← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE

Detects potential malicious and unauthorized usage of bcdedit.exe

Quality
82
FP risk
Forks
0
Views
0
ATT&CK techniques
T1070T1542.003
Rule sourcerules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
status: test
description: Detects potential malicious and unauthorized usage of bcdedit.exe
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
    - https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
author: '@neu5ron'
date: 2019-02-07
modified: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1070
    - attack.persistence
    - attack.t1542.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcdedit.exe'
        - OriginalFileName: 'bcdedit.exe'
    selection_cli:
        CommandLine|contains:
            - 'delete'
            - 'deletevalue'
            - 'import'
            - 'safeboot'
            - 'network'
    condition: all of selection_*
level: medium