Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
Detects potentially malicious and unauthorized usage of bcdedit.exe: deleting boot entries or values, importing a boot configuration store, or setting the safeboot (minimal/network) option, which ransomware uses to reboot the host into Safe Mode where endpoint protection may not be running.
Sigma rule
```yaml
title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
status: test
description: Detects potential malicious and unauthorized usage of bcdedit.exe
references:
    - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
    - https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
author: '@neu5ron'
date: 2019/02/07
modified: 2023/02/15
tags:
    - attack.defense_evasion
    - attack.t1070
    - attack.persistence
    - attack.t1542.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcdedit.exe'
        - OriginalFileName: 'bcdedit.exe'
    selection_cli:
        CommandLine|contains:
            - 'delete'
            - 'deletevalue'
            - 'import'
            - 'safeboot'
            - 'network'
    condition: all of selection_*
level: medium
```
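To see what this rule actually fires on, the following is an added example (not part of the SigmaHQ rule or its page) that re-implements the rule's matching logic in plain Python and runs it over a handful of constructed process_creation events. The event dictionaries, field values and function names are all assumptions made for the illustration; Sigma semantics are applied as written in the rule: the two items under `selection_img` are OR'd, the `contains` keywords are OR'd, both selections must match, and string comparisons are case-insensitive.

```python
"""Apply the matching logic of the bcdedit.exe Sigma rule to sample events.

Added illustration, not SigmaHQ code. Events below are constructed, not real
telemetry; field names follow the Sigma process_creation mapping (Image,
OriginalFileName, CommandLine).
"""
from __future__ import annotations

# Constructed sample process_creation events.
SAMPLE_EVENTS = [
    # Classic ransomware prep: force the next boot into Safe Mode.
    {"Image": r"C:\Windows\System32\bcdedit.exe", "OriginalFileName": "bcdedit.exe",
     "CommandLine": "bcdedit /set {default} safeboot minimal"},
    # Safe Mode with networking.
    {"Image": r"C:\Windows\System32\bcdedit.exe", "OriginalFileName": "bcdedit.exe",
     "CommandLine": "bcdedit /set {default} safeboot network"},
    # Benign: just listing the boot store, should not fire.
    {"Image": r"C:\Windows\System32\bcdedit.exe", "OriginalFileName": "bcdedit.exe",
     "CommandLine": "bcdedit /enum"},
    # Renamed binary: Image no longer ends in bcdedit.exe, but the PE's
    # OriginalFileName still gives it away.
    {"Image": r"C:\Temp\x.exe", "OriginalFileName": "bcdedit.exe",
     "CommandLine": "x.exe /delete {bootmgr}"},
    # Launched through cmd /c: the cmd.exe event itself does not match
    # selection_img; only the child bcdedit.exe process would.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c bcdedit /deletevalue {default} safeboot"},
]

IMAGE_SUFFIX = "\\bcdedit.exe"          # Image|endswith
ORIGINAL_FILE_NAME = "bcdedit.exe"      # OriginalFileName (exact match)
CLI_KEYWORDS = ("delete", "deletevalue", "import", "safeboot", "network")


def selection_img(event: dict) -> bool:
    """Either list item matches (Sigma ORs list entries); case-insensitive."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX.lower()) or ofn == ORIGINAL_FILE_NAME.lower()


def selection_cli(event: dict) -> bool:
    """CommandLine|contains any of the keywords; case-insensitive substring."""
    cmd = event.get("CommandLine", "").lower()
    return any(keyword in cmd for keyword in CLI_KEYWORDS)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def run(events: list[dict] = SAMPLE_EVENTS) -> list[str]:
    """Return the command lines of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT:", hit)
```

Two things worth noting from the run: `deletevalue` is redundant as a keyword because `delete` already matches it as a substring, and the `cmd /c bcdedit ...` event does not match on its own, since the rule keys on the process image, not on `bcdedit` appearing somewhere in a parent's command line. In practice the spawned `bcdedit.exe` child process generates its own process_creation event, which is the one the rule catches.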
Related rules
- Possible Privilege Escalation via Weak Service Permissions
- Fax Service DLL Search Order Hijack
- Terminal Server Client Connection History Cleared - Registry
- Remove Exported Mailbox from Exchange Webserver
- Okta MFA Reset or Deactivated