How To Hunt For UEFI Malware Using Velociraptor

UEFI threats have historically been limited in number and mostly implemented by nation-state actors as stealthy persistence. However, the recent proliferation of Black Lotus on the dark web, the Trickbot enumeration module (late 2022), and Glupteba (November 2023) indicate that this historical trend may be changing.

With this context, it is becoming important for security practitioners to understand the visibility and collection capabilities available for UEFI threats. This post covers some of these areas and presents several recent Velociraptor artifacts that can be used in the field. Rapid7 has also released a white paper providing detailed information about how UEFI malware works and some of the most common types.

Background

Unified Extensible Firmware Interface, or UEFI, is the interface between a system’s hardware and its operating system (OS). The technology can be viewed as an updated BIOS capability to improve and add security to the boot process.

The two main types of UEFI persistence are:

1. Serial Peripheral Interface (SPI) based

- Firmware payload implant that is resilient to even a hard disk format.
- Difficult to implement: a mistake in the firmware risks bricking the machine.
- Difficult to detect at scale: defenders need to extract the firmware, which typically requires a signed driver, and then run tools for analysis.
- Typically an analyst would dump the firmware, then extract variables and other interesting files, such as PEs, for deep-dive analysis.

2. EFI System Partition (ESP) based

- A special FAT partition that stores bootloaders and sits late in the EFI boot process.
- Much easier to implement, requiring only root privileges and a Secure Boot bypass.
- Does not survive a machine format.
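The ESP variety is the one a defender can inventory from a running OS without a firmware dump. As an added illustration that is not part of the original post and not a Velociraptor artifact, the following Python script baselines the files on an ESP and flags a modified bootloader, a file absent from the baseline, or a PE image hiding under a non-.efi name; the directory layout and file contents are constructed sample data, not real bootloaders.

```python
import hashlib
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"  # DOS header magic that every PE/EFI image starts with


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def inventory_esp(esp_root: Path) -> dict:
    """Map every file on the ESP (relative POSIX path) to its SHA-256."""
    return {p.relative_to(esp_root).as_posix(): sha256(p)
            for p in esp_root.rglob("*") if p.is_file()}


def hunt_esp(esp_root: Path, baseline: dict) -> list:
    """Compare an ESP against a known-good baseline and return (path, reason) findings."""
    findings = []
    for rel, digest in sorted(inventory_esp(esp_root).items()):
        full = esp_root / rel
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "hash differs from baseline"))
        # A PE header on a file that is not named *.efi deserves a closer look.
        if full.suffix.lower() != ".efi" and full.read_bytes()[:2] == PE_MAGIC:
            findings.append((rel, "PE image without .efi extension"))
    return findings


def build_sample_esp(root: Path, tampered: bool) -> None:
    """Lay out a constructed ESP tree; the tampered variant alters and adds files."""
    ms_boot = root / "EFI" / "Microsoft" / "Boot"
    fallback = root / "EFI" / "Boot"
    ms_boot.mkdir(parents=True)
    fallback.mkdir(parents=True)
    (fallback / "bootx64.efi").write_bytes(PE_MAGIC + b"\x00" * 64)
    (ms_boot / "bootmgfw.efi").write_bytes(PE_MAGIC + b"\x01" * 64)
    if tampered:
        (ms_boot / "bootmgfw.efi").write_bytes(PE_MAGIC + b"\x02" * 64)  # replaced loader
        (ms_boot / "stage2.bin").write_bytes(PE_MAGIC + b"\x03" * 64)    # hidden PE stage


def demo() -> list:
    """Baseline a clean constructed ESP, then hunt a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, suspect = Path(tmp, "gold"), Path(tmp, "suspect")
        build_sample_esp(gold, tampered=False)
        build_sample_esp(suspect, tampered=True)
        return hunt_esp(suspect, inventory_esp(gold))
```

On a real host the baseline would come from a known-good image of the same OS build, and the inventory would be collected from the mounted ESP (for example /boot/efi on Linux).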

EFI Secure ..