Windows Bluetooth Service Installed From Uncommon Location

Author: Michael Haag, Splunk
Source: upstream

Identifies the creation of a Windows service named "BluetoothService" with a binary path in user-writable directories, particularly %AppData%\Bluetooth. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named "BluetoothService" pointing to a malicious binary (renamed Bitdefender Submission Wizard) in a hidden AppData directory. While legitimate Bluetooth services exist in Windows, they are system services with binaries in System32. Any BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1543.003` Create or Modify System Process: Windows Service
Privilege Escalation	`T1543.003` Create or Modify System Process: Windows Service
Defense Evasion	`T1036` Masquerading

Event coverage

Provider	Event ID	Title
Service-Control-Manager	7045

Stages and Predicates

Stage 1: `search`

search EventCode=7045 ImagePath IN ("*\\AppData\\*", "*\\ProgramData\\*", "*\\Temp\\*", "*\\Users\\*\\Bluetooth\\*") ServiceName IN ("Bluetooth Service", "BluetoothService")

Stage 2: `stats`

stats BY Computer, ServiceName, ImagePath, ServiceType, StartType, UserID

Stage 3: `rename`

rename

Stage 4: `search`

search

Stage 5: `search`

search

Stage 6: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`7045` corpus 12 (splunk 12)
`ImagePath`	in	`"\\AppData\\"` `"\\ProgramData\\"` `"\\Temp\\"` `"\\Users\\\\Bluetooth\\*"`
`ServiceName`	in	`"Bluetooth Service"` `"BluetoothService"`

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Invoke-Obfuscation Obfuscated IEX Invocation - System [sigma] (cross-vendor) (drops 3 filters this rule applies) (first-stage match only; downstream stages may differ)
Malicious Powershell Executed As A Service [splunk] (drops 2 filters this rule applies) (first-stage match only; downstream stages may differ)
Randomly Generated Windows Service Name [splunk] (drops 2 filters this rule applies) (first-stage match only; downstream stages may differ)
Windows Service Created with Suspicious Service Name [splunk] (drops 2 filters this rule applies) (first-stage match only; downstream stages may differ)

Windows Bluetooth Service Installed From Uncommon Location

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: rename

Stage 4: search

Stage 5: search

Stage 6: search