sigma | high | Hunting
Suspicious Reg Add BitLocker
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
Detection Query
selection:
    CommandLine|contains|all:
        - REG
        - ADD
        - \SOFTWARE\Policies\Microsoft\FVE
        - /v
        - /f
    CommandLine|contains:
        - EnableBDEWithNoTPM
        - UseAdvancedStartup
        - UseTPM
        - UseTPMKey
        - UseTPMKeyPIN
        - RecoveryKeyMessageSource
        - UseTPMPIN
        - RecoveryKeyMessage
condition: selection
Author
frack113
Created
2021-11-15
Data Sources
windows | Process Creation Events
Platforms
windows
Tags
attack.impact, attack.t1486
Raw Content
title: Suspicious Reg Add BitLocker
id: 0e0255bf-2548-47b8-9582-c0955c9283f5
status: test
description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
references:
    - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
author: frack113
date: 2021-11-15
modified: 2022-09-09
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'REG'
            - 'ADD'
            - '\SOFTWARE\Policies\Microsoft\FVE'
            - '/v'
            - '/f'
        CommandLine|contains:
            - 'EnableBDEWithNoTPM'
            - 'UseAdvancedStartup'
            - 'UseTPM'
            - 'UseTPMKey'
            - 'UseTPMKeyPIN'
            - 'RecoveryKeyMessageSource'
            - 'UseTPMPIN'
            - 'RecoveryKeyMessage'
    condition: selection
falsepositives:
    - Unlikely
level: high
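To show how the selection in the Detection Query and in the raw rule above behaves on real telemetry, here is an added Python re-implementation of its logic (not Sigma's own engine, and not part of the rule or this site): `contains|all` is an AND over every token, `contains` is an OR over the value names, and both match case-insensitively as Sigma string modifiers do by default. The command lines it is run over are constructed sample process-creation events.

```python
# Added example: minimal re-implementation of the rule's selection logic,
# evaluated against constructed process-creation CommandLine values.
# This is illustrative code, not Sigma's matching engine.

# contains|all -> every token must be present (logical AND)
CONTAINS_ALL = ["REG", "ADD", r"\SOFTWARE\Policies\Microsoft\FVE", "/v", "/f"]

# contains -> at least one token must be present (logical OR)
# Note: 'UseTPM' is a substring of 'UseTPMKey', 'UseTPMKeyPIN' and 'UseTPMPIN',
# so those entries are already covered by it; listing them is harmless.
CONTAINS_ANY = [
    "EnableBDEWithNoTPM", "UseAdvancedStartup", "UseTPM", "UseTPMKey",
    "UseTPMKeyPIN", "RecoveryKeyMessageSource", "UseTPMPIN", "RecoveryKeyMessage",
]


def matches(command_line: str) -> bool:
    """True when the CommandLine field satisfies the rule's selection.

    Sigma string modifiers are case-insensitive by default, so both the
    tokens and the event field are lower-cased before the substring checks.
    """
    cl = command_line.lower()
    all_ok = all(tok.lower() in cl for tok in CONTAINS_ALL)
    any_ok = any(tok.lower() in cl for tok in CONTAINS_ANY)
    return all_ok and any_ok


# Constructed sample events (only the CommandLine field is shown).
SAMPLE_EVENTS = [
    # BitLocker policy change of the kind the rule is written to flag.
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f',
    # Read-only query of the same key: lacks ADD, /v and /f, so no match.
    r'reg query "HKLM\SOFTWARE\Policies\Microsoft\FVE"',
    # reg add against an unrelated policy key: no FVE path, so no match.
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v LockScreenImage /t REG_SZ /d C:\lock.jpg /f',
    # Same key and flags but an FVE value name the rule does not list:
    # no match, which shows the rule's coverage is limited to the listed names.
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EncryptionMethod /t REG_DWORD /d 4 /f',
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event and return the command lines that fire the rule."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT (Suspicious Reg Add BitLocker):", hit)
```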