OuterHaven UEFI exploitation and detection

A standalone Python script leveraging ntdll for UEFI variable enumeration. It borrows formatting elements from the "chipsec" toolkit to parse the NVRAM buffer returned by the ntdll library function and the underlying runtime service. In testing it works on Windows 7 through 10.

Scripts

  • UEFI variable enumeration script (Python) - REQUIRES the pypiwin32 library
  • UEFI read/write API function call template for PowerShell integration (PowerShell)
  • Standalone PowerShell POC script for installation and execution of a malicious payload via UEFI variable injection

Research outline

Research into this stemmed from the presentation at DEF CON 27 by Michael Leibowitz and Topher Timzen that highlighted UEFI variables as a place for attackers to hide their persistent payloads from EDR solutions and security analysts.

My work aimed at simplifying their attack method so that this isolated data repository is usable by both coders/researchers and the less experienced red teamer. To that end I aimed to create a simple scripting method for variable injection. By examining their code base, the related API functions and library files were all present and easy to translate into one-line script calls. Further examination showed that some of the more technical elements of the translation, namely the API calling and session token manipulation, had already been addressed in a custom module created by Michael Niehaus and available online. By either integrating the module or splicing the module's code into a script, an attacker can readily perform activities that replicate those observed in the C# code of the previous research.

My other core objective was to devise a detection/monitoring method for UEFI variables during runtime for AV/EDR agents as well as security analysts potentially working remotely. To this end, runtime access to and enumeration of the UEFI variables would be essential, as the read operations outlined in the offensive methods only work if the specific GUID and variable ID are provided. However, there is no standard or readily available method to enumerate this memory space at runtime (with one exception). Therefore, if an attacker uses a custom variable name and an unusual GUID (or even a standard one), a security agent would be unable to extract or remove the malicious data within the variable. The only standard method to enumerate UEFI variables is through an EFI shell, which requires a reboot, custom boot media and knowledge of the EFI shell interface, which most people do not have experience with.

The exception mentioned above is "Chipsec", a firmware enumeration and security audit tool developed by Intel. This tool is able to enumerate and list UEFI variables at runtime and was used in the DEF CON 27 presentation to prove their techniques worked. The tool, although powerful, has caveats: it is big and clunky, requires multiple security features to be disabled in order to operate, and needs a custom kernel driver installed. Examination of the tool, however, revealed an alternative method of enumeration available on Windows 7 and above.

The key to runtime enumeration is an undocumented API function within the ntdll.dll library file, "NtEnumerateSystemEnvironmentValuesEx". This function allows the NVRAM variable data blob to be extracted and then carved via a known variable data object header to extract all the assigned variables, including their ID, attributes and stored data. This is what my enumeration script works on, and as such it will work on any Windows version 7 and above with an ntdll.dll library present (which should be all of them).
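The carving step described above, as an added example that is not this repo's script: it walks the NextEntryOffset chain of the buffer returned by NtEnumerateSystemEnvironmentValuesEx and flags persistent, runtime-accessible variables under vendor GUIDs that are not on an allowlist. The entry layout (NextEntryOffset, ValueOffset, ValueLength, Attributes, VendorGuid, UTF-16 Name, then Value) is assumed from the Windows VARIABLE_NAME_AND_VALUE definition, and the blob is constructed in the script so it runs offline on any OS.

```python
import struct
import uuid
from typing import Iterator, NamedTuple

# Assumed entry header (VARIABLE_NAME_AND_VALUE): four ULONGs then a 16-byte GUID.
HDR = struct.Struct("<IIII16s")
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")


class EfiVar(NamedTuple):
    guid: uuid.UUID
    name: str
    attributes: int
    data: bytes


def carve_variables(blob: bytes) -> Iterator[EfiVar]:
    """Yield every variable in the NVRAM blob by following NextEntryOffset."""
    off = 0
    while off + HDR.size <= len(blob):
        nxt, val_off, val_len, attrs, raw_guid = HDR.unpack_from(blob, off)
        # Name is UTF-16LE, NUL-terminated, between the header and ValueOffset.
        name_raw = blob[off + HDR.size:off + val_off]
        name = name_raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        data = blob[off + val_off:off + val_off + val_len]
        yield EfiVar(uuid.UUID(bytes_le=raw_guid), name, attrs, data)
        if nxt == 0:          # last entry in the chain
            break
        off += nxt


def suspicious(v: EfiVar, known_guids=(EFI_GLOBAL_VARIABLE,)) -> bool:
    """Persistent across reboots, readable at runtime, and not under a known vendor GUID."""
    wanted = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
    return (v.attributes & wanted) == wanted and v.guid not in known_guids


def build_entry(guid: uuid.UUID, name: str, attrs: int, data: bytes, last=False) -> bytes:
    """Constructed test helper: serialise one entry in the assumed layout (8-byte padded)."""
    name_b = name.encode("utf-16-le") + b"\x00\x00"
    val_off = HDR.size + len(name_b)
    total = val_off + len(data)
    total += (-total) % 8
    hdr = HDR.pack(0 if last else total, val_off, len(data), attrs, guid.bytes_le)
    return (hdr + name_b + data).ljust(total, b"\x00")


# Constructed sample blob: a normal BootOrder entry plus one under an unknown vendor GUID.
SAMPLE_BLOB = build_entry(EFI_GLOBAL_VARIABLE, "BootOrder", 0x7, b"\x01\x00\x00\x00") + \
    build_entry(uuid.UUID("12345678-aaaa-bbbb-cccc-0123456789ab"), "OddVar", 0x7, b"\xde\xad\xbe\xef", last=True)

if __name__ == "__main__":
    for var in carve_variables(SAMPLE_BLOB):
        print(f"{var.guid} {var.name!r} attrs=0x{var.attributes:x} len={len(var.data)} suspicious={suspicious(var)}")
```

On Windows the same parser can be pointed at the real buffer obtained via ctypes from ntdll, as the repo's script does; only the blob source changes.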

Full paper

https://drive.google.com/file/d/1nwLwdg7xzI1mjFskAePs6LqHwPyVR6mD/view?usp=sharing

References