Query Details

Detect bcdedit Commands Related To Boot Configuration

Query

**Detect bcdedit commands related to boot configuration**

This KQL query is designed to detect adversaries' attempts to modify the boot configuration using bcdedit commands. Such changes are often used to disable recovery options or suppress error messages after encryption, helping ransomware persist stealthily across reboots.

```kql
DeviceProcessEvents
| where ProcessCommandLine startswith "bcdedit"
```

Explanation

This query searches the DeviceProcessEvents table for any process whose command line starts with "bcdedit". The bcdedit command is used to modify boot configuration settings on a Windows computer. By surfacing these executions, the query aims to detect attempts by attackers to change boot settings, which could be used to disable recovery options or hide error messages, particularly in the context of ransomware trying to remain hidden after a system restart.
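To show what the `startswith` predicate does and does not match, here is an added Python emulation of the query over constructed sample rows (this is not code from the original page; the image-name check and the recovery-related indicator terms used to rank hits are assumptions added here, not part of the published query):

```python
"""Emulate the page's KQL predicate over constructed DeviceProcessEvents rows.

All rows below are constructed sample data, not real telemetry.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    device: str
    file_name: str      # DeviceProcessEvents.FileName
    command_line: str   # DeviceProcessEvents.ProcessCommandLine


# Constructed sample telemetry (not from the original page).
EVENTS = [
    ProcessEvent("ws01", "bcdedit.exe", "bcdedit /enum"),
    ProcessEvent("ws02", "bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcessEvent("ws03", "bcdedit.exe",
                 r"C:\Windows\System32\bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ProcessEvent("ws04", "bcdeditor.exe", "bcdeditor.exe --help"),   # prefix collision
    ProcessEvent("ws05", "notepad.exe", r"notepad.exe C:\notes.txt"),
]


def kql_startswith(events):
    """Direct translation of the page's query: ProcessCommandLine startswith "bcdedit".
    KQL's startswith is case-insensitive, so compare lower-cased strings."""
    return [e.device for e in events if e.command_line.lower().startswith("bcdedit")]


# Assumed indicator terms for the "disable recovery / suppress errors" behaviour
# the page describes; they are not part of the original query.
RECOVERY_INDICATORS = ("recoveryenabled", "bootstatuspolicy")


def hardened_filter(events):
    """Match on the image name rather than the command-line prefix, so a
    full-path invocation is still caught and an unrelated 'bcdedit...' binary
    is not. Rank hits that touch recovery settings higher for triage."""
    hits = []
    for e in events:
        if e.file_name.lower() != "bcdedit.exe":
            continue
        cl = e.command_line.lower()
        severity = "high" if any(t in cl for t in RECOVERY_INDICATORS) else "low"
        hits.append((e.device, severity))
    return hits
```

Running both functions over `EVENTS` shows the prefix match missing the full-path row (ws03) and picking up the unrelated binary (ws04), which the image-name check avoids.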

Details


Sergio Albea

Released: July 2, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

startswith
