0

Since there are quite a few exploits of Intel ME firmware in the CPU (same applies to AMD), I would like to know what SIEM solutions are there for detecting these kinds of attacks.

To be more exact, I would like to know how to detect known exploits and known implants, but optionally would like to detect zero days and novel implant software if possible.

Improve this question
2
  • What do you mean by "attack"? Are you looking for indicators of compromise or are you looking to detect the initial exploit and delivery of the implant? Are you satisfied with only looking for known exploits and known implants, or do you also want to detect 0-days and novel implant software?
    – RibaldEddie
    Commented Jan 19, 2023 at 20:03
  • @RibaldEddie good point, edited the question
    – Sir Muffington
    Commented Jan 19, 2023 at 21:09

2 Answers 2

Reset to default
1

These would be architectural attacks which can be undetectable using software.

In practice, the exploit has to emulate an exploit-free system perfectly, which is hard.

Some ideas:

  • SMM mode rootkit can be detected by timing execution from a remote host
  • The TPM can implement remote attestation that verifies the contents/state of the firmware
  • Out-of-band management chip can snoop the system buses and verify critical system memory has not been altered

There are commercial solutions doing some of these, but they won't be work-out-of-the-box/non-intrusive. Some sysadmin work is required.

Improve this answer
2
  • Isn't SMM mode only for the old x86 architecture or did it get ported to amd64 too? TPM is a black box proprietary system, I don't know whether you can trust it... Can you elaborate on the third point?
    – Sir Muffington
    Commented Jan 20, 2023 at 18:31
  • AMD64 still have it; otherwise, the firmware cannot safely set up protected data structures and handle platform-specific interrupts without interfering with the OS. (You might be thinking about IA64/Itanium, which has a different mode to the same effect.)
    – billc.cn
    Commented Jan 20, 2023 at 22:08
1

Sniff SPI or compare BIOS with a known good one. Analyze the BIOS dump in case something seems fishy. Since you also tagged "defense": Provided you have a known good BIOS ensure that it can't be overwritten at all.

Improve this answer
2
  • Can you elaborate on how that exactly would work? Shouldn't you sniff the CPU bus then?..
    – Sir Muffington
    Commented Jan 20, 2023 at 18:30
  • This is for knowing something goes on on your SPI/BIOS chip. Code for ME lives on the SPI chip and can be part of BIOS updates. en.wikipedia.org/wiki/Intel_Management_Engine#Design
    – secfren
    Commented Jan 20, 2023 at 19:23

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .