UEFI Persistence via WPBBIN – Detection & Response

0

Security researcher 0gtweet has documented the Unified Extensible Firmware Interface can be used for persistence and it bypasses BitLocker protection if you rely on TPM without a PIN.


What is Windows Platform Binary Table?

Windows Platform Binary Table (WPBT) is an ACPI table in your firmware allowing your computer vendor to run a program every time Windows (8 or later) boots. 

This is a convenient method for computer vendors to force the installation of a service program or an anti-theft software, but this also means your fresh installed Windows will have potentially unwanted 3rd party programs running straight on the first boot, and you, the end user, would have no control over it. 

Also, firmware is not updated as frequently as your OS or software, which means if there is a security vulnerability in the WPBT-loaded program, a fair number of users might never get the update.

A lot PC vendors (Lenovo, ASUS, Huawei, etc.) are known to utilize WPBT table to run their own programs on the consumer’s computer.

What is TPM ?

Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. 

On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:

  • TPM-only. Using TPM-only validation doesn’t require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.

Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes

  • TPM with startup key. In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can’t be accessed without the startup key.
  • TPM with PIN. In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume can’t be accessed without entering the PIN. TPMs also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN.
  • TPM with startup key and PIN. In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can’t be used for access to the drive because the correct PIN is also required.

Detection & Response:

False-positive criteria: PC vendors (Lenovo, ASUS, Huawei, etc.) are known to utilize the WPBT tables to run their own programs on the consumer’s computer.

Splunk:

source="WinEventLog:*" AND ((TargetFilename="*wpbbin.exe") OR Image="*\\wpbbin.exe")

Qradar:

SELECT UTF8(payload) from events where (LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and (CATEGORYNAME(category) ILIKE 'File Created' or CATEGORYNAME(category) ILIKE 'Successful File Modification')) and (("TargetFilename" ilike '%wpbbin.exe') or "Image" ilike '%\wpbbin.exe')

Elastic Query:

(file.path:*wpbbin.exe OR process.executable:*\\wpbbin.exe)

CarbonBlack:

(filemod_name:*wpbbin.exe OR process_name:*\\wpbbin.exe)

Fireeye:

(metaclass:`windows` (filepath:`*wpbbin.exe` OR process:`*\wpbbin.exe`))

Google Chronicle:

(target.file.full_path = /.*wpbbin\.exe$/ or target.process.file.full_path = /.*\\wpbbin\.exe$/)

GrayLog:

(TargetFilename.keyword:*wpbbin.exe OR Image.keyword:*\\wpbbin.exe)

Logpoint:

(TargetFilename IN "*wpbbin.exe" OR Image="*\\wpbbin.exe")

Microsoft Defender:

DeviceFileEvents | where ((FolderPath endswith "wpbbin.exe") or InitiatingProcessFolderPath endswith @"\wpbbin.exe")

Microsoft Sentinel:

SysmonEvent |  where EventID == 11 | where ((TargetFilename endswith 'wpbbin.exe') or NewProcessName endswith @'\wpbbin.exe')

RSA Netwitness:

((TargetFilename contains 'wpbbin\.exe') || (Image contains 'wpbbin.exe'))

SumoLogic:

(_sourceCategory=*windows* AND ((("wpbbin.exe") OR Image="*\wpbbin.exe")))

Source/References:

ht://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures

hs://persistence-info.github.io/Data/wpbbin.html

htts://github.com/Jamesits/dropWPBT


Previous articleShodan filters to Hunt Adversaries Infrastructure and C2
Next articleRussia-linked APT29 uses Google Drive, and Dropbox to Evade – Detection & Response
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here