SigmaHQ/rules/windows/process_creation/win_susp_bcdedit.yml

title: Possible Ransomware or Unauthorized MBR Modifications
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
status: experimental
description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
references:
    - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
author: '@neu5ron'
date: 2019/02/07
tags:
    - attack.defense_evasion
    - attack.t1070
    - attack.persistence
    - attack.t1067
    - attack.t1551
    - attack.t1542.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image: '*\bcdedit.exe'
        CommandLine:
            - '*delete*'
            - '*deletevalue*'
            - '*import*'
    condition: selection
level: medium
fix: fixed casing and long rule titles 2020-01-30 16:26:09 +00:00			`title: Possible Ransomware or Unauthorized MBR Modifications`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`status: experimental`
			`description: Detects, possibly, malicious unauthorized usage of bcdedit.exe`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`author: '@neu5ron'`
			`date: 2019/02/07`
Added missing tags and some minor improvements 2019-03-05 22:25:49 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1070`
			`- attack.persistence`
			`- attack.t1067`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1551`
			`- attack.t1542.003`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine 2020-05-15 16:35:32 +00:00			`Image: '*\bcdedit.exe'`
			`CommandLine:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- 'delete'`
			`- 'deletevalue'`
			`- 'import'`
			`condition: selection`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`level: medium`