Techniques
Sample rules
Windows BootLoader Inventory
- source: splunk
- techniques:
- T1542.001
- T1542
Description
This hunting query relies on a PowerShell scripted input that records the bootloader path(s) for each Windows endpoint it is deployed to. A template inputs.conf is linked in the references. By default the input captures only the path, but it can be modified to capture everything that BCDEdit reports; the output is verbose, but may be worth it. The search then summarizes the inventory per host, with the first and last time each host reported and every distinct raw event it produced, so a host whose bootloader path changes between collections stands out.
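The collection side described above, as an added example (this is not the scripted input shipped with the detection or its inputs.conf template): the script runs `bcdedit /enum all`, parses each BCD object into a record, and emits one key=value line per entry that carries a `path`, which Splunk's default KV extraction will turn into fields. It goes slightly beyond the page's default of "path only" by also emitting the entry's identifier, device and description, and a `known_path` verdict against a starting allowlist of paths Microsoft's own boot components normally use. The allowlist, the field names and the constructed sample BCD output are this example's own assumptions.

```powershell
# Added example; not the Splunk detection's own scripted input.
# Assumes bcdedit.exe is on PATH and the script runs elevated (the Splunk
# universal forwarder runs as LocalSystem by default, which satisfies this).

# Paths Microsoft's own boot components normally use. This is an assumed
# starting allowlist for this example, not an authoritative list; extend it
# for your images (e.g. custom recovery loaders) before trusting known_path.
$KnownBootPaths = @(
    '\EFI\Microsoft\Boot\bootmgfw.efi',
    '\bootmgr',
    '\Windows\system32\winload.efi',
    '\Windows\system32\winload.exe',
    '\Windows\system32\winresume.efi',
    '\Windows\system32\winresume.exe',
    '\EFI\Microsoft\Boot\memtest.efi',
    '\boot\memtest.exe'
)

function ConvertFrom-BcdOutput {
    # Turns the text of `bcdedit /enum all` into one object per BCD entry.
    # An entry starts at an "identifier" line, ends at a blank line, and
    # consists of "key<2+ spaces>value" lines; indented continuation lines
    # (e.g. a multi-entry displayorder) are appended to the previous key.
    # Section headers ("Windows Boot Loader") and their dashed underlines
    # appear outside any entry and are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)

    $entries = @()
    $current = $null
    $lastKey = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$') {
            if ($current) { $entries += $current; $current = $null }
            $lastKey = $null
            continue
        }
        if ($line -match '^identifier\s{2,}(.+)$') {
            if ($current) { $entries += $current }
            $current = [ordered]@{ identifier = $Matches[1].Trim() }
            $lastKey = 'identifier'
            continue
        }
        if (-not $current) { continue }
        if ($line -match '^(\S+)\s{2,}(.+)$') {
            $lastKey = $Matches[1]
            $current[$lastKey] = $Matches[2].Trim()
        } elseif ($lastKey -and $line -match '^\s{2,}(\S.*)$') {
            $current[$lastKey] += ' ' + $Matches[1].Trim()
        }
    }
    if ($current) { $entries += $current }
    foreach ($e in $entries) { [pscustomobject]$e }
}

function Get-BootloaderInventory {
    # Emits one key="value" event per BCD entry that has a path. Pass -BcdText
    # to parse captured output offline; omit it to run bcdedit live.
    param([string[]]$BcdText)
    if (-not $BcdText) {
        $BcdText = & bcdedit.exe /enum all 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "bcdedit failed (exit $LASTEXITCODE); the scripted input must run elevated."
        }
    }
    $computer = $env:COMPUTERNAME
    foreach ($e in ConvertFrom-BcdOutput -Lines $BcdText) {
        if (-not $e.PSObject.Properties['path']) { continue }
        $fields = [ordered]@{
            host        = $computer
            identifier  = $e.identifier
            description = $e.description
            device      = $e.device
            path        = $e.path
            known_path  = ($KnownBootPaths -contains $e.path)  # case-insensitive
        }
        # Escape embedded double quotes so Splunk's KV extraction keeps values intact.
        ($fields.GetEnumerator() | ForEach-Object {
            '{0}="{1}"' -f $_.Key, ([string]$_.Value -replace '"', '\"')
        }) -join ' '
    }
}

# Constructed sample in the layout bcdedit prints, so the parser can be run
# without elevation; replace with a live call for the real scripted input.
$SampleBcd = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
default                 {current}
displayorder            {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
osdevice                partition=C:
systemroot              \Windows
'@ -split "`r?`n"

Get-BootloaderInventory -BcdText $SampleBcd   # offline run on the sample
# Get-BootloaderInventory                     # live run, as the scripted input would
```

Run as a Splunk scripted input with `sourcetype = bootloader_inventory` (stanza path and interval as in the referenced template, which this example does not reproduce), each emitted line becomes an event the `bootloader_inventory` macro returns, and `known_path="False"` gives a quick pivot before reading the per-host `values(_raw)` list. Two caveats: bcdedit needs administrative rights, so a forwarder running as a low-privilege service account will produce no events rather than an error in Splunk, and on BIOS-booted hosts the expected paths are the `.exe`/`\bootmgr` variants, not the `\EFI\...` ones, so keep both families in the allowlist.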
Detection logic
`bootloader_inventory`
| stats count min(_time) as firstTime max(_time) as lastTime values(_raw) by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_bootloader_inventory_filter`