← Library
sigmaDRL-1.1from SigmaHQ/sigma

Boot Configuration Tampering Via Bcdedit.EXE

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.

Quality
74
FP risk
Forks
0
Views
0
ATT&CK techniques
T1490
Rule sourcerules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml
title: Boot Configuration Tampering Via Bcdedit.EXE
id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
status: stable
description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2023-02-15
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcdedit.exe'
        - OriginalFileName: 'bcdedit.exe'
    selection_set:
        CommandLine|contains: 'set'
    selection_cli:
        - CommandLine|contains|all:
              - 'bootstatuspolicy'
              - 'ignoreallfailures'
        - CommandLine|contains|all:
              - 'recoveryenabled'
              - 'no'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
simulation:
    - type: atomic-red-team
      name: Windows - Disable Windows Recovery Console Repair
      technique: T1490
      atomic_guid: cf21060a-80b3-4238-a595-22525de4ab81
Boot Configuration Tampering Via Bcdedit.EXE · SIGMA rule | DetectionLint