66314d3b-bec0-4042-94f3-2744b5a337ee

bootmgfw.efi :inline

Description

This was provided by Microsoft and revoked May-23

  • UUID: 66314d3b-bec0-4042-94f3-2744b5a337ee
  • Created: 2023-05-22
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the Revoked Bootloader!

Commands

bcdedit /copy "{current}" /d "TheBoots" | {% if ($_ -match '{\S+}') { bcdedit /set $matches[0] path \windows\temp\bootmgfw.efi } }
Use CasePrivilegesOperating System
Persistence32-bit

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed bootloader files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://uefi.org/revocationlistfile
  • https://support.microsoft.com/en-gb/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-kb4575994-e3b9e4cb-a330-b3ba-a602-15083965d9ca

    • CVE

  • Black Lotus Microsoft Windows 8.1

    • Known Vulnerable Samples

    PropertyValue
    Filenamebootmgfw.efi
    MD5e7ae8ab50eae0f2730780d6e87a165cc
    SHA1339702656fbb6e001e9a283dbd54567323f0332f
    SHA25688582f3cae30afd77990944709ac4e272d68cdc009d9c3ff6f7c2e19e74f5975
    Authentihash MD561dcd3b5b1b343f78cdba79267151107
    Authentihash SHA1f62b5d4321be185905a65037dfcdeb277a4f6169
    Authentihash SHA256490c927242cc6227ca439a7e9aa9d771ad4d1686eede1f331cbb6c69e9be746e
    RichPEHeaderHash MD576b472327057a88cd36ca28afc4c0e33
    RichPEHeaderHash SHA13111a9f1a2306b44b216f95d22c5d3780e200bb4
    RichPEHeaderHash SHA25699f483be10e4f3d7da9abe8eabdf67c61589c0ecec750aac0991666c9bc4e518
    CompanyMicrosoft Corporation
    DescriptionBoot Manager
    ProductMicrosoft® Windows® Operating System
    OriginalFilenamebootmgr.exe

    Certificates

    Expand
    Certificate 330000002418fc0b689e7399d0000000000024
    FieldValue
    ToBeSigned (TBS) MD528b23b39f3bbd936a26a5b86451be0ac
    ToBeSigned (TBS) SHA13b16f29295d5a7c323beb479c71d3d20c6b8acc2
    ToBeSigned (TBS) SHA2564383c9a796dc607ddaae1849d8e5d2e7ea211aad2c599fe1e251285ec87dd150
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows
    ValidFrom2013-06-17 21:43:38
    ValidTo2014-09-17 21:43:38
    Signature78269c4b43268afbc7329a21653fdf5427c51d156bd9b2be4fc3ce06c9fe486ad28fa1a55698acc8617733a5d9b68b3f69ab82d8d60857a0cf330434703b2af43b3058eec891f89515a9acf8c29aebdcabc8671630a1d22fa51720ab95393c388e3fbed2d42eca2bce4f3ac03be5be68ecfe7f44a6d3871782abd7cc3f8c22300536bd24a13934474bc0cfc2f1479991b991f328cb5a80d06c1046a9249b8dd8747b3c87e54946f28c0bdf14c042566264fbf9475859b221d0434603ab5f655551437be8eb21192f143d173b042f139ce553888cf0534f9d2f090c1edbf10def827a274afeeba10c2b4725b0628a2722d5f209be4f9e3d2d8104a896df82072d
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber330000002418fc0b689e7399d0000000000024
    Version3
    Certificate 61077656000000000008
    FieldValue
    ToBeSigned (TBS) MD530a3f0b64324ed7f465e7fc618cb69e7
    ToBeSigned (TBS) SHA1002de3561519b662c5e3f5faba1b92c403fb7c41
    ToBeSigned (TBS) SHA2564e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
    ValidFrom2011-10-19 18:41:42
    ValidTo2026-10-19 18:51:42
    Signature14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber61077656000000000008
    Version3

    Imports

    Expand

    Imports

    Expand

    ImportedFunctions

    Expand

    ExportedFunctions

    Expand

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "330000002418fc0b689e7399d0000000000024",
      "Signature": "78269c4b43268afbc7329a21653fdf5427c51d156bd9b2be4fc3ce06c9fe486ad28fa1a55698acc8617733a5d9b68b3f69ab82d8d60857a0cf330434703b2af43b3058eec891f89515a9acf8c29aebdcabc8671630a1d22fa51720ab95393c388e3fbed2d42eca2bce4f3ac03be5be68ecfe7f44a6d3871782abd7cc3f8c22300536bd24a13934474bc0cfc2f1479991b991f328cb5a80d06c1046a9249b8dd8747b3c87e54946f28c0bdf14c042566264fbf9475859b221d0434603ab5f655551437be8eb21192f143d173b042f139ce553888cf0534f9d2f090c1edbf10def827a274afeeba10c2b4725b0628a2722d5f209be4f9e3d2d8104a896df82072d",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows",
      "TBS": {
        "MD5": "28b23b39f3bbd936a26a5b86451be0ac",
        "SHA1": "3b16f29295d5a7c323beb479c71d3d20c6b8acc2",
        "SHA256": "4383c9a796dc607ddaae1849d8e5d2e7ea211aad2c599fe1e251285ec87dd150"
      },
      "ValidFrom": "2013-06-17 21:43:38",
      "ValidTo": "2014-09-17 21:43:38",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "61077656000000000008",
      "Signature": "14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
      "TBS": {
        "MD5": "30a3f0b64324ed7f465e7fc618cb69e7",
        "SHA1": "002de3561519b662c5e3f5faba1b92c403fb7c41",
        "SHA256": "4e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146"
      },
      "ValidFrom": "2011-10-19 18:41:42",
      "ValidTo": "2026-10-19 18:51:42",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
      "SerialNumber": "330000002418fc0b689e7399d0000000000024",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2023-08-31