CySecurity News – Latest Information Security and Hacking Incidents
The research by Binary Defense entails the various threat hunting techniques and detections for a regularly reported Ransomware-as-a-Service (RaaS) methodology. Using the built-in Windows programme bcdedit.exe (Boot Configuration Data Edit), threat actors have been spotted changing boot loader configurations to:
- Modify Boot Status Policies
- Disable Recovery Mode
- Enable Safe Mode
Threat actors (such as Snatch and REvil) may not need to utilise bcdedit to adjust boot loader configurations if they implement code that directly modifies the Windows registry keys that define such configurations, according to the hypothesis employed by Binary Defense to construct the hunting queries. Last year, the researcher am0nsec published a proof-of-concept code that showed how to do exactly this on Windows 10 PCs. Binary Defense wanted to make sure that they could detect such behaviour not only on Windows 7, 8.1, and 11 computers but also on systems where the necessary registry key is stored under a different Globally Unique Identifier (GUID).
The research builds on the work of Specter Ops researcher Michael Barclay, who published an in-depth blog about hunting for such activities on Windows 10 earlier this year. Below are the bcdedit.exe commands that attackers employ to change boot configuration. Other tools, such as the Windows System Configuration Utility (msconfig.exe)
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: