Thursday, 7 February 2019

Threat Hunting #8 - Detecting traces of Boot Config Data changes


Changing the Boot Configuration Data (BCD) can be abused to make the kernel load unsigned kernel drivers, for example a rootkit.

BCD can be modified in several ways, most notably via WMIC or the bcdedit.exe utility.

In short, watch for the following values in event 4826, which is logged at the first system boot after the BCD change:

  • Disable Integrity Checks: Yes
  • HyperVisor Debugging: Yes
  • Kernel Debugging: Yes
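The check above, as an added example written for this post rather than code from the original: it parses a 4826 event rendered as XML and reports which of the three watched flags are set to Yes. The EventData `Name` attributes and the `%%1842`/`%%1843` resource codes for Yes/No are assumed from the Windows event schema, and the two sample events are constructed, not real log exports.

```python
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EventData "Name" attribute -> rendered field name as shown in the post.
# The attribute names are assumed, not taken from the post itself.
WATCHED_FIELDS = {
    "DisableIntegrityChecks": "Disable Integrity Checks",
    "HypervisorDebugging": "HyperVisor Debugging",
    "KernelDebugging": "Kernel Debugging",
}

# Raw XML may carry a resource reference instead of rendered text; %%1842 is
# assumed to render as "Yes" and %%1843 as "No". Plain "Yes" is accepted too.
YES_VALUES = {"yes", "%%1842"}


def parse_4826(xml_text):
    """Return {Data Name: value} for a 4826 event, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=EVENT_NS) != "4826":
        return None
    return {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", EVENT_NS)}


def suspicious_bcd_flags(fields):
    """Rendered names of the watched flags whose value means Yes."""
    return [label for name, label in WATCHED_FIELDS.items()
            if fields.get(name, "").lower() in YES_VALUES]


def make_event(values):
    """Build a minimal constructed 4826 event (sample input, not a real log)."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in values.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>4826</EventID></System>'
            '<EventData>%s</EventData></Event>' % data)


BENIGN = make_event({"Description": "Windows 10", "DisableIntegrityChecks": "No",
                     "HypervisorDebugging": "No", "KernelDebugging": "No"})
TAMPERED = make_event({"Description": "Windows 10", "DisableIntegrityChecks": "Yes",
                       "HypervisorDebugging": "%%1843", "KernelDebugging": "%%1842"})

if __name__ == "__main__":
    for label, event in (("benign", BENIGN), ("tampered", TAMPERED)):
        hits = suspicious_bcd_flags(parse_4826(event) or {})
        print(label, "->", hits or "clean")
```

Because 4826 is only written at boot, a change made with bcdedit.exe shows up in this event at the next restart, so pair it with process-creation telemetry for bcdedit.exe and WMIC if you need earlier warning.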
References:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4826
