forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
delete_bootconf.py
45 lines (35 loc) · 1.68 KB
/
delete_bootconf.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
# Name: Boot Config Deletion With bcdedit
# RTA: delete_bootconf.py
# ATT&CK: T1107
# signal.rule.name: Modification of Boot Configuration
# Description: Uses bcdedit.exe to backup the current boot configuration, and then to delete the current boot
# configuration, finally restoring the original.
from pathlib import Path
from . import RtaMetadata, common
metadata = RtaMetadata(
uuid="eaf71384-2e38-4970-b170-9645ccde1d2b",
platforms=["windows"],
endpoint=[],
siem=[{"rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "rule_name": "Modification of Boot Configuration"}],
techniques=["T1490"],
)
@common.requires_os(*metadata.platforms)
def main():
# Messing with the boot configuration is probably not a great idea so create a backup:
common.log("Exporting the boot configuration....")
bcdedit = "bcdedit.exe"
backup_file = Path("boot.cfg").resolve()
common.execute(["bcdedit.exe", "/export", backup_file])
# WARNING: this is a destructive command which might be super bad to run
common.log("Changing boot configuration", log_type="!")
common.execute([bcdedit, "/set", "{current}", "bootstatuspolicy", "ignoreallfailures"])
common.execute([bcdedit, "/set", "{current}", "recoveryenabled", "no"])
# Restore the boot configuration
common.log("Restoring boot configuration from %s" % backup_file, log_type="-")
common.execute([bcdedit, "/import", backup_file])
if __name__ == "__main__":
exit(main())