never loads, 0 BYOD signals (correct, no FP)
• Missing data/loldrivers.json — graceful WARNING, 3 of 4 sigs still fire via heuristics
• Malformed feed (JSON dict instead of list) — graceful ERROR, 3 of 4 sigs still fire
• Malformed feed (list with junk entries mixed in) — junk entries skipped, valid entries parsed, all 4 sigs fire
• FP corpus check on 20 prior tasks (no driver loads) — 0 false-positive fires

Notes

• Requires python-evtx (already a CAPE dependency).
• Processing module is registered with order = 11 to run after sysmon (10) and before signatures.

[gemini-code-assist]

Code Review

This pull request introduces a BYOD (Bring-Your-Own-Driver) detection system, including a processing module for Sysmon/System log analysis, a suite of signatures, and a utility to fetch the LOLDrivers catalog. Feedback addresses a potential parsing failure with high-precision Sysmon timestamps, recommends explicit UTF-8 encoding for file I/O, and suggests sanitizing ZIP entry paths to prevent traversal vulnerabilities.

[gemini-code-assist]

Sysmon timestamps often include more than 6 digits of fractional seconds (e.g., 7 digits). datetime.strptime with %f only supports up to 6 digits, and fromisoformat (in Python versions prior to 3.11) also has strict limits. This will cause a ValueError when parsing such records. Truncating the fractional seconds to 6 digits before parsing is a safer approach.

Suggested change

	for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
	if "." in s:
	base, frac = s.split(".", 1)
	s = f"{base}.{frac[:6]}"
	for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):

[gemini-code-assist]

It is recommended to specify the encoding (e.g., utf-8) when opening the JSON feed to ensure consistent behavior across different platforms and locales.

Suggested change

	with open(LOLDRIVERS_PATH) as f:
	with open(LOLDRIVERS_PATH, encoding="utf-8") as f:

[gemini-code-assist]

It is recommended to specify the encoding (e.g., utf-8) when opening the JSON feed to ensure consistent behavior across different platforms and locales.

Suggested change

	with open(SECURITY_TOOLS_PATH) as f:
	with open(SECURITY_TOOLS_PATH, encoding="utf-8") as f:

[gemini-code-assist]

zipfile.extract() does not inherently prevent path traversal if the ZIP file contains absolute paths or paths with ... While the source of the ZIP is internal to the sandbox, it is a security best practice to sanitize the filename using os.path.basename to ensure files are extracted only into the target directory.

Suggested change

	extracted_path = zf.extract(info, target_dir)
	info.filename = os.path.basename(info.filename)
	extracted_path = zf.extract(info, target_dir)

[Copilot]

Pull request overview

Adds BYOD (Bring-Your-Own-Driver / BYOVD) detection to the analysis pipeline by introducing a processing module that correlates EVTX driver-load telemetry against the LOLDrivers catalog and post-load “security tool kill” activity, plus signatures that surface these findings.

Changes:

• New processing module (loldrivers) that parses evtx/evtx.zip, matches loaded drivers against a LOLDrivers feed, and correlates post-load exploitation activity using a shipped security-tools catalog.
• New BYOD signature pack (4 signatures) consuming results["loldrivers"].
• New admin fetcher for the LOLDrivers feed + .gitignore update; adds data/security_tools.json catalog.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
utils/fetch_loldrivers.py	Adds a downloader/validator for the external LOLDrivers JSON feed.
modules/processing/loldrivers.py	Implements EVTX parsing, tiered matching, heuristics, and exploitation correlation for BYOD.
modules/signatures/all/byod.py	Adds 4 signatures to emit detections based on results["loldrivers"].
data/security_tools.json	Adds a shipped exe→tool/vendor/category catalog for post-load correlation.
.gitignore	Ignores the large fetched data/loldrivers.json feed file.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

samples = sum(len(e.get(...)) for e in parsed) assumes every element is a dict; if the feed contains non-dict entries this raises AttributeError and the fetcher crashes even though you handle malformed entries elsewhere. Filter to isinstance(e, dict) (or default {}) when counting samples so the script can still reject/accept based on actual usable entries.

[Copilot]

_filetime_to_dt() won’t parse the 7-digit fractional seconds commonly found in EVTX SystemTime values (e.g. ...16:57:01.1234567Z), because %f only supports up to 6 digits and fromisoformat() has the same limitation. This will cause time-based correlation (EID 5 within 120s) to silently fail. Consider normalizing timestamps by truncating fractional seconds to 6 digits (or using a parser that supports 100ns precision) before calling strptime/fromisoformat.

[Copilot]

_extract_evtx() uses ZipFile.extract() on archive members without validating the member path or rejecting symlinks. Because evtx.zip originates from the guest, this can enable zip-slip (write outside the temp dir) and symlink attacks. modules/processing/sigma.py already implements safe extraction checks for this same archive; it’d be safer to reuse that approach here (realpath prefix check, reject symlinks, and total uncompressed-size guard).

Suggested change

	try:
	with zipfile.ZipFile(zip_path) as zf:
	for info in zf.infolist():
	if any(f.lower() in info.filename.lower() for f in name_filters):
	total_extracted += info.file_size
	if total_extracted > max_size:
	log.warning("evtx zip extraction exceeded %d bytes, aborting", max_size)
	break
	extracted_path = zf.extract(info, target_dir)
	paths.append(extracted_path)
	target_dir_real = os.path.realpath(target_dir)
	try:
	with zipfile.ZipFile(zip_path) as zf:
	for info in zf.infolist():
	if not any(f.lower() in info.filename.lower() for f in name_filters):
	continue
	total_extracted += info.file_size
	if total_extracted > max_size:
	log.warning("evtx zip extraction exceeded %d bytes, aborting", max_size)
	break
	# Reject symlink entries from untrusted archives.
	mode = (info.external_attr >> 16) & 0o177777
	if (mode & 0o170000) == 0o120000:
	log.warning("skipping symlink in evtx zip: %s", info.filename)
	continue
	extracted_path = os.path.realpath(os.path.join(target_dir_real, info.filename))
	if extracted_path != target_dir_real and not extracted_path.startswith(target_dir_real + os.sep):
	log.warning("skipping unsafe evtx zip member path: %s", info.filename)
	continue
	if info.is_dir():
	os.makedirs(extracted_path, exist_ok=True)
	continue
	os.makedirs(os.path.dirname(extracted_path), exist_ok=True)
	with zf.open(info) as src, open(extracted_path, "wb") as dst:
	while True:
	chunk = src.read(1024 * 1024)
	if not chunk:
	break
	dst.write(chunk)
	paths.append(extracted_path)

[Copilot]

_is_sample_being_analyzed() only compares the driver basename to results.target.file.name. If the submitted sample is foo.sys and the analysis also loads a different foo.sys from elsewhere, this will incorrectly mark it as sample_under_test and cap severity. Since the driver SHA256 is already extracted (and results.target.file.sha256 exists in other modules), compare hashes when available and only fall back to basename when hashes are missing.

[Copilot]

The module attempts to extract System log events (EID 7045) from evtx/evtx.zip via name_filters=["_System.evtx"], but the analyzer-side EVTX dump currently only includes Microsoft-Windows-Sysmon%4Operational.evtx (see analyzer/windows/modules/auxiliary/sysmon.py). As a result, system_records/service_installs will always be empty in the default setup, and the byod_driver_service_install signature won’t fire. Consider either (a) updating the EVTX collection to include System.evtx, or (b) adjusting the processing module to detect installs via available telemetry when System.evtx isn’t present (and/or fix the filename filter to match System.evtx).