Adversaries may retrieve BitLocker keys to decrypt encrypted data and exfiltrate sensitive information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data breaches and unauthorized access to encrypted assets.
KQL Query

```kql
AuditLogs
| where OperationName =~ "Read BitLocker key"
| extend userPrincipalName = tolower(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))
| extend KeyId = tostring(TargetResources[0].displayName)
| extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| summarize keys_accessed=dcount(KeyId), ipAddresses=make_set(ipAddress) by userPrincipalName
| join kind=leftouter (SecurityAlert
    | where ProviderName =~ "IPC"
    | extend userPrincipalName = tolower(tostring(parse_json(ExtendedProperties).["User Account"]))
    | summarize user_alert_count=count() by userPrincipalName) on userPrincipalName
| project userPrincipalName, keys_accessed, ipAddresses, user_alert_count
```
```yaml
id: 8ea8b2af-f1ce-4464-964c-6763641cc4f6
name: BitLocker Key Retrieval
description: |
  'Looks for users retrieving BitLocker keys. Enriches these logs with a summary of alerts associated with the user accessing the keys.
  Use this query to start looking for anomalous patterns of key retrieval.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - CredentialAccess
relevantTechniques:
  - T1555
query: |
  AuditLogs
  | where OperationName =~ "Read BitLocker key"
  | extend userPrincipalName = tolower(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))
  | extend KeyId = tostring(TargetResources[0].displayName)
  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
  | summarize keys_accessed=dcount(KeyId), ipAddresses=make_set(ipAddress) by userPrincipalName
  | join kind=leftouter (SecurityAlert
      | where ProviderName =~ "IPC"
      | extend userPrincipalName = tolower(tostring(parse_json(ExtendedProperties).["User Account"]))
      | summarize user_alert_count=count() by userPrincipalName) on userPrincipalName
  | project userPrincipalName, keys_accessed, ipAddresses, user_alert_count
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: userPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ipAddress
```
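To see what the rule's KQL actually produces before it is deployed, the same logic is re-implemented below in Python over constructed AuditLogs and SecurityAlert rows. This is an added example, not the Sentinel rule's own code: the sample UPNs, key names, application name and IP addresses are made up, while the operation name, the `IPC` provider name and the column names are taken from the query above. Each stage of the KQL (case-insensitive `OperationName` match, lower-cased UPN, `dcount` of `KeyId`, `make_set` of source IPs, left-outer join with the IPC alert count) has a direct counterpart in the code.

```python
"""Offline walk-through of the "BitLocker Key Retrieval" hunting logic.

Added example, not part of the Sentinel rule: it re-implements each KQL
stage in Python over constructed sample rows, so the summarised result can
be inspected without a Log Analytics workspace.
"""
import json
from collections import defaultdict

# Constructed AuditLogs rows carrying only the columns the query touches.
# InitiatedBy.user is already a parsed object here, which is what the
# query's tostring()/parse_json() round trip yields in KQL.
SAMPLE_AUDIT_LOGS = [
    {"OperationName": "Read BitLocker key",
     "InitiatedBy": {"user": {"userPrincipalName": "Alice@Contoso.com", "ipAddress": "203.0.113.10"}},
     "TargetResources": [{"displayName": "key-0001"}]},
    {"OperationName": "Read BitLocker key",
     "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.com", "ipAddress": "198.51.100.7"}},
     "TargetResources": [{"displayName": "key-0002"}]},
    {"OperationName": "Read BitLocker key",          # same key read again: dcount stays at 2
     "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.com", "ipAddress": "203.0.113.10"}},
     "TargetResources": [{"displayName": "key-0001"}]},
    {"OperationName": "Read BitLocker key",
     "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.com", "ipAddress": "203.0.113.25"}},
     "TargetResources": [{"displayName": "key-0003"}]},
    {"OperationName": "Read BitLocker key",          # app-initiated read: no InitiatedBy.user
     "InitiatedBy": {"app": {"displayName": "Example Backup App"}},
     "TargetResources": [{"displayName": "key-0004"}]},
    {"OperationName": "Add member to group",         # unrelated operation, filtered out
     "InitiatedBy": {"user": {"userPrincipalName": "carol@contoso.com", "ipAddress": "203.0.113.30"}},
     "TargetResources": [{"displayName": "Finance"}]},
]

# Constructed SecurityAlert rows. ExtendedProperties is a JSON string in the
# real table, so it is stored that way here and parsed like parse_json().
SAMPLE_SECURITY_ALERTS = [
    {"ProviderName": "IPC", "ExtendedProperties": json.dumps({"User Account": "alice@contoso.com"})},
    {"ProviderName": "IPC", "ExtendedProperties": json.dumps({"User Account": "Alice@Contoso.com"})},
    {"ProviderName": "MDATP", "ExtendedProperties": json.dumps({"User Account": "bob@contoso.com"})},
]


def _kql_tostring(value):
    """KQL tostring(): null becomes the empty string, everything else str()."""
    return "" if value is None else str(value)


def summarize_key_reads(audit_logs):
    """The AuditLogs half of the query, up to and including the summarize."""
    key_ids = defaultdict(set)   # dcount(KeyId): size of the distinct set
    ip_sets = defaultdict(set)   # make_set(ipAddress): distinct values
    for row in audit_logs:
        if row["OperationName"].lower() != "read bitlocker key":  # =~ is case-insensitive
            continue
        user = row.get("InitiatedBy", {}).get("user") or {}
        # tolower(tostring(...userPrincipalName)): a missing user collapses to "".
        upn = _kql_tostring(user.get("userPrincipalName")).lower()
        key_ids[upn].add(_kql_tostring(row["TargetResources"][0]["displayName"]))
        ip_sets[upn].add(_kql_tostring(user.get("ipAddress")))
    return {upn: {"keys_accessed": len(key_ids[upn]), "ipAddresses": sorted(ip_sets[upn])}
            for upn in key_ids}


def summarize_ipc_alerts(alerts):
    """The SecurityAlert sub-query: IPC alerts per lower-cased user account."""
    counts = defaultdict(int)
    for alert in alerts:
        if alert["ProviderName"].lower() != "ipc":
            continue
        props = json.loads(alert["ExtendedProperties"])
        counts[_kql_tostring(props.get("User Account")).lower()] += 1
    return dict(counts)


def bitlocker_key_retrieval(audit_logs, alerts):
    """join kind=leftouter ... | project: every key-reading user is kept; a user
    with no IPC alert gets None where KQL would show an empty user_alert_count."""
    alert_counts = summarize_ipc_alerts(alerts)
    return [{"userPrincipalName": upn, **stats, "user_alert_count": alert_counts.get(upn)}
            for upn, stats in sorted(summarize_key_reads(audit_logs).items())]


if __name__ == "__main__":
    for result_row in bitlocker_key_retrieval(SAMPLE_AUDIT_LOGS, SAMPLE_SECURITY_ALERTS):
        print(result_row)
```

Two things the walk-through makes visible that the query text alone does not. First, reads initiated by an application rather than a user have no `InitiatedBy.user`, so they all land in a single row whose `userPrincipalName` is the empty string; when triaging, treat that row as "service-initiated reads" rather than as noise. Second, the rule's IP entity mapping points at a column named `ipAddress`, while the final `project` emits `ipAddresses` (a set), so the IP entity will not populate until the query is adjusted (for example by expanding the set back into one row per address before the `project`).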
| Sentinel Table | Notes |
|---|---|
| AuditLogs | Ensure this data connector is enabled |
| SecurityAlert | Ensure this data connector is enabled |
Scenario: System Administrator Retrieving BitLocker Keys for Recovery Purposes
Description: A system admin is accessing BitLocker keys as part of a recovery process for a locked drive.
Filter/Exclusion: Check for the presence of the recovery keyword in the access context or filter by user roles (e.g., admin, IT, security).
Scenario: Scheduled Job to Back Up BitLocker Keys
Description: A scheduled task or script is configured to periodically back up BitLocker keys to a secure location.
Filter/Exclusion: Filter by job names (e.g., BackupBitLockerKeys, KeyBackupJob) or check for scheduled task execution times.
Scenario: User Accessing BitLocker Keys via PowerShell for Troubleshooting
Description: A user is using PowerShell (e.g., manage-bde or Get-BitLockerKeyProtector) to troubleshoot a BitLocker-encrypted drive.
Filter/Exclusion: Filter by command-line tools (e.g., manage-bde, Get-BitLockerKeyProtector) or user roles (e.g., support, helpdesk).
Scenario: BitLocker Key Retrieval via Microsoft Intune or Azure AD for Device Management
Description: A device management tool like Microsoft Intune or Azure AD is retrieving BitLocker keys as part of device enrollment or policy enforcement.
Filter/Exclusion: Filter by service names (e.g., Intune, Azure AD, Microsoft Endpoint Manager) or check for device management-related activity.
Scenario: BitLocker Key Access for Forensic Investigation
Description: A forensic analyst is accessing BitLocker keys as part of an investigation into a security incident.
Filter/Exclusion: Filter by user roles (e.g., forensic, `