From 4de4fdff033cea98973068fe32af607e9e4e6f50 Mon Sep 17 00:00:00 2001
From: ali AtashGar
Date: Sun, 23 Nov 2025 16:44:30 +0000
Subject: [PATCH 01/12] detection(experimental): Lateral Movement via BitLocker COM Hijacking(T1546.015)
---
 ...l_movement_via_bitlocker_com_hijacking.yml | 126 ++++++++++++++++++
 ...ent_via_bitlocker_com_hijacking_filter.yml | 3 +
 ...tlocker_com_hijacking_lateral_movement.yml | 32 +++++
 3 files changed, 161 insertions(+)
 create mode 100644 detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
 create mode 100644 macros/lateral_movement_via_bitlocker_com_hijacking_filter.yml
 create mode 100644 stories/bitlocker_com_hijacking_lateral_movement.yml
diff --git a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
new file mode 100644
index 0000000000..bceeff69cf
--- /dev/null
+++ b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
@@ -0,0 +1,126 @@
+---
+name: Lateral Movement via BitLocker COM Hijacking
+id: 990d5907-c022-4358-9ada-f6e5e69514e8
+version: 1
+date: '2025-09-28'
+author: AAtashGAr
+status: experimental
+description: |-
+ This detection identifies potential lateral movement activities
+ using BitLocker COM hijacking techniques. It monitors for changes
+ to the Remote Registry service, new registry values in CLSID paths,
+ handle operations on CLSIDs, and executions of specific processes like
+ baaupdate.exe and BdeUISrv.exe. These events are correlated by host to
+ detect sequences indicative of this attack vector.
+type: Correlation
+references:
+ - https://medium.com/@seripallychetan/bitlocker-com-hijack-a-new-frontier-in-lateral-movement-tactics-ac5039b18dc6
+ - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
+search: |
+ (`wineventlog_security`) OR (`wineventlog_system`) \
+ EventCode IN (7040, 4657, 4663, 4688)
+ [ search `wineventlog_system` EventCode=7040 service="Remote Registry"
+ | fields ComputerName
+ | dedup ComputerName
+ ]
+ | where
+ (EventCode=7040 AND service="Remote Registry") OR
+ (EventCode=4657 AND Operation_Type="New registry value created"
+ AND Object_Name LIKE "%CLSID%") OR
+ (EventCode=4663 AND Object_Name LIKE "%CLSID%") OR
+ (EventCode=4688 AND (
+ (process_name="baaupdate.exe" AND parent_process_name="explorer.exe") OR
+ (process_name="BdeUISrv.exe" AND parent_process_name="svchost.exe")
+ ))
+ | eval srvchngstsTime=if(EventCode=7040, _time, null)
+ | eval regvlsetTime=if(EventCode=4657, _time, null)
+ | eval reghandleTime=if(EventCode=4663, _time, null)
+ | eval procexecTime=if(EventCode=4688, _time, null)
+ | eval ServiceMessage=if(EventCode=7040, Message, null)
+ | eval ProcessName_4663=if(EventCode=4663, process, null)
+ | eval CLSID_Path=if(EventCode IN (4657, 4663), Object_Name, null)
+ | stats
+ values(srvchngstsTime) AS srvchngstsTime
+ values(regvlsetTime) AS regvlsetTime
+ values(reghandleTime) AS reghandleTime
+ values(procexecTime) AS procexecTime
+ values(ServiceMessage) AS ServiceMessage
+ values(CLSID_Path) AS CLSID_Path
+ values(New_Value_Type) AS New_Value_Type
+ values(New_Value) AS New_Value
+ values(Access_Mask) AS AccessMask
+ values(ProcessName_4663) AS ProcessName_4663
+ values(parent_process_id) AS parent_process_id
+ values(parent_process_name) AS parent_process_name
+ values(process_id) AS process_id
+ values(process_name) AS process_name
+ values(TimeDiff1) AS TimeDiff_Service_to_Registry
+ values(TimeDiff2) AS TimeDiff_Registry_to_Handle
+ values(TimeDiff3) AS TimeDiff_Handle_to_Process
+ count(eval(EventCode=7040)) AS SrvEvts
+ count(eval(EventCode=4657)) AS RegEvts
+ count(eval(EventCode=4663)) AS HdlEvts
+ count(eval(EventCode=4688)) AS ProcEvts
+ by ComputerName
+ | where SrvEvts>0 AND RegEvts>0 AND HdlEvts>0 AND ProcEvts>0
+ | where isnotnull(CLSID_Path)
+ | eval srvchngstsTime=strftime(srvchngstsTime, "%Y-%m-%d %H:%M:%S")
+ | eval regvlsetTime=strftime(regvlsetTime, "%Y-%m-%d %H:%M:%S")
+ | eval reghandleTime=strftime(reghandleTime, "%Y-%m-%d %H:%M:%S")
+ | eval procexecTime=strftime(procexecTime, "%Y-%m-%d %H:%M:%S")
+ | table
+ ComputerName
+ srvchngstsTime
+ ServiceMessage
+ regvlsetTime
+ CLSID_Path
+ New_Value_Type
+ New_Value
+ reghandleTime
+ ProcessName_4663
+ AccessMask
+ procexecTime
+ parent_process_id
+ parent_process_name
+ process_id
+ process_name
+ | rename
+ ComputerName AS "Host"
+ CLSID_Path AS "CLSID Path"
+ srvchngstsTime AS "Service Change Time"
+ ServiceMessage AS "Service Message"
+ regvlsetTime AS "Registry Change Time"
+ New_Value_Type AS "Registry Value Type"
+ New_Value AS "Registry Value"
+ reghandleTime AS "Handle Creation Time"
+ AccessMask AS "Access Mask"
+ ProcessName_4663 AS "Process Accessing Registry"
+ procexecTime AS "Process Execution Time"
+ parent_process_name AS "Parent Process"
+ process_name AS "Process Name"
+ parent_process_id AS "Parent Process ID"
+ process_id AS "Process ID"
+ | sort - "Service Change Time"
+ | `lateral_movement_via_bitlocker_com_hijacking_filter`
+how_to_implement: |-
+ Ensure Windows Event Logs are being ingested into Splunk,
+ particularly from the Security channel (wineventlog).
+ This detection requires fields like EventCode, ComputerName,
+ service, Operation_Type, Object_Name, process_name, parent_process_name,
+ Message, process, New_Value_Type, New_Value, Access_Mask, parent_process_id,
+ and process_id. Use Sysmon or Endpoint data models for enhanced coverage.
+known_false_positives: |-
+ Legitimate administrative activities may trigger this detection,
+ such as software installations or system configurations involving
+ Remote Registry and BitLocker components. Tune based on environment.
+tags:
+ analytic_story:
+ - Active Directory Lateral Movement
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1546.015
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
diff --git a/macros/lateral_movement_via_bitlocker_com_hijacking_filter.yml b/macros/lateral_movement_via_bitlocker_com_hijacking_filter.yml
new file mode 100644
index 0000000000..f401674559
--- /dev/null
+++ b/macros/lateral_movement_via_bitlocker_com_hijacking_filter.yml
@@ -0,0 +1,3 @@
+name: lateral_movement_via_bitlocker_com_hijacking_filter
+definition: search *
+description: Filter macro for Lateral Movement via BitLocker COM Hijacking detection
diff --git a/stories/bitlocker_com_hijacking_lateral_movement.yml b/stories/bitlocker_com_hijacking_lateral_movement.yml
new file mode 100644
index 0000000000..97e55816a7
--- /dev/null
+++ b/stories/bitlocker_com_hijacking_lateral_movement.yml
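Review bot: `values(TimeDiff1) AS TimeDiff_Service_to_Registry`, `values(TimeDiff2) AS TimeDiff_Registry_to_Handle` and `values(TimeDiff3) AS TimeDiff_Handle_to_Process` in the `stats` clause read fields that no preceding `eval` defines, so those three columns are always empty; either compute them from srvchngstsTime/regvlsetTime/reghandleTime/procexecTime before the `stats` or drop the three lines. The `Object_Name LIKE "%CLSID%"` conditions on 4657 and 4663 accept any CLSID key rather than the Network Unlock CLSID the accompanying story names, which widens the correlation well beyond the detection title and is the most likely source of the administrative false positives listed under known_false_positives. The leading `[ search ... | fields ComputerName | dedup ComputerName ]` subsearch only restricts to hosts that logged a 7040, which `SrvEvts>0` already enforces after the `stats`, so it can be removed along with the subsearch result limit it introduces.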
@@ -0,0 +1,32 @@
+---
+# Analytic Story: BitLocker COM Hijacking Lateral Movement
+name: BitLocker COM Hijacking Lateral Movement
+id: 9d1f4a2b-6e3c-4f7d-8a9b-1c5e7f8d3e4f
+version: 1
+date: '2025-11-23'
+author: Ali Atashgar (AAtashGar)
+status: production
+description: |
+ Detection content for the 2025 BitLocker COM hijacking lateral
+ movement technique using HKCU registry manipulation
+ of Network Unlock COM object.
+narrative: |
+ In August 2025, a novel lateral movement technique was published that abuses
+ the BitLocker Network Unlock COM object
+ (CLSID {A7A63E5C-3877-4840-8727-C1EA9D7A4D50}).
+ Attackers enable RemoteRegistry,write a malicious DLL path to InprocServer32
+ under HKCU\Software\Classes\CLSID for logged-on users, and trigger execution
+ via baaupdate.exe (from explorer.exe) or BdeUISrv.exe (from svchost.exe).
+ This analytic story provides detection for this advanced persistence and
+ lateral movement technique.
+references:
+ - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
+ - https://github.com/rtecCyberSec/BitlockMove
+tags:
+ category:
+ - Adversary Tactics
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
From 1439e50c0c991e5a9ae30faef6e6d9be1648221a Mon Sep 17 00:00:00 2001
From: ali AtashGar
Date: Tue, 25 Nov 2025 22:50:39 +0000
Subject: [PATCH 02/12] Rule status changed from experimental to Production.
---
 .../lateral_movement_via_bitlocker_com_hijacking.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
index bceeff69cf..9b32aef50d 100644
--- a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
+++ b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
@@ -3,8 +3,8 @@ name: Lateral Movement via BitLocker COM Hijacking
 id: 990d5907-c022-4358-9ada-f6e5e69514e8
 version: 1
 date: '2025-09-28'
-author: AAtashGAr
-status: experimental
+author: AAtashGar
+status: Production
 description: |-
 This detection identifies potential lateral movement activities
 using BitLocker COM hijacking techniques. It monitors for changes
@@ -115,7 +115,7 @@ known_false_positives: |-
 Remote Registry and BitLocker components. Tune based on environment.
 tags:
 analytic_story:
- - Active Directory Lateral Movement
+ - BitLocker COM Hijacking Lateral Movement
 asset_type: Endpoint
 mitre_attack_id:
 - T1546.015
From 95bbfa440629bb438dd9209ca927251c7146729d Mon Sep 17 00:00:00 2001
From: Ali AtashGar
Date: Sun, 28 Dec 2025 00:52:53 +0330
Subject: [PATCH 03/12] Update lateral_movement_via_bitlocker_com_hijacking.yml and fix status
---
 .../endpoint/lateral_movement_via_bitlocker_com_hijacking.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
index 9b32aef50d..5cc1116216 100644
--- a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
+++ b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
@@ -4,7 +4,7 @@ id: 990d5907-c022-4358-9ada-f6e5e69514e8
 version: 1
 date: '2025-09-28'
 author: AAtashGar
-status: Production
+status: production
 description: |-
 This detection identifies potential lateral movement activities
 using BitLocker COM hijacking techniques. It monitors for changes
From 3fdda4e70bd9938fda8bf295a0e385d0ae76a897 Mon Sep 17 00:00:00 2001
From: Ali AtashGar
Date: Sat, 3 Jan 2026 22:17:20 +0330
Subject: [PATCH 04/12] 2 drilldown_searches added
---
 ...ateral_movement_via_bitlocker_com_hijacking.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
index 5cc1116216..e2117947c0 100644
--- a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
+++ b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
@@ -113,6 +113,20 @@ known_false_positives: |-
 Legitimate administrative activities may trigger this detection,
 such as software installations or system configurations involving
 Remote Registry and BitLocker components. Tune based on environment.
+drilldown_searches:
+- name: View the detection results for - "$Host$"
+ search: '%original_detection_search% | search Host = "$Host$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$Host$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$Host$"
+ starthoursago=168 | stats count min(_time) as firstTime max(_time)
+ as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+ Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+ as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+ by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
 tags:
 analytic_story:
 - BitLocker COM Hijacking Lateral Movement
From c75c51052d0cdab0f03b12fbe003ea69d5319668 Mon Sep 17 00:00:00 2001
From: Ali AtashGar
Date: Mon, 26 Jan 2026 13:23:43 +0330
Subject: [PATCH 05/12] Delete macro filter file
---
 macros/lateral_movement_via_bitlocker_com_hijacking_filter.yml | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 macros/lateral_movement_via_bitlocker_com_hijacking_filter.yml
diff --git a/macros/lateral_movement_via_bitlocker_com_hijacking_filter.yml b/macros/lateral_movement_via_bitlocker_com_hijacking_filter.yml
deleted file mode 100644
index f401674559..0000000000
--- a/macros/lateral_movement_via_bitlocker_com_hijacking_filter.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-name: lateral_movement_via_bitlocker_com_hijacking_filter
-definition: search *
-description: Filter macro for Lateral Movement via BitLocker COM Hijacking detection
From f6ffe69a086bdffbdec171da4d552f1bf933594e Mon Sep 17 00:00:00 2001
From: Ali AtashGar
Date: Mon, 26 Jan 2026 13:27:08 +0330
Subject: [PATCH 06/12] Modify author and type in lateral movement detection
---
 .../lateral_movement_via_bitlocker_com_hijacking.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
index e2117947c0..b8ff4c848c 100644
--- a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
+++ b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
@@ -1,9 +1,8 @@
----
 name: Lateral Movement via BitLocker COM Hijacking
 id: 990d5907-c022-4358-9ada-f6e5e69514e8
 version: 1
 date: '2025-09-28'
-author: AAtashGar
+author: Ali Atashgar (AAtashGar), Github Community
 status: production
 description: |-
 This detection identifies potential lateral movement activities
@@ -12,7 +11,7 @@ description: |-
 handle operations on CLSIDs, and executions of specific processes like
 baaupdate.exe and BdeUISrv.exe. These events are correlated by host to
 detect sequences indicative of this attack vector.
-type: Correlation
+type: TTP
 references:
 - https://medium.com/@seripallychetan/bitlocker-com-hijack-a-new-frontier-in-lateral-movement-tactics-ac5039b18dc6
 - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
From 522c9f19725052fb8d997e84669bde60480dfb9a Mon Sep 17 00:00:00 2001
From: Ali AtashGar
Date: Mon, 26 Jan 2026 13:37:02 +0330
Subject: [PATCH 07/12] Enhance BitLocker COM Hijacking detection story
Expanded the analytic story to provide detailed detection strategies for BitLocker COM hijacking lateral movement, including MITRE ATT&CK mappings and recommendations for monitoring and prevention.
---
 ...tlocker_com_hijacking_lateral_movement.yml | 39 ++++++++++++++++---
 1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/stories/bitlocker_com_hijacking_lateral_movement.yml b/stories/bitlocker_com_hijacking_lateral_movement.yml
index 97e55816a7..9164a18f77 100644
--- a/stories/bitlocker_com_hijacking_lateral_movement.yml
+++ b/stories/bitlocker_com_hijacking_lateral_movement.yml
@@ -1,15 +1,42 @@
----
-# Analytic Story: BitLocker COM Hijacking Lateral Movement
 name: BitLocker COM Hijacking Lateral Movement
 id: 9d1f4a2b-6e3c-4f7d-8a9b-1c5e7f8d3e4f
 version: 1
 date: '2025-11-23'
-author: Ali Atashgar (AAtashGar)
+author: Ali Atashgar (AAtashGar), Github Community
 status: production
 description: |
- Detection content for the 2025 BitLocker COM hijacking lateral
- movement technique using HKCU registry manipulation
- of Network Unlock COM object.
+ This Analytic Story focuses on detecting lateral movement via exploitation of BitLocker COM Hijacking
+ (MITRE ATT&CK Technique **T1546.015** – Event Triggered Execution: Component Object Model Hijacking)
+ a technique observed in 2025 campaigns. Attackers modify registry values under HKCU associated with
+ a specific BitLocker-related CLSID (`{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}`)
+ hijacking legitimate BitLocker processes such as `baaupdate.exe` or `BdeUISrv.exe`.
+ This allows malicious code to execute in the context of a high-privilege system process
+ facilitating lateral movement across Windows environments—especially
+ after gaining initial access to an endpoint.
+
+ The detection correlates the following suspicious behaviors on the same host:
+ - Registry handle operations (e.g., SetInformation,
+ CreateFile) targeting the hijacked CLSID key in HKCU
+ - Subsequent execution of BitLocker-related binaries (baaupdate.exe, BdeUISrv.exe)
+ shortly after the registry modification
+ - Anomalous child processes or unusual command-line arguments
+ spawned from these legitimate processes
+
+ Monitoring these patterns can serve as an early indicator of COM hijacking
+ attempts for lateral movement
+ particularly in environments where BitLocker is enabled or attackers already
+ have foothold access.
+
+ MITRE ATT&CK Mappings:
+ - T1546.015: Event Triggered Execution: Component Object Model Hijacking
+ - TA0008: Lateral Movement
+
+ Recommendations:
+ - Enable continuous monitoring of sensitive CLSID registry modifications
+ (especially under HKCU\Software\Classes\CLSID)
+ - Combine with EDR telemetry to detect anomalous process execution chains
+ involving BitLocker components
+ - Consider restricting write access to relevant registry paths where feasible
 narrative: |
 In August 2025, a novel lateral movement technique was published that abuses
 the BitLocker Network Unlock COM object
From d53026d3a2ef2616239d2d378f79796e2c13390d Mon Sep 17 00:00:00 2001
From: Ali AtashGar
Date: Mon, 2 Feb 2026 18:04:08 +0330
Subject: [PATCH 08/12] Refactor lateral movement detection for BitLocker COM hijacking
6 items that needed correction were reviewed and corrected.
---
 ...l_movement_via_bitlocker_com_hijacking.yml | 169 +++++++++---------
 1 file changed, 84 insertions(+), 85 deletions(-)
diff --git a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
index b8ff4c848c..10833a3d9a 100644
--- a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
+++ b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
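Review bot: The new description states that the detection correlates `Anomalous child processes or unusual command-line arguments spawned from these legitimate processes`, but the detection this story maps to (lateral_movement_via_bitlocker_com_hijacking.yml, as it stands earlier in this series) only matches 4688 events on two fixed process/parent pairs and never inspects command lines or children of baaupdate.exe/BdeUISrv.exe. Either drop that bullet or move it under `Recommendations:` so analysts do not assume coverage that the search does not provide. The `(e.g., SetInformation, CreateFile)` examples likewise do not correspond to any access-type filter in the search, which only requires a 4663 on the CLSID key; I would reword that bullet to `Registry handle access (EventCode 4663) on the hijacked CLSID key in HKCU`. The markdown emphasis (`**T1546.015**`) inside the YAML description may be rendered literally by the content tooling — confirm it renders as intended.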
@@ -17,97 +17,86 @@ references:
 - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
 search: |
 (`wineventlog_security`) OR (`wineventlog_system`) \
- EventCode IN (7040, 4657, 4663, 4688)
- [ search `wineventlog_system` EventCode=7040 service="Remote Registry"
- | fields ComputerName
- | dedup ComputerName
- ]
- | where
- (EventCode=7040 AND service="Remote Registry") OR
- (EventCode=4657 AND Operation_Type="New registry value created"
- AND Object_Name LIKE "%CLSID%") OR
- (EventCode=4663 AND Object_Name LIKE "%CLSID%") OR
- (EventCode=4688 AND (
- (process_name="baaupdate.exe" AND parent_process_name="explorer.exe") OR
- (process_name="BdeUISrv.exe" AND parent_process_name="svchost.exe")
- ))
- | eval srvchngstsTime=if(EventCode=7040, _time, null)
- | eval regvlsetTime=if(EventCode=4657, _time, null)
- | eval reghandleTime=if(EventCode=4663, _time, null)
- | eval procexecTime=if(EventCode=4688, _time, null)
- | eval ServiceMessage=if(EventCode=7040, Message, null)
- | eval ProcessName_4663=if(EventCode=4663, process, null)
- | eval CLSID_Path=if(EventCode IN (4657, 4663), Object_Name, null)
+ ((EventCode=7040 AND Service_Name="Remote Registry" AND Message="The start type of the Remote Registry service was changed*") \
+ OR (EventCode=4657 AND OperationType="New registry value created" AND ObjectName="*A7A63E5C-3877-4840-8727-C1EA9D7A4D50*") \
+ OR (EventCode=4663 AND ObjectName="*A7A63E5C-3877-4840-8727-C1EA9D7A4D50*") \
+ OR (EventCode=4688 AND ((NewProcessName="baaupdate.exe" AND ParentProcessName="explorer.exe") \
+ OR (NewProcessName="BdeUISrv.exe" AND ParentProcessName="svchost.exe"))))
+
+ | eval Service_Change_Time=if(EventCode=7040, _time, null)
+ | eval Registry_Change_Time=if(EventCode=4657, _time, null)
+ | eval Handle_Creation_Time=if(EventCode=4663, _time, null)
+ | eval Process_Execution_Time=if(EventCode=4688, _time, null)
+ | eval Service_Message=if(EventCode=7040, Message, null)
+ | eval Process_Accessing_Registry=if(EventCode=4663, ProcessName, null)
+ | bin _time span=10m
 | stats
- values(srvchngstsTime) AS srvchngstsTime
- values(regvlsetTime) AS regvlsetTime
- values(reghandleTime) AS reghandleTime
- values(procexecTime) AS procexecTime
- values(ServiceMessage) AS ServiceMessage
- values(CLSID_Path) AS CLSID_Path
- values(New_Value_Type) AS New_Value_Type
- values(New_Value) AS New_Value
- values(Access_Mask) AS AccessMask
- values(ProcessName_4663) AS ProcessName_4663
- values(parent_process_id) AS parent_process_id
- values(parent_process_name) AS parent_process_name
- values(process_id) AS process_id
- values(process_name) AS process_name
- values(TimeDiff1) AS TimeDiff_Service_to_Registry
- values(TimeDiff2) AS TimeDiff_Registry_to_Handle
- values(TimeDiff3) AS TimeDiff_Handle_to_Process
+ values(Service_Change_Time) AS Service_Change_Time
+ values(Service_Message) AS Service_Message
+ values(Registry_Change_Time) AS Registry_Change_Time
+ values(ObjectName) AS CLSID_PATH
+ values(NewValue) AS Registry_value
+ values(NewValueType) AS Registry_Value_Type
+ values(Handle_Creation_Time) AS Handle_Creation_Time
+ values(Process_Accessing_Registry) AS Process_Accessing_Registry
+ values(Process_Execution_Time) AS Process_Execution_Time
+ values(ProcessId) AS ParentProcessId
+ values(ParentProcessName) AS ParentProcessName
+ values(NewProcessId) AS NewProcessId
+ values(NewProcessName) AS NewProcessName
 count(eval(EventCode=7040)) AS SrvEvts
 count(eval(EventCode=4657)) AS RegEvts
 count(eval(EventCode=4663)) AS HdlEvts
 count(eval(EventCode=4688)) AS ProcEvts
- by ComputerName
+ by Computer
 | where SrvEvts>0 AND RegEvts>0 AND HdlEvts>0 AND ProcEvts>0
- | where isnotnull(CLSID_Path)
- | eval srvchngstsTime=strftime(srvchngstsTime, "%Y-%m-%d %H:%M:%S")
- | eval regvlsetTime=strftime(regvlsetTime, "%Y-%m-%d %H:%M:%S")
- | eval reghandleTime=strftime(reghandleTime, "%Y-%m-%d %H:%M:%S")
- | eval procexecTime=strftime(procexecTime, "%Y-%m-%d %H:%M:%S")
- | table
- ComputerName
- srvchngstsTime
- ServiceMessage
- regvlsetTime
- CLSID_Path
- New_Value_Type
- New_Value
- reghandleTime
- ProcessName_4663
- AccessMask
- procexecTime
- parent_process_id
- parent_process_name
- process_id
- process_name
- | rename
- ComputerName AS "Host"
- CLSID_Path AS "CLSID Path"
- srvchngstsTime AS "Service Change Time"
- ServiceMessage AS "Service Message"
- regvlsetTime AS "Registry Change Time"
- New_Value_Type AS "Registry Value Type"
- New_Value AS "Registry Value"
- reghandleTime AS "Handle Creation Time"
- AccessMask AS "Access Mask"
- ProcessName_4663 AS "Process Accessing Registry"
- procexecTime AS "Process Execution Time"
- parent_process_name AS "Parent Process"
- process_name AS "Process Name"
- parent_process_id AS "Parent Process ID"
- process_id AS "Process ID"
- | sort - "Service Change Time"
+ | eval Service_Change_Time=strftime(Service_Change_Time, "%Y-%m-%d %H:%M:%S")
+ | eval Registry_Change_Time=strftime(Registry_Change_Time, "%Y-%m-%d %H:%M:%S")
+ | eval Handle_Creation_Time=strftime(Handle_Creation_Time, "%Y-%m-%d %H:%M:%S")
+ | eval Process_Execution_Time=strftime(Process_Execution_Time, "%Y-%m-%d %H:%M:%S")
+ | sort - Service_Change_Time
 | `lateral_movement_via_bitlocker_com_hijacking_filter`
 how_to_implement: |-
- Ensure Windows Event Logs are being ingested into Splunk,
- particularly from the Security channel (wineventlog).
- This detection requires fields like EventCode, ComputerName,
- service, Operation_Type, Object_Name, process_name, parent_process_name,
- Message, process, New_Value_Type, New_Value, Access_Mask, parent_process_id,
- and process_id. Use Sysmon or Endpoint data models for enhanced coverage.
+ Ensure Windows Event Logs are being ingested into Splunk, particularly from the Security channel (wineventlog),
+ and System channel (for EventCode 7040).This detection requires fields like EventCode, ComputerName, Service_Name,
+ OperationType, ObjectName, NewProcessName, ParentProcessName, Message, ProcessName, NewValue, NewValueType, ProcessId,
+ ParentProcessId, and count values from stats.Use Sysmon or Endpoint data models for enhanced coverage.
+ For Event IDs 4657 and 4663 (registry modifications and access attempts),
+ auditing must be enabled as these events are not logged by default.
+ Follow these steps to configure auditing
+ 1. **Enable Object Access Auditing in Group Policy or Local Security Policy:**
+ - Open Local Security Policy (secpol.msc) or Group Policy Editor (gpedit.msc).
+ - Navigate to Computer Configuration > Windows Settings > Security Settings >
+ Advanced Audit Policy Configuration > Audit Policies > Object Access.
+ - Enable "Audit Registry" for Success and Failure (or specifically "Audit Handle Manipulation"
+ and "Audit Kernel Object" if needed for finer control).
+ 2. **Set System Access Control List (SACL) on the specific registry key:**
+ - Open Registry Editor (regedit.exe) as Administrator.
+ - Navigate to the target key: HKCU\Software\Classes\CLSID\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}
+ (or the relevant subkeys where changes are expected).
+ - Right-click the key > Permissions > Advanced > Auditing tab.
+ - Click "Add" > Select Principal (e.g., "Everyone" or a specific user/group for broader monitoring).
+ - Set Type to "Success" and "Failure".
+ - Check permissions to audit, such as "Set Value", "Create Subkey", "Delete", "Query Value", "Enumerate Subkeys",
+ and "Write DAC" (adjust based on the attack vector; at minimum, include "Set Value" for 4657 and access operations for 4663).
+ - Apply the changes. This SACL must be set on the exact keys/values to generate events 4657 (for value modifications) and 4663
+ (for handle access).
+ **Important Note on HKCU:**
+ Since this registry path is located under **HKEY_CURRENT_USER (HKCU)**,
+ the SACL is user-specific and applies only to the currently logged-on user profile.
+ To ensure comprehensive coverage on multi-user systems
+ (e.g., Terminal Servers, Remote Desktop Session Hosts, or shared workstations),
+ this SACL configuration must be applied **for each user profile** that needs to be monitored.
+ - One common approach is to log in as each relevant user
+ (or use a script/tool like PowerShell with scheduled tasks or logon scripts) to set the SACL in their HKCU hive.
+ - For domain environments, consider using Group Policy Preferences
+ (Registry) or logon scripts to automate applying these auditing settings per user.
+ - If monitoring all users is impractical, prioritize high-risk or privileged accounts.
+ Note SACLs are object-specific and do not propagate unless inheritance is enabled.
+ For domain-wide deployment, use Group Policy to apply these settings where possible.
+ Test the configuration by simulating registry changes (as the target user) to verify events are generated in the Security log.
+ For EventCode 7040 (service changes), ensure "Audit System Events" is enabled under Audit Policies > System Audit Policies > System.
+ Without these auditing configurations, the detection will not trigger for registry-related events.
 known_false_positives: |-
 Legitimate administrative activities may trigger this detection,
 such as software installations or system configurations involving
@@ -127,8 +116,6 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 tags:
- analytic_story:
- - BitLocker COM Hijacking Lateral Movement
 asset_type: Endpoint
 mitre_attack_id:
 - T1546.015
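Review bot: `| bin _time span=10m` has no effect, because the following `stats ... by Computer` does not include `_time` in its `by` clause, so the four event types are still correlated across the whole search window per host rather than within a 10-minute window; change it to `by Computer, _time` (or drop the `bin` if window-wide correlation is intended). Security 4688 records `NewProcessName` and `ParentProcessName` as full paths, so the exact matches `NewProcessName="baaupdate.exe"` and `ParentProcessName="explorer.exe"` (and the BdeUISrv.exe/svchost.exe pair) will not match real events and `ProcEvts` stays 0; use a suffix wildcard such as `NewProcessName="*\\baaupdate.exe" AND ParentProcessName="*\\explorer.exe"`. The drilldown added in patch 04 filters on `Host = "$Host$"`, which only existed through the `rename ComputerName AS "Host"` this hunk deletes, so its `$Host$` token is no longer populated once the output is keyed on `Computer`; the drilldown should be updated to match. The new how_to_implement text also still lists `ComputerName` as a required field while the search now groups by `Computer`.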
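Review bot: Removing the `analytic_story` entry leaves the detection with no story mapping, and the story it pointed to is deleted in the next patch of this series; as far as I know the content validation in this repository requires at least one entry under `tags.analytic_story`, so the detection should be mapped to an existing story (for example the `- Active Directory Lateral Movement` it carried in patch 01) rather than left without one.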
@@ -137,3 +124,15 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+tests:
+ - name: True Positive Test security log
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
+ source: XmlWinEventLog:security
+ sourcetype: XmlWinEventLog
+tests:
+ - name: True Positive Test system log
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
+ source: XmlWinEventLog:system
+ sourcetype: XmlWinEventLog
From 6e8d570f6d5b7fb2b15aa1a50230b104c98f3f1f Mon Sep 17 00:00:00 2001
From: Ali AtashGar
Date: Mon, 2 Feb 2026 18:04:45 +0330
Subject: [PATCH 09/12] Delete stories/bitlocker_com_hijacking_lateral_movement.yml
---
 ...tlocker_com_hijacking_lateral_movement.yml | 59 -------------------
 1 file changed, 59 deletions(-)
 delete mode 100644 stories/bitlocker_com_hijacking_lateral_movement.yml
diff --git a/stories/bitlocker_com_hijacking_lateral_movement.yml b/stories/bitlocker_com_hijacking_lateral_movement.yml
deleted file mode 100644
index 9164a18f77..0000000000
--- a/stories/bitlocker_com_hijacking_lateral_movement.yml
+++ /dev/null
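Review bot: The hunk adds `tests:` twice at the top level; a duplicate mapping key is either a parse error or silently resolved to the last occurrence, so the security-log test case is lost or the file fails to load. Keep a single `tests:` line and place both `- name:` entries under it. Since the search only fires when a 7040 (System log) and 4657/4663/4688 (Security log) are seen on the same host, the two replays should probably be a single test whose `attack_data` lists both the windows-security.log and windows-system.log entries — if the harness replays each test's data in isolation, neither test as written can produce a result.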
@@ -1,59 +0,0 @@
-name: BitLocker COM Hijacking Lateral Movement
-id: 9d1f4a2b-6e3c-4f7d-8a9b-1c5e7f8d3e4f
-version: 1
-date: '2025-11-23'
-author: Ali Atashgar (AAtashGar), Github Community
-status: production
-description: |
- This Analytic Story focuses on detecting lateral movement via exploitation of BitLocker COM Hijacking
- (MITRE ATT&CK Technique **T1546.015** – Event Triggered Execution: Component Object Model Hijacking)
- a technique observed in 2025 campaigns. Attackers modify registry values under HKCU associated with
- a specific BitLocker-related CLSID (`{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}`)
- hijacking legitimate BitLocker processes such as `baaupdate.exe` or `BdeUISrv.exe`.
- This allows malicious code to execute in the context of a high-privilege system process
- facilitating lateral movement across Windows environments—especially
- after gaining initial access to an endpoint.
-
- The detection correlates the following suspicious behaviors on the same host:
- - Registry handle operations (e.g., SetInformation,
- CreateFile) targeting the hijacked CLSID key in HKCU
- - Subsequent execution of BitLocker-related binaries (baaupdate.exe, BdeUISrv.exe)
- shortly after the registry modification
- - Anomalous child processes or unusual command-line arguments
- spawned from these legitimate processes
-
- Monitoring these patterns can serve as an early indicator of COM hijacking
- attempts for lateral movement
- particularly in environments where BitLocker is enabled or attackers already
- have foothold access.
-
- MITRE ATT&CK Mappings:
- - T1546.015: Event Triggered Execution: Component Object Model Hijacking
- - TA0008: Lateral Movement
-
- Recommendations:
- - Enable continuous monitoring of sensitive CLSID registry modifications
- (especially under HKCU\Software\Classes\CLSID)
- - Combine with EDR telemetry to detect anomalous process execution chains
- involving BitLocker components
- - Consider restricting write access to relevant registry paths where feasible
-narrative: |
- In August 2025, a novel lateral movement technique was published that abuses
- the BitLocker Network Unlock COM object
- (CLSID {A7A63E5C-3877-4840-8727-C1EA9D7A4D50}).
- Attackers enable RemoteRegistry,write a malicious DLL path to InprocServer32
- under HKCU\Software\Classes\CLSID for logged-on users, and trigger execution
- via baaupdate.exe (from explorer.exe) or BdeUISrv.exe (from svchost.exe).
- This analytic story provides detection for this advanced persistence and
- lateral movement technique.
-references:
- - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
- - https://github.com/rtecCyberSec/BitlockMove
-tags:
- category:
- - Adversary Tactics
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- usecase: Advanced Threat Detection
From 9bd7ce62bb8568b968f6a447cedf0ee826bf512b Mon Sep 17 00:00:00 2001
From: Ali AtashGar
Date: Tue, 10 Feb 2026 16:58:08 +0330
Subject: [PATCH 10/12] YAML parsing error fixed
YAML parsing error fixed (indent in search block), added ---, changed to LF line endings. CI should pass now. Ready for re-review!
---
 ...l_movement_via_bitlocker_com_hijacking.yml | 143 +++++++++++-------
 1 file changed, 87 insertions(+), 56 deletions(-)
diff --git a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
index 10833a3d9a..ae2316e147 100644
--- a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
+++ b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml 
@@ -17,19 +17,22 @@ references: - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/ search: | (`wineventlog_security`) OR (`wineventlog_system`) \ - ((EventCode=7040 AND Service_Name="Remote Registry" AND Message="The start type of the Remote Registry service was changed*") \ - OR (EventCode=4657 AND OperationType="New registry value created" AND ObjectName="*A7A63E5C-3877-4840-8727-C1EA9D7A4D50*") \ + ((EventCode=7040 AND Service_Name="Remote Registry" AND \ + Message="The start type of the Remote Registry service was changed*") \ + OR (EventCode=4657 AND OperationType="New registry value created" AND \ + ObjectName="*A7A63E5C-3877-4840-8727-C1EA9D7A4D50*") \ OR (EventCode=4663 AND ObjectName="*A7A63E5C-3877-4840-8727-C1EA9D7A4D50*") \ - OR (EventCode=4688 AND ((NewProcessName="baaupdate.exe" AND ParentProcessName="explorer.exe") \ - OR (NewProcessName="BdeUISrv.exe" AND ParentProcessName="svchost.exe")))) + OR (EventCode=4688 AND ((NewProcessName="baaupdate.exe" AND \ + ParentProcessName="explorer.exe") OR (NewProcessName="BdeUISrv.exe" AND \ + ParentProcessName="svchost.exe")))) - | eval Service_Change_Time=if(EventCode=7040, _time, null) - | eval Registry_Change_Time=if(EventCode=4657, _time, null) - | eval Handle_Creation_Time=if(EventCode=4663, _time, null) - | eval Process_Execution_Time=if(EventCode=4688, _time, null) - | eval Service_Message=if(EventCode=7040, Message, null) - | eval Process_Accessing_Registry=if(EventCode=4663, ProcessName, null) - | bin _time span=10m + | eval Service_Change_Time=if(EventCode=7040, _time, null) + | eval Registry_Change_Time=if(EventCode=4657, _time, null) + | eval Handle_Creation_Time=if(EventCode=4663, _time, null) + | eval Process_Execution_Time=if(EventCode=4688, _time, null) + | eval Service_Message=if(EventCode=7040, Message, null) + | eval Process_Accessing_Registry=if(EventCode=4663, ProcessName, null) + | bin _time span=10m | stats values(Service_Change_Time) AS Service_Change_Time 
values(Service_Message) AS Service_Message
@@ -39,7 +42,7 @@ search: |
values(NewValueType) AS Registry_Value_Type
values(Handle_Creation_Time) AS Handle_Creation_Time
values(Process_Accessing_Registry) AS Process_Accessing_Registry
- values(Process_Execution_Time) AS Process_Execution_Time
+ values(Process_Execution_Time) AS Process_Execution_Time
values(ProcessId) AS ParentProcessId
values(ParentProcessName) AS ParentProcessName
values(NewProcessId) AS NewProcessId
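Review bot: The 4688 clause `NewProcessName="baaupdate.exe" AND ParentProcessName="explorer.exe"` (and the `BdeUISrv.exe`/`svchost.exe` pair) only matches if those fields hold a bare file name, but in a Security 4688 event New Process Name and Creator Process Name are recorded as full paths, so without an ingest-side extraction that strips the directory these clauses never match and the `ProcEvts>0` gate in the later `where` is never satisfied. A wildcard prefix preserves the intent: `(NewProcessName="*\\baaupdate.exe" AND ParentProcessName="*\\explorer.exe")`, and likewise for the second pair. The re-indented `| bin _time span=10m` only bounds the correlation window if `_time` is also in the `stats ... by` clause; the `by Computer` visible in the later hunk suggests it is not, in which case the four event types are correlated across the whole search time range rather than within ten minutes. The `search:` block continues past the end of this hunk.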
@@ -51,70 +54,97 @@ search: | by Computer | where SrvEvts>0 AND RegEvts>0 AND HdlEvts>0 AND ProcEvts>0 | eval Service_Change_Time=strftime(Service_Change_Time, "%Y-%m-%d %H:%M:%S") - | eval Registry_Change_Time=strftime(Registry_Change_Time, "%Y-%m-%d %H:%M:%S") - | eval Handle_Creation_Time=strftime(Handle_Creation_Time, "%Y-%m-%d %H:%M:%S") - | eval Process_Execution_Time=strftime(Process_Execution_Time, "%Y-%m-%d %H:%M:%S") + | eval Registry_Change_Time \ + =strftime(Registry_Change_Time, "%Y-%m-%d %H:%M:%S") + | eval Handle_Creation_Time \ + =strftime(Handle_Creation_Time, "%Y-%m-%d %H:%M:%S") + | eval Process_Execution_Time \ + =strftime(Process_Execution_Time, "%Y-%m-%d %H:%M:%S") | sort - Service_Change_Time | `lateral_movement_via_bitlocker_com_hijacking_filter` how_to_implement: |- - Ensure Windows Event Logs are being ingested into Splunk, particularly from the Security channel (wineventlog), - and System channel (for EventCode 7040).This detection requires fields like EventCode, ComputerName, Service_Name, - OperationType, ObjectName, NewProcessName, ParentProcessName, Message, ProcessName, NewValue, NewValueType, ProcessId, - ParentProcessId, and count values from stats.Use Sysmon or Endpoint data models for enhanced coverage. + Ensure Windows Event Logs are being ingested into Splunk, particularly from + the Security channel (wineventlog),and System channel (for EventCode 7040). + This detection requires fields like EventCode, ComputerName, Service_Name, + OperationType, ObjectName, NewProcessName, ParentProcessName, Message, + ProcessName, NewValue, NewValueType, ProcessId,ParentProcessId, + and count values from stats. + Use Sysmon or Endpoint data models for enhanced coverage. For Event IDs 4657 and 4663 (registry modifications and access attempts), auditing must be enabled as these events are not logged by default. Follow these steps to configure auditing 1. 
**Enable Object Access Auditing in Group Policy or Local Security Policy:** - - Open Local Security Policy (secpol.msc) or Group Policy Editor (gpedit.msc). + - Open Local Security Policy (secpol.msc) or Group Policy Editor (gpedit.msc) - Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access. - - Enable "Audit Registry" for Success and Failure (or specifically "Audit Handle Manipulation" - and "Audit Kernel Object" if needed for finer control). + - Enable "Audit Registry" for Success and Failure + (or specifically "Audit Handle Manipulation" and "Audit Kernel Object" + if needed for finer control). 2. **Set System Access Control List (SACL) on the specific registry key:** - Open Registry Editor (regedit.exe) as Administrator. - - Navigate to the target key: HKCU\Software\Classes\CLSID\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50} + - Navigate to the target key: + HKCU\Software\Classes\CLSID\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50} (or the relevant subkeys where changes are expected). - Right-click the key > Permissions > Advanced > Auditing tab. - - Click "Add" > Select Principal (e.g., "Everyone" or a specific user/group for broader monitoring). + - Click "Add" > Select Principal + (e.g., "Everyone" or a specific user/group for broader monitoring). - Set Type to "Success" and "Failure". - - Check permissions to audit, such as "Set Value", "Create Subkey", "Delete", "Query Value", "Enumerate Subkeys", - and "Write DAC" (adjust based on the attack vector; at minimum, include "Set Value" for 4657 and access operations for 4663). - - Apply the changes. This SACL must be set on the exact keys/values to generate events 4657 (for value modifications) and 4663 - (for handle access). 
- **Important Note on HKCU:** + - Check permissions to audit, such as "Set Value", "Create Subkey", "Delete", + "Query Value", "Enumerate Subkeys",and "Write DAC" + (adjust based on the attack vector; at minimum, include "Set Value" for 4657 + and access operations for 4663). + - Apply the changes. This SACL must be set on the exact keys/values + to generate events 4657 (for value modifications) + and 4663 (for handle access). + **Important Note on HKCU:** Since this registry path is located under **HKEY_CURRENT_USER (HKCU)**, - the SACL is user-specific and applies only to the currently logged-on user profile. + the SACL is user-specific and applies only to the currently + logged-on user profile. To ensure comprehensive coverage on multi-user systems - (e.g., Terminal Servers, Remote Desktop Session Hosts, or shared workstations), - this SACL configuration must be applied **for each user profile** that needs to be monitored. + (e.g., Terminal Servers, Remote Desktop Session Hosts,or shared workstations) + this SACL configuration must be applied **for each user profile** + that needs to be monitored. - One common approach is to log in as each relevant user - (or use a script/tool like PowerShell with scheduled tasks or logon scripts) to set the SACL in their HKCU hive. + (or use a script/tool like PowerShell + with scheduled tasks or logon scripts) + to set the SACL in their HKCU hive. - For domain environments, consider using Group Policy Preferences - (Registry) or logon scripts to automate applying these auditing settings per user. - - If monitoring all users is impractical, prioritize high-risk or privileged accounts. - Note SACLs are object-specific and do not propagate unless inheritance is enabled. - For domain-wide deployment, use Group Policy to apply these settings where possible. - Test the configuration by simulating registry changes (as the target user) to verify events are generated in the Security log. 
- For EventCode 7040 (service changes), ensure "Audit System Events" is enabled under Audit Policies > System Audit Policies > System. - Without these auditing configurations, the detection will not trigger for registry-related events. + (Registry) or logon scripts to automate applying these + auditing settings per user. + - If monitoring all users is impractical, prioritize high-risk or + privileged accounts. + Note SACLs are object-specific and do not propagate + unless inheritance is enabled.For domain-wide deployment, + use Group Policy to apply these settings where possible. + Test the configuration by simulating registry changes + (as the target user) to verify events are generated in the Security log. + For EventCode 7040 (service changes), ensure "Audit System Events" + is enabled under Audit Policies > System Audit Policies > System. + Without these auditing configurations, + the detection will not trigger for registry-related events. known_false_positives: |- Legitimate administrative activities may trigger this detection, such as software installations or system configurations involving Remote Registry and BitLocker components. Tune based on environment. 
drilldown_searches: -- name: View the detection results for - "$Host$" - search: '%original_detection_search% | search Host = "$Host$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$Host$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$Host$" - starthoursago=168 | stats count min(_time) as firstTime max(_time) - as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk - Message" values(analyticstories) as "Analytic Stories" values(annotations._all) - as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" - by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$Host$" + search: '%original_detection_search% | search Host = "$Host$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$Host$" + search: | + | from datamodel Risk.All_Risk | search normalized_risk_object="$Host$" + starthoursago=168 \ + | stats count min(_time) as firstTime max(_time) \ + as lastTime values(search_name) as "Search Name" values(risk_message) \ + as "Risk Message" values(analyticstories) as "Analytic Stories" \ + values(annotations._all) as "Annotations" \ + values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" \ + by normalized_risk_object + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ tags: asset_type: Endpoint mitre_attack_id: 
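Review bot: Both drilldowns key on `$Host$` (`| search Host = "$Host$"` and `normalized_risk_object="$Host$"`), but the detection's results are grouped `by Computer` and nothing visible after that renames the field, so unless the filter macro or a risk-object mapping outside this hunk produces `Host`, the token is empty at drilldown time and the first drilldown returns no rows; the search should use the emitted field, `search: '%original_detection_search% | search Computer = "$Computer$"'`, with the drilldown names updated to match. The re-wrapping of `how_to_implement` also dropped the space after punctuation in several places (`(wineventlog),and`, `"Enumerate Subkeys",and`, `Session Hosts,or`, `enabled.For domain-wide`), which now render as run-together words. The `search:` block this hunk continues begins outside the hunk.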
@@ -127,12 +157,13 @@ tags:
tests:
- name: True Positive Test security log
attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
+ - data: |
+ https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
source: XmlWinEventLog:security
sourcetype: XmlWinEventLog
-tests:
- name: True Positive Test system log
attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
+ - data: |
+ https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
source: XmlWinEventLog:system
sourcetype: XmlWinEventLog
From 63c4d7aa930447bbffa158166d5557d6006524aa Mon Sep 17 00:00:00 2001
From: Ali AtashGar
Date: Sat, 21 Feb 2026 06:24:42 +0330
Subject: [PATCH 11/12] fix: Validation Issues
---
.../lateral_movement_via_bitlocker_com_hijacking.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
index ae2316e147..0f16fc3dd2 100644
--- a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
+++ b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
@@ -154,16 +154,16 @@ tags:
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
-tests:
+ tests:
- name: True Positive Test security log
attack_data:
- - data: |
+ - data:
https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
source: XmlWinEventLog:security
sourcetype: XmlWinEventLog
- name: True Positive Test system log
attack_data:
- - data: |
+ - data:
https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
source: XmlWinEventLog:system
sourcetype: XmlWinEventLog
From 0a133b7078cea015ff74704e30621ab179c4bcaf Mon Sep 17 00:00:00 2001
From: Ali AtashGar
Date: Sun, 22 Feb 2026 00:27:29 +0330
Subject: [PATCH 12/12] fix tests section
---
.../endpoint/lateral_movement_via_bitlocker_com_hijacking.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
index 0f16fc3dd2..32d5ee1903 100644
--- a/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
+++ b/detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
@@ -154,7 +154,7 @@ tags:
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
- tests:
+tests:
- name: True Positive Test security log
attack_data:
- data: