Microsoft this week has shared information on how threat hunters can identify BlackLotus bootkit infections in their environments. Initially identified in late 2022, the bootkit provides nation-state-level capabilities that include User Account Control (UAC) and Secure Boot bypass, evasion, and disabling of protections, including hypervisor-protected code integrity (HVCI), BitLocker, and Microsoft Defender. To disable Secure Boot, the bootkit exploits a Windows vulnerability (CVE-2022-21894) for which proof-of-concept (PoC) code has been available since August 2022.
Despite the bootkit’s stealthiness and numerous evasion capabilities, it does leave behind specific artifacts that security teams can hunt for. Microsoft has published details on how a BlackLotus infection can be identified, including newly created bootloader files, leftover artifacts from the staging directory it creates, modified registry keys, network behavior, and generated Windows Event and Boot Configuration log entries. Threat hunters should examine these artifacts in combination rather than in isolation, both to eliminate false positives and to increase the chances of identifying infections.
BlackLotus locks down the files it writes to the EFI system partition (ESP), making them inaccessible to the operating system. However, their names, their creation times, and the error message returned when accessing them should indicate the bootkit’s presence, as does the presence of a custom directory created during installation but not deleted afterwards. Other artifacts associated with the bootkit include a specific registry key modification, log entries generated when BlackLotus disables Microsoft Defender or adds components to the boot cycle, and a persistent outbound network connection from winlogon.exe on port 80.
Microsoft recommends that if a device is determined to have been infected with BlackLotus, it should be removed from the network and reformatted (both the OS partition and EFI partition) or restored from a known clean backup that includes the EFI partition.
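To show how the artifact classes described above translate into a triage pass on a single host, here is an added PowerShell example. It is not code from the article or from Microsoft, and it deliberately hardcodes no BlackLotus file names, registry paths or error strings, because the article does not give them: the script records what it finds in each artifact class (ESP files and their access state, leftover ESP directories, boot entries, protection state, Defender log entries, winlogon.exe connections on port 80) so that an analyst can compare the output against Microsoft's published indicators. It assumes an elevated PowerShell session on the host under review and that drive letter S: is free to temporarily mount the ESP; the Defender event IDs 5001 and 5012 used below are the documented "real-time protection disabled" and "antivirus disabled" events, not values taken from the article.

```powershell
# Added example (not from the article or Microsoft): single-host triage for the
# BlackLotus artifact classes the article lists. Run elevated; S: is assumed free.
$EspLetter = 'S:'
$Findings  = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Category, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. ESP bootloader files: record name, creation time and whether the file can be
#    opened. BlackLotus locks the files it writes, so a recently created file under
#    EFI\ that returns an access error is the signal the article describes.
mountvol $EspLetter /s | Out-Null
try {
    $Files = Get-ChildItem -Path "$EspLetter\EFI" -Recurse -Force -File `
             -ErrorAction SilentlyContinue -ErrorVariable ListErrors
    foreach ($f in $Files) {
        try {
            $fs = [System.IO.File]::OpenRead($f.FullName); $fs.Dispose()
            $State = 'readable'
        } catch {
            $State = "ACCESS ERROR: $($_.Exception.Message)"
        }
        Add-Finding 'ESP file' ("{0} created {1:u} {2}" -f $f.FullName, $f.CreationTimeUtc, $State)
    }
    foreach ($e in $ListErrors) { Add-Finding 'ESP enumerate error' $e.ToString() }

    # Leftover directories: the article notes a custom directory that is created during
    # installation and never removed, so every directory is listed with its creation time.
    Get-ChildItem -Path "$EspLetter\" -Recurse -Force -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'ESP directory' ("{0} created {1:u}" -f $_.FullName, $_.CreationTimeUtc) }
} finally {
    mountvol $EspLetter /d | Out-Null
}

# 2. Boot configuration: capture every loader path and description so that entries
#    added to the boot cycle stand out next to the stock bootmgfw.efi / winload.efi entries.
bcdedit /enum all 2>$null |
    Where-Object { $_ -match '^(path|description|identifier)\s' } |
    ForEach-Object { Add-Finding 'BCD entry' $_.Trim() }

# 3. State of the protections the bootkit is known to disable.
try   { Add-Finding 'Secure Boot' ("enabled={0}" -f (Confirm-SecureBootUEFI)) }
catch { Add-Finding 'Secure Boot' "query failed: $($_.Exception.Message)" }
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard `
      -ErrorAction SilentlyContinue
Add-Finding 'HVCI' ("running={0}" -f ($dg.SecurityServicesRunning -contains 2))   # 2 = HVCI
$bl = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue
Add-Finding 'BitLocker' ("C: protection={0}" -f $bl.ProtectionStatus)
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
Add-Finding 'Defender' ("realtime={0} antivirus={1}" -f $mp.RealTimeProtectionEnabled, $mp.AntivirusEnabled)

# 4. Defender operational log: events recording that protection was turned off.
$DefenderEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5012
    } -MaxEvents 50 -ErrorAction SilentlyContinue
foreach ($ev in $DefenderEvents) {
    Add-Finding 'Defender event' ("{0:u} id={1}" -f $ev.TimeCreated, $ev.Id)
}

# 5. Network: winlogon.exe should not hold outbound connections on port 80.
foreach ($p in (Get-Process -Name winlogon -ErrorAction SilentlyContinue)) {
    Get-NetTCPConnection -OwningProcess $p.Id -RemotePort 80 -ErrorAction SilentlyContinue |
        ForEach-Object {
            Add-Finding 'winlogon network' ("PID {0} -> {1}:{2} {3}" -f $p.Id, $_.RemoteAddress, $_.RemotePort, $_.State)
        }
}

# Emit the collected artifacts for review and keep a copy next to the case notes.
$Findings | Format-Table -AutoSize -Wrap
$Findings | Export-Csv -Path ".\blacklotus-triage-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

The script only collects and never remediates, which matches the article's guidance: a host that is judged infected is isolated and rebuilt, including the EFI partition, rather than cleaned in place. Reading the CSV, the combinations to weigh are an ESP file with a recent creation time that returns an access error, a leftover ESP directory created at the same time, a BCD entry pointing at something other than the stock loaders, Defender or HVCI reporting disabled alongside 5001/5012 events, and a winlogon.exe connection on port 80; any one of these alone is a weak signal, which is why the article stresses examining the artifacts together.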
- BlackLotus bootkit provides nation-state-level capabilities.
- Specific artifacts associated with BlackLotus can be identified by threat hunters.
- Artifacts include newly created bootloader files, modified registry keys, and generated Windows Event and Boot Configuration log entries.
- Error messages and a persistent outbound network connection on port 80 can also indicate an infection.
- Microsoft recommends removing the infected device from the network and reformatting it or restoring from a clean backup.