Unpatched NTFS Zero-Day in Windows 10 Damages Hard Drive with a Single File View

The information security analyst Jonas L has discovered an alarming bug in Windows 10 that might corrupt any hard drive (HD) relying on the NTFS formatting. A zero-day flaw remains unpatched despite the researcher has pointed up to it since autumn 2020.

NTFS Vulnerability Analysis

The NTFS zero-day vulnerability exists in Windows 10 build 1803, the Windows 10 April 2018 Update, and it is still applicable within the last OS version. The flaw might be exploited by a user without any admin rights on the system, making the bug critical.

According to the researchers’ NTFS vulnerability description, the zero-day might be triggered via a one-line command. Furthermore, opening a file or simply viewing a specially-formatted icon could result in HD damage. Particularly, the bug is tied to the “$i30” Windows NTFS Index Attribute. Once a user runs the command with the “$i30” NTFS attribute, the system immediately corrupts the hard drive and urges the user to launch a restart required to fix the trashed storage unit. However, frequently the damaged files are hard to recover, and the disk’s master file table (MFT) remains damaged as well.

NTFS Zero-Day Exploitation

The vulnerability presumes multiple methods of exploitation. For example, threat actors might deliver malicious NTFS index attribute commands via Windows shortcuts, ZIP archives, or big batches of legitimate files. The flaw is exploitable even in case the user doesn’t double-click the file but only opens the folder it is located in. Therefore, the most complicated task in the attack routine is to deliver the Windows shortcut file to the system. Threat actors only need to produce a convincing lure that prompts users to extract a ZIP archive or load a bundle of files.

NTFS Vulnerability Detection and Mitigation

SOC Prime’s team of threat hunting engineers has developed a proof-of-concept (PoC) exploit for this NTFS zero-day and released a Sigma rule for proactive detection. You can download the content item from our Threat Detection Marketplace and stay safe while waiting for the official patch: 

https://tdm.socprime.com/tdm/info/kJwEoozBjpwh/O89OAXcBTwmKwLA90ARl/

To enhance the detection of this nasty NTFS flaw, check fresh SOC content released by our Threat Bounty developer Furkan Celik  on January 22, 2021:

https://tdm.socprime.com/tdm/info/aRQYhKyh9X9W/sKecKncBR-lx4sDx-iqM/

The rules have translations to the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio.

EDR: Microsoft Defender ATP, Carbon Black

MITRE ATT&CK: 

Tactics: Impact

Techniques: Data Destruction (T1485)

We will continuously update this blog post with the information related to the official patch, possible mitigations from the vendor, and additional detection rules from our team. 

Get a free subscription to the Threat Detection Marketplace to reach more curated SOC content for proactive attack detection. Feel ready to craft your own Sigma rules, be welcome to join the Threat Bounty Program to enhance our threat hunting initiatives.