
Microsoft Shares Resources for BlackLotus UEFI Bootkit Hunting

Microsoft recently released details on how threat hunters can detect BlackLotus bootkit infections on their systems. This notorious bootkit, first discovered in late 2022, grants capabilities on par with those of nation-state actors, such as bypassing Secure Boot, disabling UAC, and evading hypervisor-protected code integrity, BitLocker, and Microsoft Defender. The bootkit exploits a Windows vulnerability (CVE-2022-21894) that has been known since August 2022 and for which proof-of-concept code is readily available.

Despite the bootkit’s stealth and numerous evasion capabilities, it does leave behind specific artifacts that security teams can hunt for. Microsoft has published details on how a BlackLotus infection can be identified, including newly created bootloader files, leftover staging directory artifacts, modified registry keys, network behavior, and generated Windows Event and Boot Configuration log entries. Threat hunters should correlate these artifacts with one another rather than relying on any single one, to eliminate false positives and increase the chances of identifying infections.

BlackLotus locks down the files it writes to the EFI system partition (ESP), making them inaccessible. However, their names, creation times, and the error message returned when accessing them should indicate the bootkit’s presence, as should the presence of a custom directory created during installation but never deleted. Other artifacts associated with the bootkit include a specific registry key modification, log entries generated when BlackLotus disables Microsoft Defender or adds components to the boot cycle, and a persistent outbound network connection from winlogon.exe on port 80.
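As an added illustration (this is not Microsoft's hunting code), the following PowerShell collects two of the host-side artifacts described above: ESP files that cannot be opened, recorded with their names, creation times and the error returned, along with every ESP directory for analyst review, and any established outbound TCP/80 connection owned by winlogon.exe. It assumes an elevated session on the suspect host and that S: is a free drive letter on which to mount the ESP; the specific file, directory and registry names from Microsoft's guidance are not reproduced here.

```powershell
# Added hunting helper, not Microsoft's code. Assumes an elevated session and
# that the drive letter passed in (default S:) is free to mount the ESP on.
function Get-EspAccessAnomalies {
    param([string]$DriveLetter = 'S:')
    # mountvol <letter> /S maps the EFI system partition to a drive letter
    mountvol $DriveLetter /S | Out-Null
    try {
        Get-ChildItem -Path "$DriveLetter\" -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $item = $_
                if ($item.PSIsContainer) {
                    # Every directory is reported so an unexpected one stands out
                    [pscustomobject]@{ Kind = 'Directory'; Path = $item.FullName
                                       CreationTimeUtc = $item.CreationTimeUtc; Error = '' }
                    return
                }
                try {
                    $h = [System.IO.File]::OpenRead($item.FullName); $h.Dispose()
                } catch {
                    # A file on the ESP that cannot even be opened is worth a closer look
                    [pscustomobject]@{ Kind = 'LockedFile'; Path = $item.FullName
                                       CreationTimeUtc = $item.CreationTimeUtc
                                       Error = $_.Exception.Message }
                }
            }
    } finally {
        # Always release the drive letter again
        mountvol $DriveLetter /D | Out-Null
    }
}

function Get-WinlogonPort80Connections {
    # Established outbound TCP connections to remote port 80 owned by winlogon.exe
    Get-NetTCPConnection -State Established -RemotePort 80 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($proc -and $proc.ProcessName -ieq 'winlogon') {
                [pscustomobject]@{ Pid = $_.OwningProcess; Process = $proc.ProcessName
                                   Local  = "$($_.LocalAddress):$($_.LocalPort)"
                                   Remote = "$($_.RemoteAddress):$($_.RemotePort)" }
            }
        }
}

Get-EspAccessAnomalies | Sort-Object CreationTimeUtc | Format-Table -AutoSize
Get-WinlogonPort80Connections | Format-Table -AutoSize
```

Neither list is proof of infection on its own; as the text notes, these findings should be correlated with the registry, event log and boot configuration artifacts before a verdict is reached.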

Microsoft recommends that if a device is determined to have been infected with BlackLotus, it should be removed from the network and reformatted (both the OS partition and the EFI partition) or restored from a known clean backup that includes the EFI partition.

Key Points:

  • BlackLotus bootkit provides nation-state-level capabilities.
  • Specific artifacts associated with BlackLotus can be identified by threat hunters.
  • Artifacts include newly created bootloader files, modified registry keys, and generated Windows Event and Boot Configuration log entries.
  • Error messages and a persistent outbound network connection on port 80 can also indicate an infection.
  • Microsoft recommends removing the infected device from the network and reformatting it or restoring from a clean backup.
