Modification of Boot Configuration using Bcdedit
Adversaries may modify the Boot Configuration Data (BCD) store using bcdedit.exe to disable recovery options, which is often associated with ransomware or destructive attacks, preventing system recovery.
Attackers or malware may use bcdedit.exe to modify the boot configuration data (BCD) to disable Windows Error Recovery or to ignore boot failures. This action is often seen in destructive attacks, specifically associated with ransomware campaigns, to prevent the system from properly recovering after encryption or other malicious activity. By modifying the BCD, attackers aim to inhibit system recovery, making remediation more difficult and increasing the impact of their attack. The rule 69c251fb-a5d6-4035-b5ec-40438bd829ff aims to identify this behavior.
Attack Chain
- Initial Access: The attacker gains access to the system through various methods, such as exploiting a vulnerability or using stolen credentials.
- Privilege Escalation: The attacker escalates their privileges to administrator level to execute commands like
bcdedit.exe. - Command Execution: The attacker executes
bcdedit.exewith specific arguments to modify the boot configuration. - Disabling Recovery: The command
bcdedit.exe /set {default} recoveryenabled Nodisables Windows Error Recovery. - Ignoring Boot Failures: The command
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailuresconfigures the system to ignore boot failures. - System Compromise: The attacker deploys ransomware or executes other destructive actions.
- System Reboot: The system is rebooted, and the modified boot configuration prevents normal recovery processes.
Impact
Successful modification of the boot configuration can lead to the inability to recover the system using standard recovery options. This can result in data loss, extended downtime, and increased costs associated with system restoration. This technique is often associated with ransomware attacks and can amplify their impact. The risk score associated with this activity is 21, as it severely hinders the ability to restore an impacted system.
Recommendation
- Enable Sysmon process creation logging to capture the execution of
bcdedit.exe(Data Source: Sysmon). - Deploy the Sigma rule "Modification of Boot Configuration with Bcdedit" to your SIEM and tune for your environment.
- Investigate any instance of
bcdedit.exebeing used to modifybootstatuspolicyorrecoveryenabled(query). - Monitor Windows Security Event Logs for process creation events related to
bcdedit.exewith the specified arguments (Data Source: Windows Security Event Logs). - Consider isolating any host where this activity is detected to prevent further destructive actions.
Detection coverage 2
Modification of Boot Configuration with Bcdedit
lowDetects the use of bcdedit.exe to modify boot configuration to disable recovery options.
Bcdedit Execution from Suspicious Location
mediumDetects bcdedit.exe execution from unusual directories.
Detection queries are available on the platform. Get full rules →