Boot Configuration Tampering Via Bcdedit.EXE
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
Sigma rule (View on GitHub)
1title: Boot Configuration Tampering Via Bcdedit.EXE
2id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
3status: stable
4description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
7 - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
8author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
9date: 2019-10-24
10modified: 2023-02-15
11tags:
12 - attack.impact
13 - attack.t1490
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\bcdedit.exe'
20 - OriginalFileName: 'bcdedit.exe'
21 selection_set:
22 CommandLine|contains: 'set'
23 selection_cli:
24 - CommandLine|contains|all:
25 - 'bootstatuspolicy'
26 - 'ignoreallfailures'
27 - CommandLine|contains|all:
28 - 'recoveryenabled'
29 - 'no'
30 condition: all of selection_*
31fields:
32 - ComputerName
33 - User
34 - CommandLine
35falsepositives:
36 - Unlikely
37level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Related rules
- All Backups Deleted Via Wbadmin.EXE
- Backup Files Deleted
- Cisco Modify Configuration
- Copy From VolumeShadowCopy Via Cmd.EXE
- Delete Volume Shadow Copies Via WMI With PowerShell