detection Lateral Movement via BitLocker COM Hijacking

detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml

@@ -0,0 +1,169 @@
+name: Lateral Movement via BitLocker COM Hijacking
+id: 990d5907-c022-4358-9ada-f6e5e69514e8
+version: 1
+date: '2025-09-28'
+author: Ali Atashgar (AAtashGar), Github Community
+status: production
+description: |-
+  This detection identifies potential lateral movement activities
+  using BitLocker COM hijacking techniques. It monitors for changes
+  to the Remote Registry service, new registry values in CLSID paths,
+  handle operations on CLSIDs, and executions of specific processes like
+  baaupdate.exe and BdeUISrv.exe. These events are correlated by host to
+  detect sequences indicative of this attack vector.
+type: TTP
+references:
+  - https://medium.com/@seripallychetan/bitlocker-com-hijack-a-new-frontier-in-lateral-movement-tactics-ac5039b18dc6
+  - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
+search: |
+  (`wineventlog_security`) OR (`wineventlog_system`) \
+  ((EventCode=7040 AND Service_Name="Remote Registry" AND \
+  Message="The start type of the Remote Registry service was changed*") \
+  OR (EventCode=4657 AND OperationType="New registry value created" AND \
+  ObjectName="*A7A63E5C-3877-4840-8727-C1EA9D7A4D50*") \
+  OR (EventCode=4663 AND ObjectName="*A7A63E5C-3877-4840-8727-C1EA9D7A4D50*") \
+  OR (EventCode=4688 AND ((NewProcessName="baaupdate.exe" AND \
+  ParentProcessName="explorer.exe") OR (NewProcessName="BdeUISrv.exe" AND \
+  ParentProcessName="svchost.exe"))))
+
+  | eval Service_Change_Time=if(EventCode=7040, _time, null)
+  | eval Registry_Change_Time=if(EventCode=4657, _time, null)
+  | eval Handle_Creation_Time=if(EventCode=4663, _time, null)
+  | eval Process_Execution_Time=if(EventCode=4688, _time, null)
+  | eval Service_Message=if(EventCode=7040, Message, null)
+  | eval Process_Accessing_Registry=if(EventCode=4663, ProcessName, null)
+  | bin _time span=10m
+  | stats
+      values(Service_Change_Time) AS Service_Change_Time
+      values(Service_Message) AS Service_Message
+      values(Registry_Change_Time) AS Registry_Change_Time
+      values(ObjectName) AS CLSID_PATH
+      values(NewValue) AS Registry_value
+      values(NewValueType) AS Registry_Value_Type
+      values(Handle_Creation_Time) AS Handle_Creation_Time
+      values(Process_Accessing_Registry) AS Process_Accessing_Registry
+      values(Process_Execution_Time) AS Process_Execution_Time
+      values(ProcessId) AS ParentProcessId
+      values(ParentProcessName) AS ParentProcessName
+      values(NewProcessId) AS NewProcessId
+      values(NewProcessName) AS NewProcessName
+      count(eval(EventCode=7040)) AS SrvEvts
+      count(eval(EventCode=4657)) AS RegEvts
+      count(eval(EventCode=4663)) AS HdlEvts
+      count(eval(EventCode=4688)) AS ProcEvts
+      by Computer
+  | where SrvEvts>0 AND RegEvts>0 AND HdlEvts>0 AND ProcEvts>0
+  | eval Service_Change_Time=strftime(Service_Change_Time, "%Y-%m-%d %H:%M:%S")
+  | eval Registry_Change_Time \
+  =strftime(Registry_Change_Time, "%Y-%m-%d %H:%M:%S")
+  | eval Handle_Creation_Time \
+  =strftime(Handle_Creation_Time, "%Y-%m-%d %H:%M:%S")
+  | eval Process_Execution_Time \
+  =strftime(Process_Execution_Time, "%Y-%m-%d %H:%M:%S")
+  | sort - Service_Change_Time
+  | `lateral_movement_via_bitlocker_com_hijacking_filter`
+how_to_implement: |-
+  Ensure Windows Event Logs are being ingested into Splunk, particularly from
+  the Security channel (wineventlog),and System channel (for EventCode 7040).
+  This detection requires fields like EventCode, ComputerName, Service_Name,
+  OperationType, ObjectName, NewProcessName, ParentProcessName, Message,
+  ProcessName, NewValue, NewValueType, ProcessId,ParentProcessId,
+  and count values from stats.
+  Use Sysmon or Endpoint data models for enhanced coverage.
+  For Event IDs 4657 and 4663 (registry modifications and access attempts),
+  auditing must be enabled as these events are not logged by default.
+  Follow these steps to configure auditing
+  1. **Enable Object Access Auditing in Group Policy or Local Security Policy:**
+   - Open Local Security Policy (secpol.msc) or Group Policy Editor (gpedit.msc)
+   - Navigate to Computer Configuration > Windows Settings > Security Settings >
+     Advanced Audit Policy Configuration > Audit Policies > Object Access.
+   - Enable "Audit Registry" for Success and Failure
+   (or specifically "Audit Handle Manipulation" and "Audit Kernel Object"
+   if needed for finer control).
+  2. **Set System Access Control List (SACL) on the specific registry key:**
+   - Open Registry Editor (regedit.exe) as Administrator.
+   - Navigate to the target key:
+   HKCU\Software\Classes\CLSID\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}
+     (or the relevant subkeys where changes are expected).
+   - Right-click the key > Permissions > Advanced > Auditing tab.
+   - Click "Add" > Select Principal
+   (e.g., "Everyone" or a specific user/group for broader monitoring).
+   - Set Type to "Success" and "Failure".
+   - Check permissions to audit, such as "Set Value", "Create Subkey", "Delete",
+   "Query Value", "Enumerate Subkeys",and "Write DAC"
+   (adjust based on the attack vector; at minimum, include "Set Value" for 4657
+   and access operations for 4663).
+   - Apply the changes. This SACL must be set on the exact keys/values
+   to generate events 4657 (for value modifications)
+   and 4663 (for handle access).
+  **Important Note on HKCU:**
+    Since this registry path is located under **HKEY_CURRENT_USER (HKCU)**,
+    the SACL is user-specific and applies only to the currently
+    logged-on user profile.
+    To ensure comprehensive coverage on multi-user systems
+   (e.g., Terminal Servers, Remote Desktop Session Hosts,or shared workstations)
+   this SACL configuration must be applied **for each user profile**
+   that needs to be monitored.
+   - One common approach is to log in as each relevant user
+     (or use a script/tool like PowerShell
+     with scheduled tasks or logon scripts)
+     to set the SACL in their HKCU hive.
+   - For domain environments, consider using Group Policy Preferences
+     (Registry) or logon scripts to automate applying these
+     auditing settings per user.
+   - If monitoring all users is impractical, prioritize high-risk or
+   privileged accounts.
+  Note SACLs are object-specific and do not propagate
+  unless inheritance is enabled.For domain-wide deployment,
+  use Group Policy to apply these settings where possible.
+  Test the configuration by simulating registry changes
+  (as the target user) to verify events are generated in the Security log.
+  For EventCode 7040 (service changes), ensure "Audit System Events"
+  is enabled under Audit Policies > System Audit Policies > System.
+  Without these auditing configurations,
+  the detection will not trigger for registry-related events.
+known_false_positives: |-
+  Legitimate administrative activities may trigger this detection,
+  such as software installations or system configurations involving
+  Remote Registry and BitLocker components. Tune based on environment.
+drilldown_searches:
+  - name: View the detection results for - "$Host$"
+    search: '%original_detection_search% | search  Host = "$Host$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$Host$"
+    search: |
+      | from datamodel Risk.All_Risk | search normalized_risk_object="$Host$"
+      starthoursago=168 \
+      | stats count min(_time) as firstTime max(_time) \
+      as lastTime values(search_name) as "Search Name" values(risk_message) \
+      as "Risk Message" values(analyticstories) as "Analytic Stories" \
+      values(annotations._all) as "Annotations" \
+      values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" \
+      by normalized_risk_object
+      | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+tags:
+  asset_type: Endpoint
+  mitre_attack_id:
+    - T1546.015
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  security_domain: endpoint
+tests:
+  - name: True Positive Test security log
+    attack_data:
+      - data:
+          https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
+        source: XmlWinEventLog:security
+        sourcetype: XmlWinEventLog
+  - name: True Positive Test system log
+    attack_data:
+      - data:
+          https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
+        source: XmlWinEventLog:system
+        sourcetype: XmlWinEventLog