title: Possible Ransomware or Unauthorized MBR Modifications
author: '@neu5ron'
date: 2019/02/07
description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        Image: '*\bcdedit.exe'
    SELECTION_3:
        CommandLine: '*delete*'
    SELECTION_4:
        CommandLine: '*deletevalue*'
    SELECTION_5:
        CommandLine: '*import*'
    SELECTION_6:
        CommandLine: '*safeboot*'
    SELECTION_7:
        CommandLine: '*network*'
    condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
        or SELECTION_6 or SELECTION_7))
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
level: medium
logsource:
    category: process_creation
    product: windows
modified: 2021/06/18
references:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
- https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
status: experimental
tags:
- attack.defense_evasion
- attack.t1070
- attack.persistence
- attack.t1542.003
- attack.t1067
yml_filename: win_susp_bcdedit.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation