Thursday, 7 February 2019

Threat Hunting #8 - Detecting traces of Boot Config Data changes

Changing Boot Configuration Data (BCD) can be abused to make the kernel load unsigned kernel drivers (a rootkit).

BCD can be modified in several ways, most notably via WMIC or the bcdedit.exe utility.

In a few words, you will need to watch for the following settings in event 4826 (logged at the first system boot after the BCD changes):

  • Disable Integrity Checks: Yes
  • HyperVisor Debugging: Yes
  • Kernel Debugging: Yes
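As an added example (not code from the original post), a small Python parser that reads the rendered text of an event 4826 message and flags the settings listed above. The sample message is constructed, the field labels follow the event's rendered layout, and "Test Signing" is an extra 4826 field included as an assumption beyond the three the post names.

```python
import re

# Rendered 4826 field labels that weaken kernel code integrity. The first
# three are the settings the post lists; "Test Signing" is assumed to be
# present in the same event and is checked as an extension.
RISKY_FIELDS = ("Disable Integrity Checks", "HyperVisor Debugging",
                "Kernel Debugging", "Test Signing")

# Constructed sample of a rendered 4826 message (not a real capture).
SAMPLE_4826 = """Boot Configuration Data loaded.

Subject:
\tSecurity ID:\t\tSYSTEM
\tAccount Name:\t\tSYSTEM

General Settings:
\tLoad Options:\t\t-
\tAdvanced Options:\tNo
\tConfiguration Access Policy:\tDefault
\tSystem Event Logging:\tNo
\tKernel Debugging:\tYes
\tVSM Launch Type:\tOff

Signature Settings:
\tTest Signing:\t\tNo
\tFlight Signing:\t\tNo
\tDisable Integrity Checks:\tYes

HyperVisor Settings:
\tHyperVisor Load Options:\t-
\tHyperVisor Launch Type:\tOff
\tHyperVisor Debugging:\tNo
"""

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_4826(message: str) -> dict:
    """Turn the 'Label:<tabs>Value' lines of a rendered message into a dict."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def risky_settings(message: str) -> list:
    """Return the risky fields set to 'Yes', in RISKY_FIELDS order."""
    fields = parse_4826(message)
    return [f for f in RISKY_FIELDS if fields.get(f, "").lower() == "yes"]


if __name__ == "__main__":
    print("Flagged 4826 settings:", risky_settings(SAMPLE_4826))
```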

