← Back to Explore
sigmamediumHunting
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
Detects potential malicious and unauthorized usage of bcdedit.exe
Detection Query
selection_img:
- Image|endswith: \bcdedit.exe
- OriginalFileName: bcdedit.exe
selection_cli:
CommandLine|contains:
- delete
- deletevalue
- import
- safeboot
- network
condition: all of selection_*
Author
@neu5ron
Created
2019-02-07
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1070attack.persistenceattack.t1542.003
Raw Content
title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
status: test
description: Detects potential malicious and unauthorized usage of bcdedit.exe
references:
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
- https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
author: '@neu5ron'
date: 2019-02-07
modified: 2023-02-15
tags:
- attack.defense-evasion
- attack.t1070
- attack.persistence
- attack.t1542.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bcdedit.exe'
- OriginalFileName: 'bcdedit.exe'
selection_cli:
CommandLine|contains:
- 'delete'
- 'deletevalue'
- 'import'
- 'safeboot'
- 'network'
condition: all of selection_*
level: medium