Microsoft is expanding the protection capabilities of the Microsoft Defender Advanced Threat Protect (ATP) to the firmware level by introducing new UEFI scanner.
UEFI stands for Unified Extensible Firmware Interface (developed by Intel) and defines a software interface between the operating system and the firmware.
It is a feature rich system than the traditional BIOS and overcomes many of its limitations such as proper GUI support, and remote diagnostics etc.
With rising hardware and firmware attacks, Windows Defender System Guard helps organizations defend against firmware attacks by providing hardware-backed security features like hypervisor-level attestation and Secure Launch,
The new UEFI scan engine in Microsoft Defender ATP expands on these protections by making firmware scanning broadly available.
How the UEFI scanner in Microsoft Defender ATP works
The new UEFI scanner reads the firmware file system at runtime by interacting with the motherboard chipset. To detect threats, it performs dynamic analysis using multiple new solution components that include:
- UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface (SPI)
- Full filesystem scanner, which analyzes content inside the firmware
- Detection engine, which identifies exploits and malicious behaviors
Firmware scanning is orchestrated by runtime events like suspicious driver load and through periodic system scans. Detections are reported in Windows Security, under Protection history.
Figure 1. Windows Security notification showing detection of malicious content in non-volatile memory (NVRAM)
Microsoft Defender ATP customers will also see these detections raised as alerts in Microsoft Defender Security Center, empowering security operations teams to investigate and respond to firmware attacks and suspicious activities at the firmware level in their environments.
Figure 2. Microsoft Defender ATP alert for detection of malicious code in firmware
Security operations teams can also use the advanced hunting capabilities in Microsoft Defender ATP to hunt for these threats:
DeviceEvents | where ActionType == "AntivirusDetection" | extend ParsedFields=parse_json(AdditionalFields) | extend ThreatName=tostring(ParsedFields.ThreatName) | where ThreatName contains_cs "UEFI" | project ThreatName=tostring(ParsedFields.ThreatName), FileName, SHA1, DeviceName, Timestamp | limit 100
To detect unknown threats in SPI flash, signals from the UEFI scanner are analyzed to identify anomalies and where they have been executed. Anomalies are reported to the Microsoft Defender Security Center for investigation.
Figure 3. Microsoft Defender ATP alert for possible malware implant in UEFI file system
These events can likewise be queried through advanced hunting:
DeviceAlertEvents | where Title has "UEFI" | summarize Titles=makeset(Title) by DeviceName, DeviceId, bin(Timestamp, 1d) | limit 100
To learn more about how the UEFI scanner was built, please head to this page for details