0e36a4f3-efab-453c-b6db-fe4f613b79d8

bootmgfw.efi :inline

Description

This was provided by Microsoft and revoked May-23

  • UUID: 0e36a4f3-efab-453c-b6db-fe4f613b79d8
  • Created: 2023-05-22
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the Revoked Bootloader!

Commands

bcdedit /copy "{current}" /d "TheBoots" | {% if ($_ -match '{\S+}') { bcdedit /set $matches[0] path \windows\temp\bootmgfw.efi } }
Use CasePrivilegesOperating System
Persistence32-bit ARM

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed bootloader files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://uefi.org/revocationlistfile
  • https://support.microsoft.com/en-gb/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-kb4575994-e3b9e4cb-a330-b3ba-a602-15083965d9ca

    • CVE

  • Black Lotus Microsoft Windows 8.1

    • Known Vulnerable Samples

    PropertyValue
    Filenamebootmgfw.efi
    MD5c9b413ac0a31f9eb0a141e05654d1d52
    SHA170f682f3c63a4a1121c3c9afa78934aa2412c049
    SHA256ac22c4ad2e62a3a8369a311b69e9b3dd558359cb44de8115e6bef2ae5e5e7151
    Authentihash MD59e1d88b1165fafcc8d3ba103110c4843
    Authentihash SHA17ae4be62af6bbe64ea43e60462403334b278fff0
    Authentihash SHA256f923efa6615ce9a93e5d69963b30adb00f2d2059113f55babc477ba889841f29
    RichPEHeaderHash MD5bf2b2fa1725551a7b25c0d86164613a7
    RichPEHeaderHash SHA1c2527f2c2aa74dd913300d7868a0d042d10ed406
    RichPEHeaderHash SHA2563bc6dba2d4913666539154040f7a9b5b2d4bb1dda99810435b6db4dede407c03
    CompanyMicrosoft Corporation
    DescriptionBoot Manager
    ProductMicrosoft® Windows® Operating System
    OriginalFilenamebootmgr.exe

    Certificates

    Expand
    Certificate 330000001b40b3e1eae3b8c84600000000001b
    FieldValue
    ToBeSigned (TBS) MD52e3f888fadd3d8d498f3237752c18df9
    ToBeSigned (TBS) SHA14f3c14facbfca2505dddb77d8b8bfe71abb1d2ed
    ToBeSigned (TBS) SHA256574085e964e5d1fc9d71150ef08a0e08779e1919f28d75a19dad15f69571c8f6
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows
    ValidFrom2013-04-10 20:41:53
    ValidTo2014-07-10 20:41:53
    Signaturecbc341b6aa9c66039f4068be8e0a48a0e38ad5c22d4a6f33e6c39817378261c73b0ac8e800662cde2333f4a79c3b75b726b7aaefc55cb467374a3804a65dd3bcf318da3699a4951225e092422aa4bb08880db7d021c4b7883ccd2452884d6e00d6ec06e6055f30218dfc376e893fdf2b0174ba323e15e0d9e480862c7132f49666ab01c246edcb9e403752b15284de32fa501cbed5bba0e45c60635520155a623bbd1b14d47e4cb8c9b2114d41de618eb6fbb022303df44f93d5d6ba60a5edc24f31c0530da52ea1392985d95b01833392c7686abf5c318308b442b5055011dfd475058a740a741ef63482b84edf9758ccfa5f3472df9c7043ca60912102c15b
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber330000001b40b3e1eae3b8c84600000000001b
    Version3
    Certificate 61077656000000000008
    FieldValue
    ToBeSigned (TBS) MD530a3f0b64324ed7f465e7fc618cb69e7
    ToBeSigned (TBS) SHA1002de3561519b662c5e3f5faba1b92c403fb7c41
    ToBeSigned (TBS) SHA2564e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
    ValidFrom2011-10-19 18:41:42
    ValidTo2026-10-19 18:51:42
    Signature14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber61077656000000000008
    Version3

    Imports

    Expand

    Imports

    Expand

    ImportedFunctions

    Expand

    ExportedFunctions

    Expand

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "330000001b40b3e1eae3b8c84600000000001b",
      "Signature": "cbc341b6aa9c66039f4068be8e0a48a0e38ad5c22d4a6f33e6c39817378261c73b0ac8e800662cde2333f4a79c3b75b726b7aaefc55cb467374a3804a65dd3bcf318da3699a4951225e092422aa4bb08880db7d021c4b7883ccd2452884d6e00d6ec06e6055f30218dfc376e893fdf2b0174ba323e15e0d9e480862c7132f49666ab01c246edcb9e403752b15284de32fa501cbed5bba0e45c60635520155a623bbd1b14d47e4cb8c9b2114d41de618eb6fbb022303df44f93d5d6ba60a5edc24f31c0530da52ea1392985d95b01833392c7686abf5c318308b442b5055011dfd475058a740a741ef63482b84edf9758ccfa5f3472df9c7043ca60912102c15b",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows",
      "TBS": {
        "MD5": "2e3f888fadd3d8d498f3237752c18df9",
        "SHA1": "4f3c14facbfca2505dddb77d8b8bfe71abb1d2ed",
        "SHA256": "574085e964e5d1fc9d71150ef08a0e08779e1919f28d75a19dad15f69571c8f6"
      },
      "ValidFrom": "2013-04-10 20:41:53",
      "ValidTo": "2014-07-10 20:41:53",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "61077656000000000008",
      "Signature": "14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
      "TBS": {
        "MD5": "30a3f0b64324ed7f465e7fc618cb69e7",
        "SHA1": "002de3561519b662c5e3f5faba1b92c403fb7c41",
        "SHA256": "4e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146"
      },
      "ValidFrom": "2011-10-19 18:41:42",
      "ValidTo": "2026-10-19 18:51:42",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
      "SerialNumber": "330000001b40b3e1eae3b8c84600000000001b",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2023-08-31