11/6/2023
Dart microsoft

This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus. Though this could impede investigations and threat hunting efforts, several artifacts can still be leveraged to identify affected devices.

The guide covers:
- Techniques to determine if devices in an organization are infected.
- Recovery and prevention strategies to protect your environment.

It is critical to note that a threat actor's use of this bootkit is primarily a persistence and defense evasion mechanism. It is not a first-stage payload or an initial access vector and can only be deployed to a device to which a threat actor has already gained either privileged access or physical access.

The malware uses CVE-2022-21894 (also known as Baton Drop) to bypass Windows Secure Boot and subsequently deploy malicious files to the EFI System Partition (ESP) that are launched by the UEFI firmware. This allows the bootkit to:
- Achieve persistence by enrolling the threat actor's Machine Owner Key (MOK).
- Turn off HVCI to allow deployment of a malicious kernel driver.
- Leverage the kernel driver to deploy the user-mode HTTP downloader for command and control (C2).
- Turn off BitLocker to avoid tamper protection strategies on Windows.
- Turn off Microsoft Defender Antivirus to avoid further detection.

For a comprehensive analysis of the BlackLotus installation process and follow-on actions, read this blog by ESET.

Microsoft Incident Response (previously known as Microsoft Detection and Response Team – DART), through forensic analysis of devices infected with BlackLotus, has identified multiple opportunities for detection along several steps in its installation and execution processes. Among them:
- Boot Configuration log entries generated

As threat hunters begin examining environments, it is crucial to adopt a comprehensive hunting strategy across these artifacts to down-filter false positives and surface true positives. Many of these artifacts, when observed in isolation, are low fidelity. Observing them in tandem with others, however, increases their significance in determining if a device has been infected.

Recently created and locked bootloader files

BlackLotus writes malicious bootloader files to the EFI system partition (ESP) and subsequently locks them to protect them from deletion or tampering. The files protected by the driver include, as originally listed by ESET:

To determine if such files exist in the ESP, threat hunters can mount the boot partition (with the mountvol command-line utility, for example) to examine the creation dates of the files within. Files with mismatched creation times, as well as those with names matching those protected by the BlackLotus kernel driver, should be considered suspicious (Figure 1). The LastModified timestamps of the files in the ESP should be compared to each other; the timestamps and filenames can also be compared against those in the OS partition under C:\Windows\Boot\EFI.

Figure 1: Evidence of recent modification dates and matching filenames of BlackLotus associated files on a BlackLotus infected device.

If recently modified and locked files are identified in the ESP on a device, especially those matching known BlackLotus bootloader filenames, these should be considered highly suspect and the devices should be removed from the network to be examined for further evidence of BlackLotus or follow-on activity.
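The ESP check described above, as an added PowerShell example (not code from the Microsoft or ESET write-ups): it mounts the ESP with mountvol, walks the files under EFI\, and flags any that match a watch list of filenames, were created recently, have a LastWriteTime out of step with the other ESP files, or differ from the copy of the same name under C:\Windows\Boot\EFI. The drive letter S:, the 30-day window, and the names in $WatchNames are assumptions; $WatchNames is a placeholder to fill in from the filenames ESET lists as protected by the BlackLotus driver.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Microsoft/ESET guidance. Assumptions: S: is a free
# drive letter, 30 days is the "recent" window, and $WatchNames is a placeholder
# to be replaced with the bootloader filenames listed by ESET.
$EspLetter    = 'S:'
$LookbackDays = 30
$WatchNames   = @('PLACEHOLDER_FILENAME_1.efi', 'PLACEHOLDER_FILENAME_2.efi')

# mountvol <drive>: /S mounts the EFI System Partition on that drive letter
mountvol $EspLetter /S
if ($LASTEXITCODE -ne 0) { throw "mountvol could not mount the ESP on $EspLetter" }

try {
    $osBoot   = 'C:\Windows\Boot\EFI'
    $cutoff   = (Get-Date).AddDays(-$LookbackDays)
    $espFiles = @(Get-ChildItem -Path "$EspLetter\EFI" -Recurse -File -ErrorAction Stop)

    # Legitimate servicing writes the ESP boot files together, so the median
    # LastWriteTime is a reference point and a file far from it is an outlier.
    $times  = @($espFiles.LastWriteTime | Sort-Object)
    $median = $times[[int][math]::Floor($times.Count / 2)]

    foreach ($f in $espFiles) {
        $reasons = @()
        if ($WatchNames -contains $f.Name) { $reasons += 'name matches watch list' }
        if ($f.CreationTime -gt $cutoff)   { $reasons += "created within $LookbackDays days" }
        if ([math]::Abs(($f.LastWriteTime - $median).TotalDays) -gt 1) {
            $reasons += 'LastWriteTime out of step with other ESP files'
        }

        # Compare with the OS-partition copy of the same filename, when one exists
        $twin = Join-Path $osBoot $f.Name
        if (Test-Path -LiteralPath $twin) {
            $t = Get-Item -LiteralPath $twin
            if ($t.LastWriteTime -ne $f.LastWriteTime) {
                $reasons += "LastWriteTime differs from $twin"
            }
            if ((Get-FileHash -LiteralPath $twin).Hash -ne (Get-FileHash -LiteralPath $f.FullName).Hash) {
                $reasons += "SHA256 differs from $twin"
            }
        }

        # One row per ESP file; filter on Suspicious to see only the hits
        [pscustomobject]@{
            File       = $f.FullName
            Created    = $f.CreationTime
            Modified   = $f.LastWriteTime
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}
finally {
    mountvol $EspLetter /D   # dismount the ESP again
}
```

Pipe the output to `Where-Object Suspicious | Format-Table -AutoSize` to see only flagged files. Each reason is a lead rather than a verdict: a hash or timestamp difference against C:\Windows\Boot\EFI can also come from an ESP that lags a servicing update, which is why the guidance weighs these artifacts together and isolates a device for fuller examination when several line up.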