Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE

Detects potential malicious and unauthorized usage of bcdedit.exe

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
@neu5ronCreated Thu Feb 07Updated Wed Feb 15c9fbe8e9-119d-40a6-9b59-dd58a5d84429windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\bcdedit.exe'
        - OriginalFileName: 'bcdedit.exe'
    selection_cli:
        CommandLine|contains:
            - 'delete'
            - 'deletevalue'
            - 'import'
            - 'safeboot'
            - 'network'
    condition: all of selection_*
References
1
Resolving title…
learn.microsoft.com
2
Resolving title…
twitter.com
MITRE ATT&CK

Sub-techniques

T1542.003 · Bootkit
Rule Metadata
Rule ID
c9fbe8e9-119d-40a6-9b59-dd58a5d84429
Status
test
Level
medium
Type
Detection
Created
Thu Feb 07
Modified
Wed Feb 15
Author
@neu5ron
Path
rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
Raw Tags
attack.defense-evasionattack.t1070attack.persistenceattack.t1542.003
View on GitHub