Objective

This lab walks through the UEFI visibility Velociraptor provides and simulates how we would deploy detection capability for BlackLotus, following a technical detection article.

  1. Generic Velociraptor visibility from the Windows EFI API.
  2. Install a BlackLotus malware sample.
  3. Walk through several detection capabilities for BlackLotus-style attacks that can be run at scale via Velociraptor.

Dependencies

A VM with UEFI enabled. A task below walks through enabling it.

A VM with internet access and Velociraptor available on the desktop, set up as per Lab: GUI mode walk through.

Artifact Exchange content imported into your Velociraptor instance (see Lab: GUI mode walk through).

Take a snapshot of your VM to enable rollback: we are going to run malware, and it is much easier to simply roll back at the end of the lab.

Open cmd, browse to the desktop and run: velociraptor.exe gui --datastore=./VRdata -v

The Velociraptor GUI is configured to open automatically upon start, but the credentials are available below:

Tasks

Enabling UEFI on your Virtual Machine

Walk through EFI API visibility

Install BlackLotus