Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
Detects potential malicious and unauthorized usage of bcdedit.exe
Sigma rule

```yaml
title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
status: test
description: Detects potential malicious and unauthorized usage of bcdedit.exe
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
    - https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
author: '@neu5ron'
date: 2019-02-07
modified: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1070
    - attack.persistence
    - attack.t1542.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcdedit.exe'
        - OriginalFileName: 'bcdedit.exe'
    selection_cli:
        CommandLine|contains:
            - 'delete'
            - 'deletevalue'
            - 'import'
            - 'safeboot'
            - 'network'
    condition: all of selection_*
level: medium
```
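To see what this rule does and does not fire on, here is an added example (not part of the rule or the SigmaHQ project) that transcribes its detection block into Python and runs it over a handful of constructed Sysmon-style process_creation events. The evaluator assumes Sigma's default semantics: string modifiers are case-insensitive, a list of values under one field is OR-ed, the fields of one map are AND-ed, a list of maps under a selection is OR-ed, and `all of selection_*` AND-s the selections. The sample events are constructed, not real telemetry; they illustrate the renamed-binary case caught by `OriginalFileName`, a bare-substring false positive on `network`, and common bcdedit tampering commands (`recoveryenabled No`, `bootstatuspolicy ignoreallfailures`) that contain none of the listed substrings and therefore need other coverage.

```python
# Added example, not the rule's or SigmaHQ's own code. Evaluates the detection
# block of the Sigma rule above against constructed process_creation events.

# The rule's detection block, transcribed 1:1 into Python structures.
DETECTION = {
    "selection_img": [                      # list of maps -> OR between them
        {"Image|endswith": "\\bcdedit.exe"},
        {"OriginalFileName": "bcdedit.exe"},
    ],
    "selection_cli": {                      # single map -> AND of its fields
        "CommandLine|contains": ["delete", "deletevalue", "import", "safeboot", "network"],
    },
}


def _field_matches(event, field_spec, expected):
    """Evaluate one `Field|modifier: value(s)` pair against an event (assumed
    Sigma defaults: case-insensitive, list of values OR-ed)."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:                      # field absent from the event -> no match
        return False
    actual = actual.lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for value in candidates:
        value = value.lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _selection_matches(event, selection):
    if isinstance(selection, list):         # OR across the alternative maps
        return any(_selection_matches(event, alt) for alt in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event):
    """condition: all of selection_*"""
    return all(
        _selection_matches(event, sel)
        for name, sel in DETECTION.items()
        if name.startswith("selection_")
    )


SYS32 = "C:\\Windows\\System32\\bcdedit.exe"


def _ev(cmd, image=SYS32, orig="bcdedit.exe"):
    return {"Image": image, "OriginalFileName": orig, "CommandLine": cmd}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    # Ransomware staging: force Safe Mode, where many security agents do not run.
    "set_safeboot": _ev("bcdedit /set {default} safeboot minimal"),
    # Undoing it afterwards; hits on both 'delete' and 'safeboot'.
    "deletevalue_safeboot": _ev("bcdedit /deletevalue {current} safeboot"),
    # Renamed copy: Image no longer ends in \bcdedit.exe, but the PE version
    # resource still reports OriginalFileName=bcdedit.exe.
    "renamed_import": _ev("b.exe /import C:\\Users\\Public\\store.bcd",
                          image="C:\\Users\\Public\\b.exe"),
    # Frequent ransomware commands the rule does NOT cover: no listed substring.
    "recoveryenabled_no": _ev("bcdedit /set {default} recoveryenabled No"),
    "bootstatuspolicy": _ev("bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    # Benign enumeration.
    "enum_all": _ev("bcdedit /enum all"),
    # Benign but matched: 'network' is a bare substring test on the command line.
    "description_network": _ev('bcdedit /set {current} description "Network boot entry"'),
    # 'delete' present, but selection_img fails (different binary), so no alert.
    "wbadmin_delete": _ev("wbadmin delete catalog -quiet",
                          image="C:\\Windows\\System32\\wbadmin.exe", orig="WBADMIN.EXE"),
}


def evaluate_samples():
    """Return {sample name: True if the rule fires}."""
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'ignore'}  {name:22s} {SAMPLE_EVENTS[name]['CommandLine']}")
```

The two non-matching tampering commands are the practical takeaway: this rule is scoped to store edits, safeboot changes and the `network` keyword, so Safe Mode and recovery-suppression abuse via `recoveryenabled` or `bootstatuspolicy` must be detected elsewhere, and the `network` and `delete` substrings deserve an environment-specific false-positive review before the level is raised.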