Skip to main content
Splunk Lantern

Bcdedit boot recovery modifications

This search looks for flags that ransomware passes to bcdedit.exe, a command-line tool for managing boot configuration data (BCD) stores. Ransomware can use this tool to modify Windows error recovery boot configurations on a target machine. This tactic is typically used by ransomware to prevent recovery of encrypted files.

Data required 

Endpoint data

Procedure

  1. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. To run this search, your deployment needs to be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=bcdedit.exe "Processes.process"="*recoveryenabled*" "Processes.process"="* no*") BY "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=bcdedit.exe "Processes.process"="*recoveryenabled*" "Processes.process"="* no*") BY "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user"  Query the Endpoint.Processes data model object to search for flags passed to bcedit.exe. Sort first by process name, then process, parent process name, destination, and user.
| rename "Processes.*" AS "*"  Rename data model fields for better readability.
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Convert these times into readable strings.

Next steps

You can tune your search results based on parent process names. False positives in this search may occur because administrators can modify boot configurations for legitimate reasons.

If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.