Use of bcdedit to Disrupt Boot Processes

 1title: Use of bcdedit to Disrupt Boot Processes
 2id: e28f76ad-bdd9-4e56-bd09-ce8b9b853b7f
 3status: experimental
 4description: Detects the use of bcdedit to disrupt normal boot processes.
 5references:
 6    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
 7    - https://blog.nviso.eu/2022/05/30/detecting-bcd-changes-to-inhibit-system-recovery/
 8author: Micah Babinski
 9date: 2022/11/22
10tags:
11    - attack.impact
12    - attack.t1490
13    - attack.g0092
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_exe:
19        Image|endswith: '\bcdedit.exe'
20        CommandLine|contains|windash: '/set'
21    selection_ignorefailure:
22        CommandLine|contains: 'bootstatuspolicy'
23        CommandLine|re: 'ignore[a-zA-Z]*failures'
24    selection_disablerecovery:
25        CommandLine|contains|all:
26            - 'recoveryenabled'
27            - 'no'
28    condition: selection_exe and (selection_ignorefailure or selection_disablerecovery)
29falsepositives:
30    - Unknown
31level: high```

References

• #StopRansomware: Hive Ransomware | CISA

  Summary Actions to Take Today to Mitigate Cyber Threats from Ransomware: • Prioritize remediating known exploited vulnerabilities. • Enable and enforce multifactor authentication with strong passwo...

  
  Read More

• Detecting BCD Changes To Inhibit System Recovery

  

  Introduction Earlier this year, we observed a rise in malware that inhibits system recovery. This tactic is mostly used by ransomware and wiper malware. One notable example of such malware is “Herm…

  
  Read More

Related rules

• Boot Configuration Database (BCD) Manipulation - Registry Modification
• WMIC Shadow Copy Deletion
• Event Log Manipulation Using Wevtutil
• Secure Deletion with SDelete
• Overwriting the File with Dev Zero or Null