Skip to content

Enrich ATT&CK tags (T1654/T1652) and dedupe bcdedit safeboot logic#6091

Open
einlamye wants to merge 2 commits into
SigmaHQ:masterfrom
einlamye:sigma-pr2-attack-tag-enrichment-bcdedit
Open

Enrich ATT&CK tags (T1654/T1652) and dedupe bcdedit safeboot logic#6091
einlamye wants to merge 2 commits into
SigmaHQ:masterfrom
einlamye:sigma-pr2-attack-tag-enrichment-bcdedit

Conversation

@einlamye

Copy link
Copy Markdown
Contributor

Summary of the Pull Request

Small correctness/quality update to three process_creation rules:

  • Bcdedit MBR tampering: removed the false-positive-prone bare network keyword and moved the safeboot keyword out to a dedicated, higher-severity Safe Mode rule (added in a companion PR), and added a falsepositives entry.
  • EventLog Query and DriverQuery recon: added missing ATT&CK technique tags (T1654 Log Enumeration / attack.discovery, and T1652 Device Driver Discovery respectively).

Changelog

update: EventLog Query Requests By Builtin Utilities - add attack.discovery and T1654 tags
update: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE - remove FP-prone 'network' keyword, move 'safeboot' to dedicated rule, add falsepositives
update: Potential Recon Activity Using DriverQuery.EXE - add T1652 tag

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions Bot added Rules Review Needed The PR requires review Windows Pull request add/update windows related rules Threat-Hunting labels Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Review Needed The PR requires review Rules Threat-Hunting Windows Pull request add/update windows related rules

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant