rules/windows/process_creation/proc_creation_win_bootconf_mod.yml

title: Modification of Boot Configuration
id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
status: test
description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
  - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
date: 2019/10/24
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith: \bcdedit.exe
    CommandLine|contains: set
  selection2:
    - CommandLine|contains|all:
      - bootstatuspolicy
      - ignoreallfailures
    - CommandLine|contains|all:
      - recoveryenabled
      - 'no'
  condition: selection1 and selection2
fields:
  - ComputerName
  - User
  - CommandLine
falsepositives:
  - Unlikely
level: high
tags:
  - attack.impact
  - attack.t1490
Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00			`title: Modification of Boot Configuration`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: 1444443e-6757-43e4-9ea4-c8fc705f79a2`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
			`description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.`
fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00			`author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community`
Update win_bootconf_mod.yml 2019-11-11 01:53:46 +03:00			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md`
			`- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html`
			`date: 2019/10/24`
			`modified: 2021/11/27`
OSCD QA wave 3 2020-01-19 22:34:16 +01:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection1:`
			`Image\|endswith: \bcdedit.exe`
			`CommandLine\|contains: set`
			`selection2:`
			`- CommandLine\|contains\|all:`
			`- bootstatuspolicy`
			`- ignoreallfailures`
			`- CommandLine\|contains\|all:`
			`- recoveryenabled`
			`- 'no'`
			`condition: selection1 and selection2`
OSCD QA wave 1 2020-01-11 00:11:27 +01:00			`fields:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- ComputerName`
			`- User`
			`- CommandLine`
Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Unlikely`
Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00			`level: high`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.impact`
			`- attack.t1490`