Boot Configuration Database (BCD) Manipulation - Registry Modification
Detects registry modifications occurring in tandem with disruption of boot processes with bcdedit (or as a method to evade detection)
Sigma rule
```yaml
title: Boot Configuration Database (BCD) Manipulation - Registry Modification
id: 99a9fbb6-62bf-4cb7-8406-a363bc14cbf3
status: experimental
description: Detects registry modifications occurring in tandem with disruption of boot processes with bcdedit (or as a method to evade detection)
references:
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://blog.nviso.eu/2022/05/30/detecting-bcd-changes-to-inhibit-system-recovery/
author: Micah Babinski
date: 2022/11/22
tags:
    - attack.impact
    - attack.t1490
    - attack.g0092
logsource:
    category: registry_set
    product: windows
detection:
    selection_1:
        EventType: 'SetValue'
        TargetObject|contains: 'elements'
    selection_2:
        TargetObject|contains:
            - '16000009'
            - '250000e0'
    condition: selection_1 and selection_2
falsepositives:
    - WMI initiating BCD changes
level: high
```
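The rule's condition applied to constructed registry_set events, as an added example that is not part of the rule or the SigmaHQ project. The sample events, the `{OBJ}` placeholder GUID and the process paths are assumptions for illustration; the mapping of the two element IDs to their bcdedit names comes from Microsoft's BCD element reference.

```python
# Added example, not part of the Sigma rule or the SigmaHQ project: a small
# evaluator that applies the rule's two selections to registry_set events so
# the AND/OR semantics of the condition can be checked against sample data.
# Field names follow the Sysmon Event ID 13 fields that Sigma maps to
# registry_set; the events below are constructed, not real telemetry.
from typing import Optional

# Element IDs from the rule, mapped to their bcdedit names (Microsoft BCD reference).
WATCHED_ELEMENTS = {
    "16000009": "recoveryenabled",   # BcdLibraryBoolean_AutoRecoveryEnabled
    "250000e0": "bootstatuspolicy",  # BcdOSLoaderInteger_BootStatusPolicy
}

def evaluate_event(event: dict) -> Optional[str]:
    """Return the matched BCD element name, or None if the rule does not fire.
    Sigma string modifiers are case-insensitive, so compare on lowercase."""
    target = event.get("TargetObject", "").lower()
    # selection_1: a value write under a BCD object's Elements key
    selection_1 = event.get("EventType") == "SetValue" and "elements" in target
    if not selection_1:
        return None
    # selection_2: list values are OR-ed, so any watched element id is enough
    for element_id, name in WATCHED_ELEMENTS.items():
        if element_id in target:
            return name
    return None

def evaluate_rule(events: list) -> list:
    """Run the rule over a batch. Each alert keeps the writing process, since
    the rule's stated false positive is WMI-initiated BCD changes."""
    alerts = []
    for event in events:
        name = evaluate_event(event)
        if name is not None:
            alerts.append({"element": name, "image": event.get("Image", "")})
    return alerts

# Constructed sample events (object GUID shortened to {OBJ} for readability).
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\bcdedit.exe",
     "TargetObject": r"HKLM\BCD00000000\Objects\{OBJ}\Elements\16000009\Element"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": r"HKLM\BCD00000000\Objects\{OBJ}\Elements\250000e0\Element"},
    # Unwatched element (12000004, the boot entry description): no alert.
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\bcdedit.exe",
     "TargetObject": r"HKLM\BCD00000000\Objects\{OBJ}\Elements\12000004\Element"},
    # Watched element but not a SetValue event, so selection_1 fails: no alert.
    {"EventType": "DeleteValue", "Image": r"C:\Windows\System32\bcdedit.exe",
     "TargetObject": r"HKLM\BCD00000000\Objects\{OBJ}\Elements\16000009\Element"},
]
```

Running `evaluate_rule(SAMPLE_EVENTS)` yields two alerts; the second carries a WmiPrvSE.exe image, which is the case the rule's falsepositives entry tells an analyst to triage rather than escalate blindly.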
Related rules
- Use of bcdedit to Disrupt Boot Processes
- WMIC Shadow Copy Deletion
- Event Log Manipulation Using Wevtutil