Prevent Automatic Repair Mode Using Bcdedit

Prevent Automatic Repair Mode Using Bcdedit

Description

This search is to detect a suspicious bcdedit.exe execution to ignore all failures. This technique was used by ransomware to prevent the compromise machine automatically boot in repair mode.

   Help

Prevent Automatic Repair Mode Using Bcdedit Help

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed bcdedit.exe may be used.

   Search

Open in Search