← Back to Explore
sigmahighTTP
Boot Configuration Tampering Via Bcdedit.EXE
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
Detection Query
selection_img:
- Image|endswith: \bcdedit.exe
- OriginalFileName: bcdedit.exe
selection_set:
CommandLine|contains: set
selection_cli:
- CommandLine|contains|all:
- bootstatuspolicy
- ignoreallfailures
- CommandLine|contains|all:
- recoveryenabled
- no
condition: all of selection_*
Author
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
Created
2019-10-24
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.impactattack.t1490
Raw Content
title: Boot Configuration Tampering Via Bcdedit.EXE
id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
status: stable
description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2023-02-15
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bcdedit.exe'
- OriginalFileName: 'bcdedit.exe'
selection_set:
CommandLine|contains: 'set'
selection_cli:
- CommandLine|contains|all:
- 'bootstatuspolicy'
- 'ignoreallfailures'
- CommandLine|contains|all:
- 'recoveryenabled'
- 'no'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
simulation:
- type: atomic-red-team
name: Windows - Disable Windows Recovery Console Repair
technique: T1490
atomic_guid: cf21060a-80b3-4238-a595-22525de4ab81