BCDEdit Failure Recovery Modification
Description
This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2020-12-21
- Author: Michael Haag, Splunk
- ID: 809b31d2-5462-11eb-ae93-0242ac130002
ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1490 | Inhibit System Recovery | Impact |
Search
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*" (Processes.process="* no*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `bcdedit_failure_recovery_modification_filter`
Associated Analytic Story
How To Implement
You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. Tune based on parent process names.
Required field
- _time
- Processes.process_name
- Processes.process
- Processes.parent_process_name
- Processes.dest
- Processes.user
Kill Chain Phase
- Actions on Objectives
Known False Positives
Administrators may modify the boot configuration.
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 80.0 | 100 | 80 | An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting disable the ability to recover the endpoint. |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1