Boot Configuration Database (BCD) Manipulation - Registry Modification

 1title: Boot Configuration Database (BCD) Manipulation - Registry Modification
 2id: 99a9fbb6-62bf-4cb7-8406-a363bc14cbf3
 3status: experimental
 4description: Detects registry modifications occuring in tandem with disruption of boot processes with bcdedit (or as a method to evade detection)
 5references:
 6    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
 7    - https://blog.nviso.eu/2022/05/30/detecting-bcd-changes-to-inhibit-system-recovery/
 8author: Micah Babinski
 9date: 2022/11/22
10tags:
11    - attack.impact
12    - attack.t1490
13    - attack.g0092
14logsource:
15    category: registry_set
16    product: windows
17detection:
18    selection_1:
19        EventType: 'SetValue'
20        TargetObject|contains: 'elements'
21    selection_2:
22        TargetObject|contains: 
23            - '16000009'
24            - '250000e0'
25    condition: selection_1 and selection_2
26falsepositives:
27    - WMI initiating BCD changes
28level: high```

References

• #StopRansomware: Hive Ransomware | CISA

  Summary Actions to Take Today to Mitigate Cyber Threats from Ransomware: • Prioritize remediating known exploited vulnerabilities. • Enable and enforce multifactor authentication with strong passwo...

  
  Read More

• Detecting BCD Changes To Inhibit System Recovery

  

  Introduction Earlier this year, we observed a rise in malware that inhibits system recovery. This tactic is mostly used by ransomware and wiper malware. One notable example of such malware is “Herm…

  
  Read More

Related rules

• Use of bcdedit to Disrupt Boot Processes
• WMIC Shadow Copy Deletion
• Event Log Manipulation Using Wevtutil
• Secure Deletion with SDelete
• Overwriting the File with Dev Zero or Null