SigmaHQ/wazuh/rules/sigma_win_bootconf_mod.yml

alert:
- debug
description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
filter:
- query:
    query_string:
      query: ((data.win.eventdata.image.keyword:*\\bcdedit.exe AND data.win.eventdata.commandLine.keyword:*set*) AND ((data.win.eventdata.commandLine.keyword:*bootstatuspolicy* AND data.win.eventdata.commandLine.keyword:*ignoreallfailures*) OR (data.win.eventdata.commandLine.keyword:*recoveryenabled* AND data.win.eventdata.commandLine.keyword:*no*)))
index: wazuh-alerts-3.x-*
name: 1444443e-6757-43e4-9ea4-c8fc705f79a2_0
priority: 2
realert:
  minutes: 0
type: any
123 2020-12-02 22:43:30 +00:00			`alert:`
			`- debug`
			`description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.`
			`filter:`
			`- query:`
			`query_string:`
			`query: ((data.win.eventdata.image.keyword:\\bcdedit.exe AND data.win.eventdata.commandLine.keyword:set) AND ((data.win.eventdata.commandLine.keyword:bootstatuspolicy* AND data.win.eventdata.commandLine.keyword:ignoreallfailures) OR (data.win.eventdata.commandLine.keyword:recoveryenabled AND data.win.eventdata.commandLine.keyword:no)))`
			`index: wazuh-alerts-3.x-*`
			`name: 1444443e-6757-43e4-9ea4-c8fc705f79a2_0`
			`priority: 2`
			`realert:`
			`minutes: 0`
			`type: any`