detection Lateral Movement via BitLocker COM Hijacking #3801
base: develop
Hey @AAtashGar before reviewing this. Just wanted to ask any particular reason you want this as experimental instead of production. From your screenshot it looks like you have the data already. Simply export it as raw and then upload it to https://github.com/splunk/attack_data as LFS with a corresponding yaml definition. (See old PRs for reference). Or if you want you could upload the raw logs here and we will take care of it, if we deem the rule interesting.
Dear @nasbench Should I change status to production after adding the data? Happy to upload raw logs here if needed. Let me know if there's anything else!
@AAtashGar in this repo context. Production means tested rules aka with logs and experimental means untested. So yes once you upload the data to attack data and link it you can switch the status and I can start reviewing it. Cheers
@nasbench Perfect, thanks for clarifying! Got it
@nasbench Done! attack_data PR created with LFS logs and YAML definition: Status changed to Ready for review — thanks!
detections/endpoint/lateral_movement_via_bitlocker_com_hijacking.yml
Expanded the analytic story to provide detailed detection strategies for BitLocker COM hijacking lateral movement, including MITRE ATT&CK mappings and recommendations for monitoring and prevention.
Thanks for your help, I changed the things you said, I hope I understood the change regarding the author correctly
| (`wineventlog_security`) OR (`wineventlog_system`) \ | ||
| EventCode IN (7040, 4657, 4663, 4688) | ||
| [ search `wineventlog_system` EventCode=7040 service="Remote Registry" | ||
| | fields ComputerName | ||
| | dedup ComputerName | ||
| ] | ||
| | where | ||
| (EventCode=7040 AND service="Remote Registry") OR | ||
| (EventCode=4657 AND Operation_Type="New registry value created" | ||
| AND Object_Name LIKE "%CLSID%") OR | ||
| (EventCode=4663 AND Object_Name LIKE "%CLSID%") OR | ||
| (EventCode=4688 AND ( | ||
| (process_name="baaupdate.exe" AND parent_process_name="explorer.exe") OR | ||
| (process_name="BdeUISrv.exe" AND parent_process_name="svchost.exe") | ||
| )) |
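Review bot: The 4688 branch of the `where` clause matches on `process_name` and `parent_process_name`, which are CIM-style names rather than the event's own `NewProcessName` / `ParentProcessName` fields (full paths), so this branch only fires when the Windows add-on's field extraction supplies those names; either match the native fields with a path-suffix comparison or state that dependency in `how_to_implement`. The subsearch also admits every host with any 7040 for Remote Registry in the window (routine start-type changes included), and the `where` repeats the `EventCode IN (...)` filter instead of narrowing the base search; restricting the `Object_Name` comparisons to the hijacked CLSID from the PR description (`{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}`) and the subsearch to the disabled-to-enabled change would remove most unrelated matches.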
This can be optimized by moving the filter early as well as adding conditions to the subsearch to look only for changes to the status of the service to Enabled from Disabled.
Also the field you are using are not the XML fields but the General view field. Which we do not recommend using.
Now for the condition, you are filtering for any CLSID which is not the case of the attack. But instead it targets specific CLSID. You should filter on those.
Also keep in mind that EID 4663/4657 requires a dedicated SACL in the key/value to trigger.
You need better filtering to avoid non-related matches.
| | stats | ||
| values(srvchngstsTime) AS srvchngstsTime | ||
| values(regvlsetTime) AS regvlsetTime | ||
| values(reghandleTime) AS reghandleTime | ||
| values(procexecTime) AS procexecTime | ||
| values(ServiceMessage) AS ServiceMessage | ||
| values(CLSID_Path) AS CLSID_Path | ||
| values(New_Value_Type) AS New_Value_Type | ||
| values(New_Value) AS New_Value | ||
| values(Access_Mask) AS AccessMask | ||
| values(ProcessName_4663) AS ProcessName_4663 | ||
| values(parent_process_id) AS parent_process_id | ||
| values(parent_process_name) AS parent_process_name | ||
| values(process_id) AS process_id | ||
| values(process_name) AS process_name | ||
| values(TimeDiff1) AS TimeDiff_Service_to_Registry | ||
| values(TimeDiff2) AS TimeDiff_Registry_to_Handle | ||
| values(TimeDiff3) AS TimeDiff_Handle_to_Process | ||
| count(eval(EventCode=7040)) AS SrvEvts | ||
| count(eval(EventCode=4657)) AS RegEvts | ||
| count(eval(EventCode=4663)) AS HdlEvts | ||
| count(eval(EventCode=4688)) AS ProcEvts | ||
| by ComputerName |
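Review bot: Nothing in this `stats` requires all four stages to be present, so a host with a single matching 4688 (or any lone event) still produces a result row; follow the `stats` with `| where SrvEvts>0 AND RegEvts>0 AND HdlEvts>0 AND ProcEvts>0`, and group by a time bucket as well as `ComputerName` (for example `| bin _time span=10m` before the `stats`) so that events far apart on the same host are not stitched together. Also, because each event carries only one of `srvchngstsTime`, `regvlsetTime`, `reghandleTime` and `procexecTime` (the others are null), any `TimeDiff1`..`TimeDiff3` computed per event before the `stats` is null; aggregate the stage times with `min()`/`max()` and compute the differences after aggregation.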
The grouping needs to also take into account a timespan to be more efficient since these events could occur unrelated. Add a time span of 10 minutes or so to be more efficient.
| | eval srvchngstsTime=if(EventCode=7040, _time, null) | ||
| | eval regvlsetTime=if(EventCode=4657, _time, null) | ||
| | eval reghandleTime=if(EventCode=4663, _time, null) | ||
| | eval procexecTime=if(EventCode=4688, _time, null) | ||
| | eval ServiceMessage=if(EventCode=7040, Message, null) | ||
| | eval ProcessName_4663=if(EventCode=4663, process, null) | ||
| | eval CLSID_Path=if(EventCode IN (4657, 4663), Object_Name, null) |
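Review bot: `null` in these `if()` calls should be the function `null()`; in `eval` a bare `null` is read as a reference to a field of that name and only yields a null value because no such field exists. The four time evals could also be folded into one `case(...)` expression, and the process field naming is inconsistent between stages (the 4663 branch reads `process`, the 4688 branch reads `process_name`), which is worth aligning when the final field names are chosen.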
You could choose the perfect names here instead of using a rename later, just use quotes if the name contains spaces
| how_to_implement: |- | ||
| Ensure Windows Event Logs are being ingested into Splunk, | ||
| particularly from the Security channel (wineventlog). | ||
| This detection requires fields like EventCode, ComputerName, | ||
| service, Operation_Type, Object_Name, process_name, parent_process_name, | ||
| Message, process, New_Value_Type, New_Value, Access_Mask, parent_process_id, | ||
| and process_id. Use Sysmon or Endpoint data models for enhanced coverage. |
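Review bot: The channel guidance contradicts the search: 7040 is written by the Service Control Manager to the System log (the search reads it through `wineventlog_system`), so the Security channel alone does not cover this detection. For the Security events, spell out the audit prerequisites: 4657 and 4663 need the Object Access > Audit Registry subcategory enabled plus a SACL on the hijacked CLSID key (without the SACL neither event is generated), and 4688 needs Detailed Tracking > Audit Process Creation; 7040 needs no audit policy. Stating which of the listed fields come from the Windows add-on's extractions rather than the raw event would also help implementers.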
Since you are using event id that require a dedicated audit policy and SACL configured. You have to provide these details in here.
What policy needs to be enabled as well as the appropriate SACLs to be configured to capture this
| analytic_story: | ||
| - BitLocker COM Hijacking Lateral Movement |
I do not think an analytic story is necessary, since this is only one detection and 1 type of attack on this. If it was more then it would make more sense.
So in my opinion you could drop this. And move some of the details into the description of this detection.
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| security_domain: endpoint |
You will have to add an appropriate test section that points to the data that you uploaded.
Take a look at the detection hosted in this repo for examples.
6 items that needed correction were reviewed and corrected.
Thanks for your advice, I checked and corrected everything.
Add detection for BitLocker COM Hijacking Lateral Movement (T1546.015)
What does this PR do?
Adds a new experimental ESCU detection + analytic story for the novel BitLocker Network Unlock COM Object Hijacking technique published in August 2025.
This living-off-the-land lateral movement method:
- HKCU\Software\Classes\CLSID\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\InprocServer32
- baaupdate.exe (from explorer.exe) or BdeUISrv.exe (from svchost.exe)

This is the first public detection covering this advanced technique.
Files added:
- detections/endpoint/lateral_movement_bitlocker_com_hijacking.yml
- macros/lateral_movement_bitlocker_com_hijacking_filter.yml
- stories/bitlocker_com_hijacking_lateral_movement.yml

Screenshots
Checklist
- <platform>_<mitre att&ck technique>_<short description> nomenclature
- contentctl validate --path . (→ No issues)

Testing Performed
→ Validation Completed - No issues detected!
→ All files valid
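As an added illustration of the correlation the reviewers ask for (a per-host time window, all four stages required in order, and the specific hijacked CLSID rather than any CLSID), here is the same detection logic re-implemented in Python over constructed event records. This is example code, not the PR's SPL or the security_content project's code. It assumes the XML event field names (`NewProcessName`, `ParentProcessName`, `ObjectName`), represents the 4657 operation type by its human-readable text, and takes the 10-minute window and the "from disabled to" wording of the 7040 message from the review discussion; all sample events are constructed.

```python
"""Correlate 7040 -> 4657 -> 4663 -> 4688 per host inside a time window.

Added example; the event records below are constructed, not real telemetry.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# CLSID named in the PR description (the only one this chain should match).
TARGET_CLSID = "{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}".lower()
# Window suggested in review (assumption: 10 minutes from the 7040 event).
WINDOW = timedelta(minutes=10)
# (process, parent) pairs from the PR's 4688 condition, lower-cased basenames.
TRIGGER_PAIRS = {("baaupdate.exe", "explorer.exe"), ("bdeuisrv.exe", "svchost.exe")}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def stage_of(ev: Dict) -> Optional[int]:
    """Map one event to a detection stage 1..4, or None if it is not relevant."""
    code = ev["EventCode"]
    if code == 7040:  # System log: service start type changed (no audit policy needed)
        msg = ev.get("Message", "").lower()
        if "remote registry" in msg and "from disabled to" in msg:
            return 1
    elif code == 4657:  # Security log: registry value created (needs SACL on the key)
        obj = ev.get("ObjectName", "").lower()
        if TARGET_CLSID in obj and obj.endswith("inprocserver32") \
                and ev.get("OperationType") == "New registry value created":
            return 2
    elif code == 4663:  # Security log: handle used on the hijacked key (needs SACL)
        if TARGET_CLSID in ev.get("ObjectName", "").lower():
            return 3
    elif code == 4688:  # Security log: process creation (Audit Process Creation)
        pair = (_basename(ev.get("NewProcessName", "")),
                _basename(ev.get("ParentProcessName", "")))
        if pair in TRIGGER_PAIRS:
            return 4
    return None


def correlate(events: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Return one alert per host whose stages 1-4 occur in order within `window`."""
    by_host: Dict[str, List] = {}
    for ev in events:
        st = stage_of(ev)
        if st is not None:
            by_host.setdefault(ev["ComputerName"], []).append((ev["_time"], st))
    alerts = []
    for host, staged in by_host.items():
        staged.sort(key=lambda x: x[0])
        for i, (t1, st) in enumerate(staged):
            if st != 1:
                continue
            times = {1: t1}
            want = 2
            for t, s in staged[i + 1:]:
                if t - t1 > window:  # everything later is outside the window
                    break
                if s == want:        # stages must appear in order
                    times[want] = t
                    want += 1
                    if want > 4:
                        break
            if want > 4:
                alerts.append({
                    "host": host,
                    "service_to_registry_s": (times[2] - times[1]).total_seconds(),
                    "registry_to_handle_s": (times[3] - times[2]).total_seconds(),
                    "handle_to_process_s": (times[4] - times[3]).total_seconds(),
                })
    return alerts


def _t(hhmm: str) -> datetime:  # helper for the constructed timestamps
    return datetime(2025, 8, 20, int(hhmm[:2]), int(hhmm[2:]))


HIJACKED_KEY = r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Classes\CLSID" \
               r"\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\InprocServer32"
OTHER_KEY = r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Classes\CLSID" \
            r"\{00000000-0000-0000-0000-000000000000}\InprocServer32"
SVC_MSG = "The start type of the Remote Registry service was changed from disabled to demand start."

# Constructed sample: WS01 is a full chain, WS02 touches an unrelated CLSID,
# WS03 has the chain but the process start lands 40 minutes after the 7040.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "_time": _t("0900"), "EventCode": 7040, "Message": SVC_MSG},
    {"ComputerName": "WS01", "_time": _t("0902"), "EventCode": 4657, "ObjectName": HIJACKED_KEY,
     "OperationType": "New registry value created"},
    {"ComputerName": "WS01", "_time": _t("0903"), "EventCode": 4663, "ObjectName": HIJACKED_KEY},
    {"ComputerName": "WS01", "_time": _t("0905"), "EventCode": 4688,
     "NewProcessName": r"C:\Windows\System32\baaupdate.exe", "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"ComputerName": "WS02", "_time": _t("0900"), "EventCode": 7040, "Message": SVC_MSG},
    {"ComputerName": "WS02", "_time": _t("0901"), "EventCode": 4657, "ObjectName": OTHER_KEY,
     "OperationType": "New registry value created"},
    {"ComputerName": "WS02", "_time": _t("0902"), "EventCode": 4663, "ObjectName": OTHER_KEY},
    {"ComputerName": "WS02", "_time": _t("0903"), "EventCode": 4688,
     "NewProcessName": r"C:\Windows\System32\BdeUISrv.exe", "ParentProcessName": r"C:\Windows\System32\svchost.exe"},
    {"ComputerName": "WS03", "_time": _t("1000"), "EventCode": 7040, "Message": SVC_MSG},
    {"ComputerName": "WS03", "_time": _t("1001"), "EventCode": 4657, "ObjectName": HIJACKED_KEY,
     "OperationType": "New registry value created"},
    {"ComputerName": "WS03", "_time": _t("1002"), "EventCode": 4663, "ObjectName": HIJACKED_KEY},
    {"ComputerName": "WS03", "_time": _t("1040"), "EventCode": 4688,
     "NewProcessName": r"C:\Windows\System32\baaupdate.exe", "ParentProcessName": r"C:\Windows\explorer.exe"},
]


def run_sample() -> List[Dict]:
    """Run the correlation over the constructed events; only WS01 should alert."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The ordered walk per host is the Python equivalent of a `bin _time span=10m` followed by a `stats` that is then filtered on all four stage counts; it also shows why the stage-to-stage time differences have to be computed after the stages are matched rather than on individual events.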