-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Expand file tree
/
Copy pathproc_creation_win_bcdedit_boot_conf_tamper.yml
More file actions
38 lines (38 loc) · 1.39 KB
/
proc_creation_win_bcdedit_boot_conf_tamper.yml
File metadata and controls
38 lines (38 loc) · 1.39 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
title: Boot Configuration Tampering Via Bcdedit.EXE
id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
status: stable
description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2023-02-15
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bcdedit.exe'
- OriginalFileName: 'bcdedit.exe'
selection_set:
CommandLine|contains: 'set'
selection_cli:
- CommandLine|contains|all:
- 'bootstatuspolicy'
- 'ignoreallfailures'
- CommandLine|contains|all:
- 'recoveryenabled'
- 'no'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
simulation:
- type: atomic-red-team
name: Windows - Disable Windows Recovery Console Repair
technique: T1490
atomic_guid: cf21060a-80b3-4238-a595-22525de4ab81