Analytics Story: Windows BootKits

Description

Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

Why it matters

A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows BootLoader Inventory System Firmware, Pre-OS Boot Hunting
Windows Registry BootExecute Modification Pre-OS Boot, Registry Run Keys / Startup Folder TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

References


Source: GitHub | Version: 1