{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/efi/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2024-7344"}],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["bootkit","persistence","efi","bootloader","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies suspicious activity related to the modification of EFI bootloader files on Windows systems. The EFI bootloader files, specifically \u003ccode\u003ebootmgfw.efi\u003c/code\u003e and \u003ccode\u003ebootx64.efi\u003c/code\u003e located in the \u003ccode\u003e\\EFI\\Boot\\\u003c/code\u003e directory, are critical components responsible for initializing the Windows Boot Manager during system startup. Modification or replacement of these files is highly unusual under normal circumstances. Such activity may indicate an attacker\u0026rsquo;s attempt to install a bootkit, establish persistence for malicious code at the firmware level, or otherwise compromise the integrity of the system\u0026rsquo;s boot process. The referenced HybridPetya ransomware and CVE-2024-7344 highlight the real-world threat of bootloader modification for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an existing vulnerability or compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain necessary permissions to modify system files.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the EFI bootloader files (\u003ccode\u003ebootmgfw.efi\u003c/code\u003e or \u003ccode\u003ebootx64.efi\u003c/code\u003e) in the \u003ccode\u003e\\EFI\\Boot\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the bootloader file, potentially injecting malicious code or replacing it with a compromised version.\u003c/li\u003e\n\u003cli\u003eThe system is rebooted, and the modified bootloader executes, initiating the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious payload gains control early in the boot process, bypassing security measures.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, allowing them to maintain control over the system even after reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the EFI bootloader can result in a complete compromise of the affected system. Attackers can use this technique to install persistent malware, bypass security measures, and potentially gain control over the entire network. This can lead to data theft, system disruption, and other malicious activities. While specific victim numbers are unavailable, the criticality of the boot process means any successful attack can have severe consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 logging to monitor file creation events and activate the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWindows EFI Bootloader File Modification\u003c/code\u003e to your SIEM and tune it for your environment to detect bootloader modifications.\u003c/li\u003e\n\u003cli\u003eReview the references provided, including the Bleeping Computer article and the ESET research on CVE-2024-7344, for additional context on bootloader attacks.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule immediately, as they could indicate a serious compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-efi-bootloader-modification/","summary":"A process writing to critical EFI bootloader files (bootmgfw.efi or bootx64.efi) within the \\EFI\\Boot\\ directory may indicate a bootkit installation, malicious code persistence at the firmware level, or tampering with the system boot process.","title":"Windows EFI Bootloader File Modification Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-efi-bootloader-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["efi","mountvol","windows","persistence","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection identifies attempts to mount the EFI volume on Windows systems using the \u003ccode\u003emountvol.exe\u003c/code\u003e utility. The EFI system partition (ESP) is a special partition crucial for system booting. Unauthorized modification of the ESP can compromise system integrity, allowing attackers to modify the system on boot. This technique is associated with attacks like PKFail. The scope of this threat involves potential compromise of Windows systems and the ability to modify the boot process for malicious purposes, affecting system integrity and security. The detection leverages process monitoring to identify suspicious use of \u003ccode\u003emountvol.exe\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through social engineering or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003emountvol.exe\u003c/code\u003e with the \u003ccode\u003e-S\u003c/code\u003e or \u003ccode\u003e/S\u003c/code\u003e parameter to mount the EFI volume.\u003c/li\u003e\n\u003cli\u003eThe attacker gains write access to the EFI system partition.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies bootloaders or other EFI executables.\u003c/li\u003e\n\u003cli\u003eThe attacker may install malicious drivers or backdoors into the EFI partition.\u003c/li\u003e\n\u003cli\u003eThe system is rebooted, triggering the malicious code within the EFI partition.\u003c/li\u003e\n\u003cli\u003eThe malicious code compromises the operating system during the boot process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and control over the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent malware installation, allowing attackers to maintain control over the compromised system even after reboots or OS reinstalls. The impact includes potential data theft, system corruption, and the ability to install rootkits that are difficult to detect. If successful, the attacker can gain complete control over the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect EFI Volume Mount via Mountvol\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for instances of \u003ccode\u003emountvol.exe\u003c/code\u003e being executed with the \u003ccode\u003e-S\u003c/code\u003e or \u003ccode\u003e/S\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to the parent processes and user accounts involved.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls on the EFI system partition to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for signs of EFI-based rootkits or other malicious modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-efi-volume-mount/","summary":"Detection of attempts to mount the EFI volume on Windows systems using mountvol.exe, potentially leading to system compromise.","title":"Windows EFI Volume Mount Attempt via Mountvol","url":"https://feed.craftedsignal.io/briefs/2024-01-03-efi-volume-mount/"}],"language":"en","title":"CraftedSignal Threat Feed — Efi","version":"https://jsonfeed.org/version/1.1"}