# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.

# Name: Boot Config Deletion With bcdedit
# RTA: delete_bootconf.py
# ATT&CK: T1107
# signal.rule.name: Modification of Boot Configuration
# Description: Uses bcdedit.exe to backup the current boot configuration, and then to delete the current boot
#  configuration, finally restoring the original.

from pathlib import Path

from . import RtaMetadata, common

metadata = RtaMetadata(
    uuid="eaf71384-2e38-4970-b170-9645ccde1d2b",
    platforms=["windows"],
    endpoint=[],
    siem=[{"rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "rule_name": "Modification of Boot Configuration"}],
    techniques=["T1490"],
)


@common.requires_os(*metadata.platforms)
def main():
    # Messing with the boot configuration is probably not a great idea so create a backup:
    common.log("Exporting the boot configuration....")
    bcdedit = "bcdedit.exe"
    backup_file = Path("boot.cfg").resolve()
    common.execute(["bcdedit.exe", "/export", backup_file])

    # WARNING: this is a destructive command which might be super bad to run
    common.log("Changing boot configuration", log_type="!")
    common.execute([bcdedit, "/set", "{current}", "bootstatuspolicy", "ignoreallfailures"])
    common.execute([bcdedit, "/set", "{current}", "recoveryenabled", "no"])

    # Restore the boot configuration
    common.log("Restoring boot configuration from %s" % backup_file, log_type="-")
    common.execute([bcdedit, "/import", backup_file])


if __name__ == "__main__":
    exit(main())