February 20th, 2024 20:27

[Precision 3660 BIOS Attack] Dell Trusted Device | BIOS Events and IoA

After installing "Trusted Device Agent v6.1.2.0" to Dell, I looked at the Dell Trusted Device Dashboard to see the following:

After clicking into the IoA for BIOS, I see the following: 

I started looking through Event Viewer and saw the following (the day after I'd done a complete re-install of Windows by direction of Dell support while troubleshooting a separate issue).

 

-----------------

Log Name: System
Source: Dell Trusted Device | BIOS Events and IoA
Date: 12/30/2023 8:01:05 AM
Event ID: 11
Task Category: (3)
Level: Warning

-----------------

A partial Indicator of Attack was detected (Category: Remote Attack) based on the following events:
 PLDM_AllowBiosDowngrade enabled, 12/30/2023 8:00:59
 PLDM_CapsuleFirmwareUpdate enabled, 12/30/2023 8:00:59

 

-----------------

Log Name:  System
Source: Dell Trusted Device | BIOS Events and IoA
Date: 12/30/2023 8:01:05 AM
Event ID: 11
Task Category: (3)
Level: Warning

-----------------

A partial Indicator of Attack was detected (Category: Remote Attack) based on the following events:
 PLDM_AllowBiosDowngrade enabled, 12/30/2023 8:00:59
 PLDM_CapsuleFirmwareUpdate enabled, 12/30/2023 8:00:59

 

-----------------

Log Name:  System
Source: Dell Trusted Device | BIOS Events and IoA
Date: 12/30/2023 8:01:05 AM
Event ID: 11
Task Category: (3)
Level: Warning

-----------------

A partial Indicator of Attack was detected (Category: Remote Attack) based on the following events:
 PLDM_AllowBiosDowngrade enabled, 12/30/2023 8:00:59
 PLDM_CapsuleFirmwareUpdate enabled, 12/30/2023 8:00:59

 

-----------------

Log Name: System
Source: Dell Trusted Device | BIOS Events and IoA
Date: 12/30/2023 8:01:05 AM
Event ID: 11
Task Category: (3)
Level: Warning

-----------------

A partial Indicator of Attack was detected (Category: Remote Attack) based on the following events:
 PLDM_AllowBiosDowngrade enabled, 12/30/2023 8:00:59
 PLDM_CapsuleFirmwareUpdate enabled, 12/30/2023 8:00:59

 

-----------------

Log Name: System
Source: Dell Trusted Device | BIOS Events and IoA
Date: 12/30/2023 8:01:05 AM
Event ID: 12
Task Category: (3)
Level: Error

-----------------

An Indicator of Attack was detected (Category: BIOS Update) based on the following events:
 PLDM_AllowBiosDowngrade enabled, 12/30/2023 8:00:59

 

-----------------

Log Name:  System
Source: Dell Trusted Device | BIOS Events and IoA
Date: 12/30/2023 8:01:05 AM
Event ID: 11
Task Category: (3)
Level: Warning

-----------------

A partial Indicator of Attack was detected (Category: BIOS Update) based on the following events:
 PLDM_AllowBiosDowngrade enabled, 12/30/2023 8:00:59
 PLDM_CapsuleFirmwareUpdate enabled, 12/30/2023 8:00:59

 

-----------------

Log Name:  System
Source: Dell Trusted Device | BIOS Events and IoA
Date: 12/30/2023 8:01:05 AM
Event ID: 12
Task Category: (3)
Level: Error

-----------------

An Indicator of Attack was detected (Category: Authentication Tampering) based on the following events: 

PLDM_StrongPassword disabled, 12/30/2023 8:00:59

Can someone help me here ... I feel as though I've been compromised for coming on three months. I entered my BIOS this morning and set an Admin, System, and SSD Password. I also restored the BIOS settings to Factory Defaults. However, the warnings on the Dell Trusted Device Dashboard have persisted.

 

Moderator


April 23rd, 2024 20:54

Hey @JakeOnDell,

Thanks for the informative post. From the data you provided, Dell Trusted Device is reporting that two settings in the BIOS are enabled that can increase your risk.

  • Allow BIOS Downgrade
  • Enable UEFI Capsule Firmware Updates  

To remove the warning message, please toggle the setting to OFF in the BIOS.  Then wait approximately 15 minutes for a security assessment to run after logging into Windows.

The following Dell KB article can also help identify some of the IoA telemetry Dell Trusted Device surfaces and shows you what BIOS settings may be contributing to that alert.

Dell Trusted Device Security Score Overview in the TechDirect Console

#IWork4Dell
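Added example, not part of the thread and not Dell code: a small triage script that collapses the Event ID 11/12 messages quoted in the question into one line per BIOS setting, so repeated alerts can be read as a list of settings to review. The message layout is taken from the events quoted above; the function names and the "full" label for non-partial indicators are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: message bodies as quoted in the post (Event IDs 11 and 12).
SAMPLE = """\
A partial Indicator of Attack was detected (Category: Remote Attack) based on the following events:
 PLDM_AllowBiosDowngrade enabled, 12/30/2023 8:00:59
 PLDM_CapsuleFirmwareUpdate enabled, 12/30/2023 8:00:59
A partial Indicator of Attack was detected (Category: Remote Attack) based on the following events:
 PLDM_AllowBiosDowngrade enabled, 12/30/2023 8:00:59
 PLDM_CapsuleFirmwareUpdate enabled, 12/30/2023 8:00:59
An Indicator of Attack was detected (Category: BIOS Update) based on the following events:
 PLDM_AllowBiosDowngrade enabled, 12/30/2023 8:00:59
A partial Indicator of Attack was detected (Category: BIOS Update) based on the following events:
 PLDM_AllowBiosDowngrade enabled, 12/30/2023 8:00:59
 PLDM_CapsuleFirmwareUpdate enabled, 12/30/2023 8:00:59
An Indicator of Attack was detected (Category: Authentication Tampering) based on the following events:

PLDM_StrongPassword disabled, 12/30/2023 8:00:59
"""

HEADER = re.compile(r"^An?\s+(partial\s+)?Indicator of Attack was detected \(Category: ([^)]+)\)")
SETTING = re.compile(r"^\s*(PLDM_\w+)\s+(enabled|disabled),\s*(\S+ \S+)\s*$")

def summarize(text):
    """Map (setting, state) -> categories that cited it and the times it was recorded."""
    findings = defaultdict(lambda: {"categories": set(), "times": set()})
    current = None  # (category, "partial" | "full") of the event being read
    for line in text.splitlines():
        h = HEADER.match(line.strip())
        if h:
            current = (h.group(2), "partial" if h.group(1) else "full")
            continue
        s = SETTING.match(line)
        if s and current:
            entry = findings[(s.group(1), s.group(2))]
            entry["categories"].add(current)
            entry["times"].add(s.group(3))
    return dict(findings)

def report(findings):
    lines = []
    for (name, state), f in sorted(findings.items()):
        cats = ", ".join(f"{c} ({sev})" for c, sev in sorted(f["categories"]))
        lines.append(f"{name} {state} [{len(f['times'])} change time(s)]: {cats}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

On the quoted events this yields three settings, each recorded at the single timestamp 12/30/2023 8:00:59.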
