1387dafb-6dad-48b4-a186-98e52cac74b7

HfiPcieGen3 :inline

Description

This was provided by Intel Corporation and revoked Jul-20

  • UUID: 1387dafb-6dad-48b4-a186-98e52cac74b7
  • Created: 2023-05-22
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the Revoked Bootloader!

Commands

bcdedit /copy "{current}" /d "TheBoots" | {% if ($_ -match '{\S+}') { bcdedit /set $matches[0] path \windows\temp\HfiPcieGen3 } }
Use CasePrivilegesOperating System
Persistence64-bit

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed bootloader files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://uefi.org/revocationlistfile
  • https://support.microsoft.com/en-gb/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-kb4575994-e3b9e4cb-a330-b3ba-a602-15083965d9ca

  • CVE

  • CVE-2020-10713
  • CVE-2020-14308
  • CVE-2020-14309
  • CVE-2020-14310
  • CVE-2020-14311
  • CVE-2020-15705
  • CVE-2020-15706
  • CVE-2020-15707
  • Known Vulnerable Samples

    PropertyValue
    FilenameHfiPcieGen3
    MD536218d733c0afdd2d6dce6f616335a2f
    SHA196787a55f640b630ba6277197dbdfd14ecf3b87d
    SHA2560ed1b0fae1a6e705d1b116d08b7184e0a2ee2a0e6b0c372ce69b40e9ef34579f
    Authentihash MD54dcaca83effd9b0a6fd63f766d4ec969
    Authentihash SHA1bd9fc7d7672f8c70045b2fc6f9029064f1030763
    Authentihash SHA2565890fa227121c76d90ed9e63c87e3a6533eea0f6f0a1a23f1fc445139bc6bcdf
    RichPEHeaderHash MD5ffdf660eb1ebf020a1d0a55a90712dfb
    RichPEHeaderHash SHA13e905e3d061d0d59de61fcf39c994fcb0ec1bab3
    RichPEHeaderHash SHA2562b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6

    Certificates

    Expand
    Certificate 3300000024c1fb0e65d9747386000100000024
    FieldValue
    ToBeSigned (TBS) MD582b02850f57505f0830f6dd30b6aeffd
    ToBeSigned (TBS) SHA1e600e0efe4030190c5e0cab9aaad72f4e76db429
    ToBeSigned (TBS) SHA2561c1d5edaeb9a5feef85e34eb40607816e98464127723d284f99b69c0c15e42f7
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows UEFI Driver Publisher
    ValidFrom2017-08-11 20:20:00
    ValidTo2018-08-11 20:20:00
    Signature47f27d2f6c0691c8e54b4403f9ec6c6b4423a43467cca7e8cf8afe60457f3b5703cde9d840ac3dd35567d791af1d1146376ba1fba9a8a502b5c9601232f24349ca5c324d1806150540cc5823d7dd777b3166268a26734c21b32862e300c8ca42856ec161633c1a076f4213c4c2a63e2ffd0ee16a301ae0c6dba732bc500a5986742520022ce33746f96c4ea8641b2a68a902872a41a8e6701e96158ab91c54c6695bc736fa047ec57b40d732abeb61e34414454e6702ef7bc5518a0d77ab42ed5efc23b01683b5c3c95c4aeb564b6f76cdae4d2e33ac59fca4cfdeb4c215549e1f43b64fd3eb9ba35171be9dab9375a1a94107dd4f95bbf88e9c239136619e20
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber3300000024c1fb0e65d9747386000100000024
    Version3
    Certificate 6108d3c4000000000004
    FieldValue
    ToBeSigned (TBS) MD51f23e75a000f0b6db92650dc26ac98e1
    ToBeSigned (TBS) SHA1bc477f73f16f0a5ae09e8ce4745c0a79c0e9a39d
    ToBeSigned (TBS) SHA2569589b8c95168f79243f61922faa5990de0a4866de928736fed658ea7bff1a5e2
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
    ValidFrom2011-06-27 21:22:45
    ValidTo2026-06-27 21:32:45
    Signature350842ff30cccef7760cad1068583529463276277cef124127421b4aaa6d813848591355f3e95834a6160b82aa5dad82da808341068fb41df203b9f31a5d1bf15090f9b3558442281c20bdb2ae5114c5c0ac9795211c90db0ffc779e95739188cabdbd52b905500ddf579ea061ed0de56d25d9400f1740c8cea34ac24daf9a121d08548fbdc7bcb92b3d492b1f32fc6a21694f9bc87e4234fc3606178b8f2040c0b39a257527cdc903a3f65dd1e736547ab950b5d312d107bfbb74dfdc1e8f80d5ed18f42f14166b2fde668cb023e5c784d8edeac13382ad564b182df1689507cdcff072f0aebbdd8685982c214c332bf00f4af06887b592553275a16a826a3ca32511a4edadd704aecbd84059a084d1954c6291221a741d8c3d470e44a6e4b09b3435b1fab653a82c81eca40571c89db8bae81b4466e447540e8e567fb39f1698b286d0683e9023b52f5e8f50858dc68d825f41a1f42e0de099d26c75e4b669b52186fa07d1f6e24dd1daad2c77531e253237c76c52729586b0f135616a19f5b23b815056a6322dfea289f94286271855a182ca5a9bf830985414a64796252fc826e441941a5c023fe596e3855b3c3e3fbb47167255e22522b1d97be703062aa3f71e9046c3000dd61989e30e352762037115a6efd027a0a0593760f83894b8e07870f8ba4c868794f6e0ae0245ee65c2b6a37e69167507929bf5a6bc598358
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber6108d3c4000000000004
    Version3

    Imports

    Expand

    Imports

    Expand

    ImportedFunctions

    Expand

    ExportedFunctions

    Expand

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "3300000024c1fb0e65d9747386000100000024",
          "Signature": "47f27d2f6c0691c8e54b4403f9ec6c6b4423a43467cca7e8cf8afe60457f3b5703cde9d840ac3dd35567d791af1d1146376ba1fba9a8a502b5c9601232f24349ca5c324d1806150540cc5823d7dd777b3166268a26734c21b32862e300c8ca42856ec161633c1a076f4213c4c2a63e2ffd0ee16a301ae0c6dba732bc500a5986742520022ce33746f96c4ea8641b2a68a902872a41a8e6701e96158ab91c54c6695bc736fa047ec57b40d732abeb61e34414454e6702ef7bc5518a0d77ab42ed5efc23b01683b5c3c95c4aeb564b6f76cdae4d2e33ac59fca4cfdeb4c215549e1f43b64fd3eb9ba35171be9dab9375a1a94107dd4f95bbf88e9c239136619e20",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows UEFI Driver Publisher",
          "TBS": {
            "MD5": "82b02850f57505f0830f6dd30b6aeffd",
            "SHA1": "e600e0efe4030190c5e0cab9aaad72f4e76db429",
            "SHA256": "1c1d5edaeb9a5feef85e34eb40607816e98464127723d284f99b69c0c15e42f7"
          },
          "ValidFrom": "2017-08-11 20:20:00",
          "ValidTo": "2018-08-11 20:20:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "6108d3c4000000000004",
          "Signature": "350842ff30cccef7760cad1068583529463276277cef124127421b4aaa6d813848591355f3e95834a6160b82aa5dad82da808341068fb41df203b9f31a5d1bf15090f9b3558442281c20bdb2ae5114c5c0ac9795211c90db0ffc779e95739188cabdbd52b905500ddf579ea061ed0de56d25d9400f1740c8cea34ac24daf9a121d08548fbdc7bcb92b3d492b1f32fc6a21694f9bc87e4234fc3606178b8f2040c0b39a257527cdc903a3f65dd1e736547ab950b5d312d107bfbb74dfdc1e8f80d5ed18f42f14166b2fde668cb023e5c784d8edeac13382ad564b182df1689507cdcff072f0aebbdd8685982c214c332bf00f4af06887b592553275a16a826a3ca32511a4edadd704aecbd84059a084d1954c6291221a741d8c3d470e44a6e4b09b3435b1fab653a82c81eca40571c89db8bae81b4466e447540e8e567fb39f1698b286d0683e9023b52f5e8f50858dc68d825f41a1f42e0de099d26c75e4b669b52186fa07d1f6e24dd1daad2c77531e253237c76c52729586b0f135616a19f5b23b815056a6322dfea289f94286271855a182ca5a9bf830985414a64796252fc826e441941a5c023fe596e3855b3c3e3fbb47167255e22522b1d97be703062aa3f71e9046c3000dd61989e30e352762037115a6efd027a0a0593760f83894b8e07870f8ba4c868794f6e0ae0245ee65c2b6a37e69167507929bf5a6bc598358",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011",
          "TBS": {
            "MD5": "1f23e75a000f0b6db92650dc26ac98e1",
            "SHA1": "bc477f73f16f0a5ae09e8ce4745c0a79c0e9a39d",
            "SHA256": "9589b8c95168f79243f61922faa5990de0a4866de928736fed658ea7bff1a5e2"
          },
          "ValidFrom": "2011-06-27 21:22:45",
          "ValidTo": "2026-06-27 21:32:45",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011",
          "SerialNumber": "3300000024c1fb0e65d9747386000100000024",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2023-08-31