blockedlist format unclear, newer findings missing #1830
Comments
|
The logic is that any criteria listed in the bracket is treated as an AND. To flag a match, all criteria have to match. Name, GUID, hash, etc. The downside is if you're off on one, the tool won't flag it. Sometimes less is more but the ability is there to refine the search. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The blockedlist
chipsec/modules/tools/uefi/blockedlist.jsonis a JSON file.Looking at it, the structure is unclear; compare the following:
{ "HT_UEFI_Rootkit": { "description": "HackingTeam UEFI Rootkit (https://www.mcafee.com/enterprise/en-us/threat-center/advanced-threat-research/uefi-rootkit.html)", "match": { "rkloader" : { "guid": "F50258A9-2F4D-4DA9-861E-BDA84D07A44C" }, "rkloader_name" : { "name": "rkloader" }, "Ntfs" : { "guid": "F50248A9-2F4D-4DE9-86AE-BDA84D07A41C" }, "app" : { "guid": "EAEA9AEC-C9C1-46E2-9D52-432AD25A9B0B" } } } }and
{ "MR_UEFI_Rootkit": { "description": "MosaicRegressor UEFI Rootkit (https://securelist.com/mosaicregressor/98849/)", "match": { "SmmInterfaceBase" : { "name": "SmmInterfaceBase", "guid": "F50258A9-2F4D-4DA9-861E-BDA84D07A44C" }, "Ntfs" : { "name": "Ntfs", "guid": "F50248A9-2F4D-4DE9-86AE-BDA84D07A41C" }, "SmmReset" : { "name": "SmmReset", "guid": "EAEA9AEC-C9C1-46E2-9D52-432AD25A9B0C" }, "SmmAccessSub" : { "name": "SmmAccessSub", "guid": "EAEA9AEC-C9C1-46E2-9D52-432AD25A9B0B" } } } }Suggestion: Always have both
nameandguidin every entry undermatch. That makes the structure uniform.Originally, I just wanted to add Black Lotus:
https://github.com/binarly-io/FwHunt/blob/main/rules/Threats/BlackLotusBootkit.yml
There are some more known malicious binaries that should be added; see the
Threatsdirectory in Binarly's repository.The text was updated successfully, but these errors were encountered: