Potential System Tampering via File Modification
Attackers may attempt to modify or delete critical Windows boot files such as 'winload.exe' or 'ntoskrnl.exe' to inhibit system recovery and cause data destruction, leading to a denial-of-service condition.
This threat brief addresses the potential for system tampering through the modification or deletion of critical Windows boot files. The focus is on detecting activity that indicates an attacker is attempting to prevent a system from booting, a common tactic employed in destructive attacks or as a final step in a ransomware deployment. Specifically, the rule from Elastic detects changes to files like winload.exe, winlod.efi, ntoskrnl.exe, and bootmgr within the Windows directory. The actions are often performed by a threat actor with elevated privileges or by malware designed to render a system unusable. Identifying and responding to these attempts is crucial to prevent significant data loss and system downtime. This activity can be difficult to detect because patching systems will modify the same files.
Attack Chain
- Initial Access: The attacker gains initial access to the system through exploitation of a vulnerability or compromised credentials (not directly covered in this detection).
- Privilege Escalation: The attacker escalates privileges to gain administrative or SYSTEM-level access, which is necessary to modify critical system files.
- Disable Security Controls: Attempts to disable or bypass security controls to avoid detection or interference with the file modification process (not directly covered in this detection).
- Identify Target Files: The attacker identifies critical boot files, such as
winload.exe,winlod.efi,ntoskrnl.exe, andbootmgr, located in theC:\Windows\directory. - Modify/Delete Files: The attacker modifies or deletes the identified boot files, potentially using tools like
PowerShell,cmd.exeor custom malware. - System Reboot: The attacker triggers a system reboot to activate the changes and prevent the system from booting successfully.
- Denial of Service: The system fails to boot, resulting in a denial-of-service condition and potential data loss or corruption.
Impact
Successful execution of this attack can lead to a complete system failure, requiring extensive recovery efforts or a full system rebuild. This can result in significant downtime, data loss, and financial impact, especially for critical servers or systems. The damage can extend beyond a single machine if the attacker is able to propagate the file modification across multiple systems within the network. Organizations in all sectors are at risk, with those heavily reliant on Windows-based infrastructure being particularly vulnerable.
Recommendation
- Enable Sysmon file-creation and file-modification logging to detect changes to critical boot files, as outlined in the rule description (Data Source: Sysmon).
- Deploy the Sigma rule "Potential System Tampering via File Modification" to your SIEM and tune the exclusions for your environment (rule provided below).
- Investigate any alerts generated by the rule, focusing on identifying the process responsible for the file modification and its parent processes (rule note).
- Implement and enforce the principle of least privilege to minimize the number of accounts with the ability to modify critical system files (rule note).
- Regularly review and update the list of excluded processes in the rule to account for legitimate software updates or system maintenance activities (rule query).
Detection coverage 2
Potential System Tampering via File Modification
highDetects modification or deletion of critical Windows boot files which may prevent the system from booting.
Potential System Tampering via File Deletion
highDetects deletion of critical Windows boot files which may prevent the system from booting.
Detection queries are available on the platform. Get full rules →