manipulate boot configuration

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: manipulate boot configuration
    namespace: host-interaction/bootloader
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: thread
    references:
      - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options
    examples:
      - 7FBC17A09CF5320C515FC1C5BA42C8B3:0x40CA00
  features:
    - or:
      - and:
        - string: /bcdedit.exe/i
        - optional:
          - string: "/deletevalue safeboot"
      - and:
        - string: /boot.ini/i
        - optional:
          - api: kernel32.GetPrivateProfileStringA
          - api: kernel32.WritePrivateProfileString
          - or:
            - string: /default/i
            - string: /boot loader/i
            - string: /operating systems/i

last edited: 2023-11-24 10:34:28