Security Researchers Demonstrate a New Technique for Windows Persistence

Overview

Details have been published of a technique for Windows systems that makes it easier to install a rootkit-class persistence mechanism inside the operating system. The Windows Platform Binary Table (WPBT) is an ACPI table through which a device manufacturer's firmware can hand Windows a native executable to run at every boot; it was intended for OEM software such as anti-theft agents. Microsoft requires that this binary be signed, but the researchers found that Windows does not reject a binary whose signing certificate has expired or been revoked.

A malicious WPBT entry can be planted by code already running on the machine (for example through a modified bootloader or firmware) or by a peripheral or component with Direct Memory Access (DMA) that writes the table into memory during boot. The DMA path could be an internal PCIe component or an external device such as a Thunderbolt or USB4 display adapter.

The binary is written to C:\Windows\System32 and executed from there by the operating system itself, after the system volume has already been unlocked, so BitLocker does not restrict it the way it would a pre-OS boot attack that has to tamper with the encrypted disk.
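The two artefacts the mechanism above leaves on a host are the WPBT ACPI table itself and the dropped binary. The following PowerShell is an added example, not code from the original advisory or from the researchers: it enumerates the ACPI tables through kernel32's EnumSystemFirmwareTables/GetSystemFirmwareTable, parses a WPBT entry if one is present, and checks the Authenticode signature of %SystemRoot%\System32\wpbbin.exe, including the certificate expiry and revocation check that the boot-time loader skips. The WPBT field offsets are taken from Microsoft's published WPBT specification and the drop path is the documented one; both are stated in the comments as assumptions.

```powershell
# Added example, not code from the original advisory or from the researchers.
# Inspects one Windows host for a WPBT entry and for the binary it drops.
# Assumptions: the WPBT field offsets below follow Microsoft's published WPBT
# specification (36-byte ACPI header, then handoff memory size/location,
# content layout, content type, argument length, UTF-16 arguments); the
# drop path %SystemRoot%\System32\wpbbin.exe is the documented one.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class FirmwareTables {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buffer, uint size);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
}
'@

$ACPI = 0x41435049   # 'ACPI' provider signature, as documented for GetSystemFirmwareTable

function Get-AcpiTableIds {
    # Each 4-byte ID the firmware reports is also the exact value that
    # GetSystemFirmwareTable expects, which sidesteps signature byte-order mistakes.
    $size = [FirmwareTables]::EnumSystemFirmwareTables($ACPI, $null, 0)
    if ($size -eq 0) { return @() }
    $buf = New-Object byte[] $size
    [void][FirmwareTables]::EnumSystemFirmwareTables($ACPI, $buf, $size)
    for ($i = 0; $i + 4 -le $buf.Length; $i += 4) {
        [pscustomobject]@{
            Name = [Text.Encoding]::ASCII.GetString($buf, $i, 4)
            Id   = [BitConverter]::ToUInt32($buf, $i)
        }
    }
}

function Get-WpbtTable {
    $entry = Get-AcpiTableIds | Where-Object { $_.Name -eq 'WPBT' } | Select-Object -First 1
    if (-not $entry) { return $null }   # no platform binary published by this firmware
    $size = [FirmwareTables]::GetSystemFirmwareTable($ACPI, $entry.Id, $null, 0)
    $tbl  = New-Object byte[] $size
    [void][FirmwareTables]::GetSystemFirmwareTable($ACPI, $entry.Id, $tbl, $size)
    if ($tbl.Length -lt 52) { throw "WPBT table too short ($($tbl.Length) bytes)" }

    # An ACPI table must sum to zero (mod 256) over its whole length.
    $sum = 0; foreach ($b in $tbl) { $sum = ($sum + $b) -band 0xFF }
    $argLen = [BitConverter]::ToUInt16($tbl, 50)
    $args   = ''
    if ($argLen -gt 0 -and 52 + $argLen -le $tbl.Length) {
        $args = [Text.Encoding]::Unicode.GetString($tbl, 52, $argLen)   # UTF-16 per the spec (assumption)
    }

    [pscustomobject]@{
        OemId          = [Text.Encoding]::ASCII.GetString($tbl, 10, 6).Trim()
        OemTableId     = [Text.Encoding]::ASCII.GetString($tbl, 16, 8).Trim()
        ChecksumOk     = ($sum -eq 0)
        HandoffSize    = [BitConverter]::ToUInt32($tbl, 36)   # size of the PE image in physical memory
        HandoffAddress = '0x{0:X}' -f [BitConverter]::ToUInt64($tbl, 40)
        ContentLayout  = $tbl[48]   # 1 = single PE image (per the spec)
        ContentType    = $tbl[49]   # 1 = native user-mode application (per the spec)
        Arguments      = $args
    }
}

function Test-WpbtBinary {
    # smss.exe writes the WPBT payload to this path before executing it.
    $path = Join-Path $env:SystemRoot 'System32\wpbbin.exe'
    if (-not (Test-Path $path)) { return [pscustomobject]@{ Path = $path; Present = $false } }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate
    $result = [ordered]@{
        Path    = $path
        Present = $true
        Status  = $sig.Status   # Valid / NotSigned / HashMismatch / ...
    }
    if ($cert) {
        $result.Signer   = $cert.Subject
        $result.NotAfter = $cert.NotAfter
        $result.Expired  = ($cert.NotAfter -lt (Get-Date))
        # Verify() builds a chain under the default policy, which includes online
        # revocation checking: the expiry/revocation test the boot-time loader skips.
        $result.ChainValid = $cert.Verify()
    }
    [pscustomobject]$result
}

Get-WpbtTable
Test-WpbtBinary
```

A WPBT entry is not an indicator on its own: some vendors ship one legitimately. The useful signal is a table or a wpbbin.exe whose signer does not match what the hardware vendor ships, or whose certificate is expired or revoked even though Status reads Valid. Neither check needs administrative rights.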

Impact

An attacker able to plant a WPBT entry can have their binary executed automatically at every boot as a native process with SYSTEM privileges, before any user logs on. Because the payload is re-delivered by the firmware (or the DMA device) on each boot, this gives long-term persistence that survives reinstalling the operating system.

Vulnerability Detection

All versions of Windows since Windows 8, which introduced WPBT (October 2012), are affected. No patch is available at the time of writing. On a given host, the presence of a WPBT entry can be seen by enumerating the ACPI tables, and the file %SystemRoot%\System32\wpbbin.exe shows that Windows has dropped a platform binary; whether either is expected depends on the hardware vendor, so compare the signer against what the OEM ships.

Containment, Mitigations & Remediations

There is no official way to disable WPBT from within Windows; only the firmware decides whether to publish the table.

Microsoft recommends that customers use Windows Defender Application Control (WDAC) to limit what is allowed to run on their devices. WDAC policy is also enforced for binaries delivered through the WPBT, so a policy that allows only your expected signers mitigates this issue. We recommend that customers implement a WDAC policy that is as restrictive as practical for their environment. WDAC documentation: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview
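One way to put the WDAC recommendation into practice, as an added example that is not Microsoft's code or the original advisory's: start from the DefaultWindows_Enforced template that ships with Windows, enable user-mode code integrity (wpbbin.exe is user-mode code), optionally allow one expected OEM signer, deploy in audit mode, review the resulting Code Integrity events, and only then enforce. It assumes the ConfigCI module is available (Windows 10/11, Server 2016 and later), that the template path exists on the build, and that .\oem-signer.cer is a hypothetical file holding the vendor's code-signing certificate.

```powershell
# Added example, not Microsoft's or the original advisory's code. Builds a WDAC
# policy from the DefaultWindows_Enforced template, optionally adds one expected
# OEM signer, deploys it in audit mode, and reads the resulting events before
# the policy is switched to enforcement.
# Assumptions: ConfigCI module present (Windows 10/11, Server 2016+); template
# path exists on this build; .\oem-signer.cer is a hypothetical file holding the
# hardware vendor's code-signing certificate (export it from a known-good
# wpbbin.exe on a clean vendor image).

$work     = Join-Path $env:TEMP 'wdac'
$xml      = Join-Path $work 'WpbtPolicy.xml'
$binary   = Join-Path $work 'SIPolicy.p7b'
$template = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml'
$deploy   = Join-Path $env:windir 'System32\CodeIntegrity\SiPolicy.p7b'
$oemCert  = '.\oem-signer.cer'   # hypothetical path

function New-WpbtWdacPolicy {
    param([switch]$Enforce)
    New-Item -ItemType Directory -Force -Path $work | Out-Null
    Copy-Item $template $xml -Force

    Set-RuleOption -FilePath $xml -Option 0   # Enabled:UMCI - user-mode binaries such as wpbbin.exe are checked
    Set-RuleOption -FilePath $xml -Option 6   # Enabled:Unsigned System Integrity Policy - this policy is not signed
    if ($Enforce) {
        Set-RuleOption -FilePath $xml -Option 3 -Delete   # remove Enabled:Audit Mode
    } else {
        Set-RuleOption -FilePath $xml -Option 3           # audit first: log what would be blocked
    }

    if (Test-Path $oemCert) {
        # Allow this publisher for user-mode code alongside the template's Windows signers,
        # so a legitimate vendor WPBT binary keeps working while anything else is blocked.
        Add-SignerRule -FilePath $xml -CertificatePath $oemCert -User
    }

    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $binary | Out-Null
    Copy-Item $binary $deploy -Force   # single-policy location; takes effect after reboot
    $binary
}

function Get-WdacEvents {
    # 3076 = audit mode "would have been blocked"; 3077 = blocked under enforcement.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# 1. Deploy in audit mode, reboot, run normal workloads, then review:
New-WpbtWdacPolicy
# Get-WdacEvents | Where-Object { $_.Message -match 'wpbbin|System32' } | Format-List
# 2. When only expected binaries appear (or none), enforce and reboot again:
# New-WpbtWdacPolicy -Enforce
```

Audit mode first is not optional: the template allows Windows and WHQL-signed code only, so an enforced policy can also block third-party drivers and agents the environment depends on. If the template on a newer build is in multiple-policy format (it carries a BasePolicyID), the binary must be deployed as C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyID}.cip instead of the single-policy path used above.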

Indicators of Compromise

No exploitation in the wild is known at the time of writing. The artefacts to watch for are an unexpected WPBT ACPI table and an unexpected, unsigned or invalidly signed %SystemRoot%\System32\wpbbin.exe.

Threat Landscape

BIOS/firmware attacks have historically been high effort for low reward, since differences between hardware platforms forced them to be extremely targeted. The move to standardised UEFI-based systems made their development easier but added controls, such as Secure Boot, that had to be bypassed to install them.

This technique removes the need for those UEFI bypasses: the firmware only has to publish the WPBT entry, and the operating system itself writes the payload to disk and executes it as part of normal boot.

Mitre Methodologies

T1547 – Boot or Logon Autostart Execution

Further Information

Everyone Gets A Rootkit (Eclypsium research write-up)