detection Lateral Movement via BitLocker COM Hijacking

detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml

@@ -0,0 +1,139 @@
+name: Lateral Movement via BitLocker COM Hijacking
+id: 990d5907-c022-4358-9ada-f6e5e69514e8
+version: 1
+date: '2025-09-28'
+author: Ali Atashgar (AAtashGar), Github Community
+status: production
+description: |-
+  This detection identifies potential lateral movement activities
+  using BitLocker COM hijacking techniques. It monitors for changes
+  to the Remote Registry service, new registry values in CLSID paths,
+  handle operations on CLSIDs, and executions of specific processes like
+  baaupdate.exe and BdeUISrv.exe. These events are correlated by host to
+  detect sequences indicative of this attack vector.
+type: TTP
+references:
+  - https://medium.com/@seripallychetan/bitlocker-com-hijack-a-new-frontier-in-lateral-movement-tactics-ac5039b18dc6
+  - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
+search: |
+  (`wineventlog_security`) OR (`wineventlog_system`) \
+      EventCode IN (7040, 4657, 4663, 4688)
+      [ search `wineventlog_system` EventCode=7040 service="Remote Registry"
+      | fields ComputerName
+      | dedup ComputerName
+          ]
+  | where
+      (EventCode=7040 AND service="Remote Registry") OR
+      (EventCode=4657 AND Operation_Type="New registry value created"
+      AND Object_Name LIKE "%CLSID%") OR
+      (EventCode=4663 AND Object_Name LIKE "%CLSID%") OR
+      (EventCode=4688 AND (
+      (process_name="baaupdate.exe" AND parent_process_name="explorer.exe") OR
+      (process_name="BdeUISrv.exe" AND parent_process_name="svchost.exe")
+      ))
+  | eval srvchngstsTime=if(EventCode=7040, _time, null)
+  | eval regvlsetTime=if(EventCode=4657, _time, null)
+  | eval reghandleTime=if(EventCode=4663, _time, null)
+  | eval procexecTime=if(EventCode=4688, _time, null)
+  | eval ServiceMessage=if(EventCode=7040, Message, null)
+  | eval ProcessName_4663=if(EventCode=4663, process, null)
+  | eval CLSID_Path=if(EventCode IN (4657, 4663), Object_Name, null)
+  | stats
+      values(srvchngstsTime) AS srvchngstsTime
+      values(regvlsetTime) AS regvlsetTime
+      values(reghandleTime) AS reghandleTime
+      values(procexecTime) AS procexecTime
+      values(ServiceMessage) AS ServiceMessage
+      values(CLSID_Path) AS CLSID_Path
+      values(New_Value_Type) AS New_Value_Type
+      values(New_Value) AS New_Value
+      values(Access_Mask) AS AccessMask
+      values(ProcessName_4663) AS ProcessName_4663
+      values(parent_process_id) AS parent_process_id
+      values(parent_process_name) AS parent_process_name
+      values(process_id) AS process_id
+      values(process_name) AS process_name
+      values(TimeDiff1) AS TimeDiff_Service_to_Registry
+      values(TimeDiff2) AS TimeDiff_Registry_to_Handle
+      values(TimeDiff3) AS TimeDiff_Handle_to_Process
+      count(eval(EventCode=7040)) AS SrvEvts
+      count(eval(EventCode=4657)) AS RegEvts
+      count(eval(EventCode=4663)) AS HdlEvts
+      count(eval(EventCode=4688)) AS ProcEvts
+      by ComputerName
+  | where SrvEvts>0 AND RegEvts>0 AND HdlEvts>0 AND ProcEvts>0
+  | where isnotnull(CLSID_Path)
+  | eval srvchngstsTime=strftime(srvchngstsTime, "%Y-%m-%d %H:%M:%S")
+  | eval regvlsetTime=strftime(regvlsetTime, "%Y-%m-%d %H:%M:%S")
+  | eval reghandleTime=strftime(reghandleTime, "%Y-%m-%d %H:%M:%S")
+  | eval procexecTime=strftime(procexecTime, "%Y-%m-%d %H:%M:%S")
+  | table
+      ComputerName
+      srvchngstsTime
+      ServiceMessage
+      regvlsetTime
+      CLSID_Path
+      New_Value_Type
+      New_Value
+      reghandleTime
+      ProcessName_4663
+      AccessMask
+      procexecTime
+      parent_process_id
+      parent_process_name
+      process_id
+      process_name
+  | rename
+      ComputerName AS "Host"
+      CLSID_Path AS "CLSID Path"
+      srvchngstsTime AS "Service Change Time"
+      ServiceMessage AS "Service Message"
+      regvlsetTime AS "Registry Change Time"
+      New_Value_Type AS "Registry Value Type"
+      New_Value AS "Registry Value"
+      reghandleTime AS "Handle Creation Time"
+      AccessMask AS "Access Mask"
+      ProcessName_4663 AS "Process Accessing Registry"
+      procexecTime AS "Process Execution Time"
+      parent_process_name AS "Parent Process"
+      process_name AS "Process Name"
+      parent_process_id AS "Parent Process ID"
+      process_id AS "Process ID"
+  | sort - "Service Change Time"
+  | `lateral_movement_via_bitlocker_com_hijacking_filter`
+how_to_implement: |-
+  Ensure Windows Event Logs are being ingested into Splunk,
+  particularly from the Security channel (wineventlog).
+  This detection requires fields like EventCode, ComputerName,
+  service, Operation_Type, Object_Name, process_name, parent_process_name,
+  Message, process, New_Value_Type, New_Value, Access_Mask, parent_process_id,
+  and process_id. Use Sysmon or Endpoint data models for enhanced coverage.
+known_false_positives: |-
+  Legitimate administrative activities may trigger this detection,
+  such as software installations or system configurations involving
+  Remote Registry and BitLocker components. Tune based on environment.
+drilldown_searches:
+- name: View the detection results for - "$Host$"
+  search: '%original_detection_search% | search  Host = "$Host$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$Host$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$Host$"
+    starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+    - BitLocker COM Hijacking Lateral Movement
+  asset_type: Endpoint
+  mitre_attack_id:
+    - T1546.015
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  security_domain: endpoint

stories/bitlocker_com_hijacking_lateral_movement.yml

@@ -0,0 +1,59 @@
+name: BitLocker COM Hijacking Lateral Movement
+id: 9d1f4a2b-6e3c-4f7d-8a9b-1c5e7f8d3e4f
+version: 1
+date: '2025-11-23'
+author: Ali Atashgar (AAtashGar), Github Community
+status: production
+description: |
+  This Analytic Story focuses on detecting lateral movement via exploitation of BitLocker COM Hijacking
+  (MITRE ATT&CK Technique **T1546.015** – Event Triggered Execution: Component Object Model Hijacking)
+  a technique observed in 2025 campaigns. Attackers modify registry values under HKCU associated with
+  a specific BitLocker-related CLSID (`{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}`)
+  hijacking legitimate BitLocker processes such as `baaupdate.exe` or `BdeUISrv.exe`.
+  This allows malicious code to execute in the context of a high-privilege system process
+  facilitating lateral movement across Windows environments—especially
+  after gaining initial access to an endpoint.
+
+  The detection correlates the following suspicious behaviors on the same host:
+  - Registry handle operations (e.g., SetInformation,
+  CreateFile) targeting the hijacked CLSID key in HKCU
+  - Subsequent execution of BitLocker-related binaries (baaupdate.exe, BdeUISrv.exe)
+  shortly after the registry modification
+  - Anomalous child processes or unusual command-line arguments
+  spawned from these legitimate processes
+
+  Monitoring these patterns can serve as an early indicator of COM hijacking
+  attempts for lateral movement 
+  particularly in environments where BitLocker is enabled or attackers already
+  have foothold access.
+
+  MITRE ATT&CK Mappings:
+  - T1546.015: Event Triggered Execution: Component Object Model Hijacking
+  - TA0008: Lateral Movement
+
+  Recommendations:
+  - Enable continuous monitoring of sensitive CLSID registry modifications
+  (especially under HKCU\Software\Classes\CLSID)
+  - Combine with EDR telemetry to detect anomalous process execution chains
+  involving BitLocker components
+  - Consider restricting write access to relevant registry paths where feasible
+narrative: |
+  In August 2025, a novel lateral movement technique was published that abuses
+  the BitLocker Network Unlock COM object
+  (CLSID {A7A63E5C-3877-4840-8727-C1EA9D7A4D50}).
+  Attackers enable RemoteRegistry,write a malicious DLL path to InprocServer32
+  under HKCU\Software\Classes\CLSID for logged-on users, and trigger execution
+  via baaupdate.exe (from explorer.exe) or BdeUISrv.exe (from svchost.exe).
+  This analytic story provides detection for this advanced persistence and
+  lateral movement technique.
+references:
+  - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
+  - https://github.com/rtecCyberSec/BitlockMove
+tags:
+  category:
+    - Adversary Tactics
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  usecase: Advanced Threat Detection