Suspicious Reg Add BitLocker
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
Sigma rule (View on GitHub)
1title: Suspicious Reg Add BitLocker
2id: 0e0255bf-2548-47b8-9582-c0955c9283f5
3status: test
4description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
5references:
6 - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
7author: frack113
8date: 2021-11-15
9modified: 2022-09-09
10tags:
11 - attack.impact
12 - attack.t1486
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains|all:
19 - 'REG'
20 - 'ADD'
21 - '\SOFTWARE\Policies\Microsoft\FVE'
22 - '/v'
23 - '/f'
24 CommandLine|contains:
25 - 'EnableBDEWithNoTPM'
26 - 'UseAdvancedStartup'
27 - 'UseTPM'
28 - 'UseTPMKey'
29 - 'UseTPMKeyPIN'
30 - 'RecoveryKeyMessageSource'
31 - 'UseTPMPIN'
32 - 'RecoveryKeyMessage'
33 condition: selection
34falsepositives:
35 - Unlikely
36level: high
References
-
In late September 2021, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. The threat actors in this case wer…
Read More
Related rules
- AWS EC2 Disable EBS Encryption
- BlueSky Ransomware Artefacts
- LockerGoga Ransomware Activity
- Microsoft 365 - Potential Ransomware Activity
- Potential Conti Ransomware Activity