The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

« Mknod Process Activity MsBuild Making Network Connections »

› › ›

Modification of Boot Configuration

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Modification of Boot Configuration

edit

Identifies use of bcdedit.exe to delete boot configuration data. Malware and attackers sometimes use this tactic as a destructive technique.

Rule type: query

Rule indices:

winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

Elastic
Windows

Version: 1

Added (Elastic Stack release): 7.7.0

Rule query

edit

event.action:"Process Create (rule: ProcessCreate)" and
process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy
and ignoreallfailures or no and recoveryenabled))

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: File Deletion
- ID: T1107
- Reference URL: https://attack.mitre.org/techniques/T1107/

« Mknod Process Activity MsBuild Making Network Connections »