Severity: high (advisory)

Potential System Tampering via File Modification

Detection of attempts to delete or modify critical Windows boot files indicating a potential destructive attack to prevent system startup.

This detection identifies attempts to delete or modify critical files used during the Windows boot process. The rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules. It also supports Microsoft Defender XDR and SentinelOne Cloud Funnel. Modification or deletion of files such as winload.exe, winload.efi, ntoskrnl.exe, and bootmgr located in the Windows directory could indicate a destructive attack aimed at rendering the system unable to boot.

Attack Chain

  1. Attacker gains initial access to the system via an exploit or compromised credentials (not covered by this detection).
  2. Attacker escalates privileges to gain necessary permissions to modify system files.
  3. Attacker uses a script or executable to target critical boot files.
  4. The script/executable attempts to modify or delete winload.exe, winload.efi, ntoskrnl.exe, or bootmgr.
  5. The malicious process bypasses standard system protections, potentially exploiting vulnerabilities.
  6. The targeted boot files are either modified, corrupted, or deleted.
  7. The system becomes unstable or completely unbootable upon the next restart.
  8. The attacker achieves their objective of disrupting system availability.

Impact

Successful modification or deletion of critical Windows boot files can render the system unbootable, causing significant downtime and data loss. Depending on the scope of the attack, this can affect individual workstations or an entire server infrastructure. Because these are OS files, tampering with them will lead to complete system failure, which can require a full reinstallation and therefore a complete loss of productivity until the system is rebuilt.

Recommendation

  • Enable and configure file integrity monitoring on critical boot files (winload.exe, winload.efi, ntoskrnl.exe, bootmgr) to ensure proper logging is available to detect tampering, as required by the rule.
  • Deploy the Sigma rule “Potential System Tampering via File Modification” to your SIEM and tune false positives based on legitimate software updates or system maintenance activities.
  • Investigate any alerts generated by the Sigma rule, prioritizing events where the modifying process is unsigned or runs from an unusual path, as the rule’s description advises.
  • Review and harden access controls on critical system files and directories to prevent unauthorized modification, reducing the attack surface.

Detection coverage (2 rules)

Potential System Tampering via File Modification - Sysmon

Severity: high

Detects modifications to critical boot files using Sysmon file event logs.

Format: Sigma | Tactics: impact | Techniques: T1485 | Sources: file_event, windows

Potential System Tampering via File Deletion - Sysmon

Severity: high

Detects deletions of critical boot files using Sysmon file event logs.

Format: Sigma | Tactics: impact | Techniques: T1485 | Sources: file_event, windows
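The two Sysmon-backed rules above are only available as Sigma on the platform. As an added example (not the platform's rules and not Sigma), the following Python expresses the same logic over Sysmon-style file events so the matching conditions can be tested against constructed log records: the four boot file names from the advisory, restricted to paths under the Windows directory, split into "modification" (Sysmon Event ID 11 FileCreate, which the Sysmon documentation states also fires when an existing file is overwritten) and "deletion" (Event IDs 23 FileDelete and 26 FileDeleteDetected). The triage priority, which ranks a modifying process outside the Windows directory higher, is an assumption made here to reflect the recommendation above, not part of the rule; the sample events and process names are constructed.

```python
"""Constructed example: boot-file tampering detection over Sysmon-style events.

Not the platform's Sigma rules; a plain-Python rendering of the same idea.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Boot files named by the advisory. File-name matching is case-insensitive
# because NTFS is, and Sysmon records the path as the caller supplied it.
CRITICAL_BOOT_FILES = {"winload.exe", "winload.efi", "ntoskrnl.exe", "bootmgr"}

# Sysmon event IDs (from the Sysmon documentation): 11 FileCreate also fires
# when an existing file is overwritten, so it stands in for "modification";
# 23 FileDelete and 26 FileDeleteDetected cover deletion.
MODIFY_EVENT_IDS = {11}
DELETE_EVENT_IDS = {23, 26}

# "Located in the Windows directory": a drive letter followed by \Windows\.
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)

RULE_MODIFY = "Potential System Tampering via File Modification - Sysmon"
RULE_DELETE = "Potential System Tampering via File Deletion - Sysmon"


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    target: str
    image: str
    priority: str


def is_critical_boot_file(path: str) -> bool:
    """True when the path is one of the four boot files under \\Windows\\."""
    if not WINDOWS_DIR.match(path):
        return False
    return path.rsplit("\\", 1)[-1].lower() in CRITICAL_BOOT_FILES


def triage_priority(image: str) -> str:
    """Rank alerts whose modifying process runs from an unusual path higher.

    Assumption for this example: a process image outside the Windows
    directory counts as unusual. Real tuning would also check signatures.
    """
    return "high" if not WINDOWS_DIR.match(image) else "medium"


def detect(events: Iterable[dict]) -> list[Alert]:
    """Run both rules over a stream of Sysmon-style event dicts."""
    alerts = []
    for ev in events:
        target = ev.get("TargetFilename", "")
        if not is_critical_boot_file(target):
            continue
        event_id = int(ev.get("EventID", 0))
        if event_id in MODIFY_EVENT_IDS:
            rule = RULE_MODIFY
        elif event_id in DELETE_EVENT_IDS:
            rule = RULE_DELETE
        else:
            continue  # e.g. Event ID 2 FileCreateTime: not in scope of these rules
        image = ev.get("Image", "")
        alerts.append(Alert(rule, event_id, target, image, triage_priority(image)))
    return alerts


# Constructed sample events (not real telemetry); process names are made up.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},          # benign file create
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"C:\Windows\System32\winload.efi"},             # overwrite of a boot loader
    {"EventID": 23, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"C:\Windows\System32\ntoskrnl.exe"},            # deletion of the kernel image
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Boot\PCAT\bootmgr"},                # write from inside Windows dir
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"D:\backup\winload.exe"},                       # same name, not the Windows dir
    {"EventID": 2, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"C:\Windows\System32\winload.exe"},             # timestamp change, out of scope
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.priority}] {a.rule}: EventID {a.event_id} {a.image} -> {a.target}")
```

Run against the constructed events, the detector raises three alerts: two high-priority ones for the overwrite and deletion by the process in the user's temp directory, and a medium-priority one for the bootmgr write from a process under the Windows directory, which is exactly the kind of event the recommendation says to tune against legitimate servicing activity. The copy of winload.exe on the D: drive and the timestamp-only event are ignored, matching the rules' scope.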
