I have dual boot Windows 11 Home Edition and Debian based setup on my laptop.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2024.1
Codename: kali-rolling
After realizing a security breach on my Kali system I discovered
/etc/network/interface
had the immutable attribute set while trying to restrict access using chmod. I
decided to
investigate other files on my system with the immutable attribute set by
running this
command as root:
# find / -type f -exec lsattr {} + 2>/dev/null > immutable-list-find.txt
This led me the directory /sys/firmware/efi/efivars/ where I discovered efi
variables
pertaining Microsoft's Device Firmware Configuration Interface (DFCI).
Microsoft's
DFCI enables zero touch remote configuration of UEFI BIOS giving the ability to
manage BIOS settings and hardware. The DFCI allows for remote disabling or
enabling
of cameras, microphones, radios, boot external media, bootstrapping an OS, cpu
virtualization, and I/O virtualization. According to Microsoft's github page,
the zero
touch certificate is shared by all DFCI-enabled systems and does not need to be
injected
at manufacturing.
Microsoft advertises DFCI as a defense mechanism against rootkits, however it
seems that it
is being used as a UEFI bootkit. According to Microsoft DFCI is not available
for Windows 10
or 11 Home Edition. My Acer Aspire 3 15 has Windows 11 Home Edition, and was
purchased
as a consumer product versus a commercial. This means that not only is there a
capability that
DFCI can be implemented on a consumer product, but through a Linux based
operating system.
I will provide the ASCII output of each file that I found on my Kali Linux
system from the
/sys/firmware/efi/efivars/ directory. I will not provide the entire hexdump
output to save space.
However, I will provide more if requested after my initial posting.
File Name: DfciDeviceIdentifier-4123a1a9-6f50-4b58-9c3d-56fc24c6c89e
ASCII output:
|....<?xml versio|
|n="1.0" encoding|
|="utf-8"?><UEFID|
|eviceIdentifierP|
|acket><Identifie|
|rs><Identifier><|
|Id>Manufacturer<|
|/Id><Value>Acer<|
|/Value></Identif|
|ier><Identifier>|
|<Id>Product Name|
|</Id><Value>Aspi|
|re A315-44P</Val|
|ue></Identifier>|
|<Identifier><Id>|
|Serial Number</I|
|d><Value>NXKSJAA|
|0044050439E3400<|
|/Value></Identif|
|ier></Identifier|
|s><DfciVersion>2|
|</DfciVersion></|
|UEFIDeviceIdenti|
|fierPacket>.|
File Name: DfciIdentityCurrent-de6a8726-05df-43ce-b600-92bd5d286cfd
(NOTE: something that stood out to me is the
Zero Touch ID: 0989C5F7EA3379388F79990875B23E031A5DA554)
ASCII Output:
|....<?xml versio|
|n="1.0" encoding|
|="utf-8"?><UEFII|
|dentityCurrentPa|
|cket><Certificat|
|es><Certificate>|
|<Id>User</Id><Va|
|lue>Cert not ins|
|talled</Value></|
|Certificate><Cer|
|tificate><Id>Use|
|r1</Id><Value>Ce|
|rt not installed|
|</Value></Certif|
|icate><Certifica|
|te><Id>User2</Id|
|><Value>Cert not|
| installed</Valu|
|e></Certificate>|
|<Certificate><Id|
|>Owner</Id><Valu|
|e>Cert not insta|
|lled</Value></Ce|
|rtificate><Certi|
|ficate><Id>ZeroT|
|ouch</Id><Value>|
|0989C5F7EA337938|
|8F79990875B23E03|
|1A5DA554</Value>|
|</Certificate></|
|Certificates></U|
|EFIIdentityCurre|
|ntPacket>.|
File Name: DfciPermissionCurrent-3a9777ea-0d9f-4b65-9ef3-7caa7c41994b
ASCII Output:
|....<?xml versio|
|n="1.0" encoding|
|="utf-8"?><Curre|
|ntPermissionsPac|
|ket Default="1" |
|Delegated="128">|
|<Date>2024-01-30|
|T13:51:08</Date>|
|<Permissions><Pe|
|rmissionCurrent>|
|<Id>Dfci.OwnerKe|
|y.Enum</Id><PMas|
|k>9</PMask><DMas|
|k>128</DMask></P|
|ermissionCurrent|
|><PermissionCurr|
|ent><Id>Dfci.Ztd|
|Key.Enum</Id><PM|
|ask>1</PMask></P|
|ermissionCurrent|
|><PermissionCurr|
|ent><Id>Dfci.Ztd|
|Unenroll.Enable<|
|/Id><PMask>0</PM|
|ask></Permission|
|Current><Permiss|
|ionCurrent><Id>D|
|fci.Ztd.Recovery|
|.Enable</Id><PMa|
|sk>0</PMask></Pe|
|rmissionCurrent>|
|</Permissions><L|
|SV>0</LSV></Curr|
|entPermissionsPa|
|cket>.|
File Name: DfciSettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01
ASCII Output:
|....<?xml versio|
|n="1.0" encoding|
|="utf-8"?><Curre|
|ntSettingsPacket|
|><Date>2024-01-3|
|0T13:51:34</Date|
|><Settings><Sett|
|ingCurrent><Id>D|
|evice.BootOrderL|
|ock.Enable</Id><|
|Value>Disabled</|
|Value></SettingC|
|urrent><SettingC|
|urrent><Id>Devic|
|e.USBBoot.Enable|
|</Id><Value>Enab|
|led</Value></Set|
|tingCurrent><Set|
|tingCurrent><Id>|
|Dfci.BootOnboard|
|Network.Enable</|
|Id><Value>Disabl|
|ed</Value></Sett|
|ingCurrent><Sett|
|ingCurrent><Id>D|
|evice.Password.P|
|assword</Id><Val|
|ue>No System Pas|
|sword</Value></S|
|ettingCurrent><S|
|ettingCurrent><I|
|d>Dfci.RecoveryU|
|rl.String</Id><V|
|alue /></Setting|
|Current><Setting|
|Current><Id>Dfci|
|.RecoveryBootstr|
|apUrl.String</Id|
|><Value /></Sett|
|ingCurrent><Sett|
|ingCurrent><Id>D|
|fci.HttpsCert.Bi|
|nary</Id><Value |
|/></SettingCurre|
|nt><SettingCurre|
|nt><Id>Dfci.Regi|
|strationId.Strin|
|g</Id><Value /><|
|/SettingCurrent>|
|<SettingCurrent>|
|<Id>Dfci.TenantI|
|d.String</Id><Va|
|lue /></SettingC|
|urrent><SettingC|
|urrent><Id>MDM.F|
|riendlyName.Stri|
|ng</Id><Value />|
|</SettingCurrent|
|><SettingCurrent|
|><Id>MDM.TenantN|
|ame.String</Id><|
|Value /></Settin|
|gCurrent><Settin|
|gCurrent><Id>Dev|
|ice.CpuAndIoVirt|
|ualization.Enabl|
|e</Id><Value>Ena|
|bled</Value></Se|
|ttingCurrent><Se|
|ttingCurrent><Id|
|>Dfci3.OnboardWp|
|bt.Enable</Id><V|
|alue>Enabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci3.A|
|ssetTag.String</|
|Id><Value /></Se|
|ttingCurrent><Se|
|ttingCurrent><Id|
|>Dfci.OnboardAud|
|io.Enable</Id><V|
|alue>Enabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci.On|
|boardRadios.Enab|
|le</Id><Value>En|
|abled</Value></S|
|ettingCurrent><S|
|ettingCurrent><I|
|d>Device.IRCamer|
|a.Enable</Id><Va|
|lue>Disabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Device.|
|FrontCamera.Enab|
|le</Id><Value>Di|
|sabled</Value></|
|SettingCurrent><|
*
|Id>Device.RearCa|
|mera.Enable</Id>|
|<Value>Disabled<|
|/Value></Setting|
|Current><Setting|
|Current><Id>Dfci|
|3.ProcessorSMT.E|
|nable</Id><Value|
|>Disabled</Value|
|></SettingCurren|
|t><SettingCurren|
|t><Id>Dfci.CpuAn|
|dIoVirtualizatio|
|n.Enable</Id><Va|
|lue>Disabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci.Bo|
|otExternalMedia.|
|Enable</Id><Valu|
|e>Enabled</Value|
|></SettingCurren|
|t><SettingCurren|
|t><Id>Dfci.Onboa|
|rdCameras.Enable|
|</Id><Value>Unkn|
|own</Value></Set|
|tingCurrent></Se|
|ttings><LSV>0</L|
|SV></CurrentSett|
|ingsPacket>.|
File Name: UEFISettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01
ASCII Output:
|....<?xml versio|
|n="1.0" encoding|
|="utf-8"?><Curre|
|ntSettingsPacket|
|><Date>2024-01-3|
|0T13:51:34</Date|
|><Settings><Sett|
|ingCurrent><Id>D|
|evice.BootOrderL|
|ock.Enable</Id><|
|Value>Disabled</|
|Value></SettingC|
|urrent><SettingC|
|urrent><Id>Devic|
|e.USBBoot.Enable|
|</Id><Value>Enab|
|led</Value></Set|
|tingCurrent><Set|
|tingCurrent><Id>|
|Dfci.BootOnboard|
|Network.Enable</|
|Id><Value>Disabl|
|ed</Value></Sett|
|ingCurrent><Sett|
|ingCurrent><Id>D|
|evice.Password.P|
|assword</Id><Val|
|ue>No System Pas|
|sword</Value></S|
|ettingCurrent><S|
|ettingCurrent><I|
|d>Dfci.RecoveryU|
|rl.String</Id><V|
|alue /></Setting|
|Current><Setting|
|Current><Id>Dfci|
|.RecoveryBootstr|
|apUrl.String</Id|
|><Value /></Sett|
|ingCurrent><Sett|
|ingCurrent><Id>D|
|fci.HttpsCert.Bi|
|nary</Id><Value |
|/></SettingCurre|
|nt><SettingCurre|
|nt><Id>Dfci.Regi|
|strationId.Strin|
|g</Id><Value /><|
|/SettingCurrent>|
|<SettingCurrent>|
|<Id>Dfci.TenantI|
|d.String</Id><Va|
|lue /></SettingC|
|urrent><SettingC|
|urrent><Id>MDM.F|
|riendlyName.Stri|
|ng</Id><Value />|
|</SettingCurrent|
|><SettingCurrent|
|><Id>MDM.TenantN|
|ame.String</Id><|
|Value /></Settin|
|gCurrent><Settin|
|gCurrent><Id>Dev|
|ice.CpuAndIoVirt|
|ualization.Enabl|
|e</Id><Value>Ena|
|bled</Value></Se|
|ttingCurrent><Se|
|ttingCurrent><Id|
|>Dfci3.OnboardWp|
|bt.Enable</Id><V|
|alue>Enabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci3.A|
|ssetTag.String</|
|Id><Value /></Se|
|ttingCurrent><Se|
|ttingCurrent><Id|
|>Dfci.OnboardAud|
|io.Enable</Id><V|
|alue>Enabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci.On|
|boardRadios.Enab|
|le</Id><Value>En|
|abled</Value></S|
|ettingCurrent><S|
|ettingCurrent><I|
|d>Device.IRCamer|
|a.Enable</Id><Va|
|lue>Disabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Device.|
|FrontCamera.Enab|
|le</Id><Value>Di|
|sabled</Value></|
|SettingCurrent><|
*
|Id>Device.RearCa|
|mera.Enable</Id>|
|<Value>Disabled<|
|/Value></Setting|
|Current><Setting|
|Current><Id>Dfci|
|3.ProcessorSMT.E|
|nable</Id><Value|
|>Disabled</Value|
|></SettingCurren|
|t><SettingCurren|
|t><Id>Dfci.CpuAn|
|dIoVirtualizatio|
|n.Enable</Id><Va|
|lue>Disabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci.Bo|
|otExternalMedia.|
|Enable</Id><Valu|
|e>Enabled</Value|
|></SettingCurren|
|t><SettingCurren|
|t><Id>Dfci.Onboa|
|rdCameras.Enable|
|</Id><Value>Unkn|
|own</Value></Set|
|tingCurrent></Se|
|ttings><LSV>0</L|
|SV></CurrentSett|
|ingsPacket>.|
I did discover loop devices on my system that I could not remove with the
losetup command. I had to manually remove them with the rm -f command from
the /dev/disks directory. Also, I ran the lsof command, which helped me
discover
the type of file systems that were being used. This prompted me to use apt
purge
to remove Gnome Virtual File System from my laptop.
# lsof /dev/loop*
I received this in response:
can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
can't stat() fuse.portal file system /run/user/1000/doc
This should be enough to give others places to look to determine if they have
been
infected, however I will be more than happy to provide more if needed.
Sources:
https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/
https://learn.microsoft.com/en-us/windows/client-management/mdm/uefi-csp
