This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Inhibit System Recovery N/A Impact Moderate

D3FEND Techniques

ID Name
D3-PSA Process Spawn Analysis
D3-PLA Process Lineage Analysis

Data Model References

Object Action Field
process create exe
process create command_line

Implementations

Pseudocode – detect attempts to add a certificate to a certificate store (Pseudocode, CAR native)

Pseudocode implementation of the splunk search below

processes = search Process:Create
bcdedit_commands = filter processes where (
  exe = "C:\Windows\System32\bcdedit.exe" AND command_line="*recoveryenabled*" )
output bcedit_commands

Splunk code (Splunk, Endpoint)

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. Tune based on parent process names.

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*" (Processes.process="* no*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user

Unit Tests

Test Case 1

Configurations: Using Splunk Attack Range

Replay the detection dataset using the Splunk attack range with the commands below

python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP]

Test Case 2

Configurations: Using Invoke-AtomicRedTeam

execute the atomic test T1490 against a Windows target.

Invoke-AtomicTest T1490