Adversaries may abuse BitLocker's built-in drive encryption to obscure malicious activity, enabling it by modifying registry settings from a .bat file and potentially masking their presence on the system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or persistence tactics that use BitLocker as cover.
KQL Query
```kusto
DeviceProcessEvents
| where FileName =~ "reg.exe"
// Search for BitLocker encryption being enabled without the TPM chip
and ProcessCommandLine has "EnableBDEWithNoTPM"
// contains is used because the value can be captured in variant forms: 1, 0x1
and (ProcessCommandLine has "true" or ProcessCommandLine contains "1")
// Search for this activity being launched by batch scripts, typically as: C:\Windows\[name].bat
| where InitiatingProcessCommandLine has_all (@"C:\Windows\", ".bat")
```
```yaml
id: 476c9326-c53d-495c-8a54-c304a43cb446
name: Suspicious Bitlocker Encryption
description: |
  Looks for potential instances of BitLocker modifying registry settings to allow encryption, where it's executed via a .bat file.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
query: |
  DeviceProcessEvents
  | where FileName =~ "reg.exe"
  // Search for BitLocker encryption being enabled without the TPM chip
  and ProcessCommandLine has "EnableBDEWithNoTPM"
  // contains is used because the value can be captured in variant forms: 1, 0x1
  and (ProcessCommandLine has "true" or ProcessCommandLine contains "1")
  // Search for this activity being launched by batch scripts, typically as: C:\Windows\[name].bat
  | where InitiatingProcessCommandLine has_all (@"C:\Windows\", ".bat")
```
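To check how the query's predicates behave before deploying it, the following added example (not part of the original rule or Sentinel's own code) re-implements its `=~`, `has`, `contains` and `has_all` logic in Python and runs it over a few constructed DeviceProcessEvents rows. The `has` term-boundary handling is an approximation of KQL semantics, and all sample rows are constructed, not real telemetry.

```python
import re

# Constructed sample DeviceProcessEvents rows (not real telemetry); only the
# columns the hunting query reads are included.
EVENTS = [
    {"FileName": "reg.exe",   # reg.exe enabling BDE without TPM from a C:\Windows\*.bat script
     "ProcessCommandLine": r"reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f",
     "InitiatingProcessCommandLine": r"cmd.exe /c C:\Windows\stage.bat"},
    {"FileName": "REG.EXE",   # same change, hex value and mixed case, still from a .bat under C:\Windows\
     "ProcessCommandLine": r"REG ADD HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 0x1 /f",
     "InitiatingProcessCommandLine": r"C:\Windows\system32\cmd.exe /c C:\Windows\Temp\run.bat"},
    {"FileName": "reg.exe",   # same registry change, but launched from PowerShell: outside the rule's scope
     "ProcessCommandLine": r"reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f",
     "InitiatingProcessCommandLine": r"powershell.exe -Command Enable-BitLocker -MountPoint C:"},
    {"FileName": "reg.exe",   # unrelated reg.exe use from a .bat file: no EnableBDEWithNoTPM
     "ProcessCommandLine": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s",
     "InitiatingProcessCommandLine": r"cmd.exe /c C:\Windows\inventory1.bat"},
]

def kql_has(text, term):
    """Approximate KQL 'has': case-insensitive match of the term on alphanumeric
    term boundaries (a term that starts or ends with punctuation needs no boundary there)."""
    pat = re.escape(term)
    if term[0].isalnum():
        pat = r"(?<![A-Za-z0-9])" + pat
    if term[-1].isalnum():
        pat = pat + r"(?![A-Za-z0-9])"
    return re.search(pat, text, re.IGNORECASE) is not None

def kql_contains(text, sub):
    """KQL 'contains': case-insensitive substring match."""
    return sub.lower() in text.lower()

def matches_rule(ev):
    """Apply the hunting query's where-clauses to one DeviceProcessEvents row."""
    cmd, parent = ev["ProcessCommandLine"], ev["InitiatingProcessCommandLine"]
    return (ev["FileName"].lower() == "reg.exe"                       # FileName =~ "reg.exe"
            and kql_has(cmd, "EnableBDEWithNoTPM")
            and (kql_has(cmd, "true") or kql_contains(cmd, "1"))      # value 1 / 0x1 / true
            and all(kql_has(parent, t) for t in ("C:\\Windows\\", ".bat")))  # has_all

def hunt(events):
    """Return the indices of rows the rule would surface."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]

if __name__ == "__main__":
    print("matching rows:", hunt(EVENTS))   # [0, 1]
```

Note that `contains "1"` matches any digit 1 in the command line, so the EnableBDEWithNoTPM and .bat predicates are what carry the rule's precision; review hits against the false-positive scenarios listed below before escalating.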
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| BitLocker Drive Encryption Setup via Group Policy | An administrator configures BitLocker through Group Policy, which may trigger registry changes associated with BitLocker encryption. | Check for the presence of gpedit.msc or Group Policy related processes, or filter by registry keys under HKLM\SOFTWARE\Policies\Microsoft\FVE. |
| Scheduled BitLocker Encryption Job | A legitimate scheduled task runs a script to encrypt a drive using BitLocker, which may match the detection logic. | Filter by the Task Scheduler process (schtasks.exe) or check for the presence of BitLocker in the command line or script name. |
| BitLocker Management via PowerShell | An admin uses PowerShell to manage BitLocker settings, which may involve registry modifications. | Filter by powershell.exe with the -Command parameter and check for BitLocker or Manage-BitLocker in the command line. |
| System Maintenance Task (e.g., Disk Cleanup) | A system maintenance task or disk cleanup utility may inadvertently modify registry keys that BitLocker checks. | Filter by cleanmgr.exe or diskcleanup.exe and exclude registry modifications to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitLocker. |
| Third-Party BitLocker Management Tool | A third-party tool used for BitLocker management (e.g., Microsoft Endpoint Manager) may trigger registry changes during configuration. | Check for known third-party tools or filter by process names such as Microsoft Intune or Configuration Manager (ccmexec.exe). |