detection.wiki

Detection rules › Splunk

Windows Modify Registry Configure BitLocker

Author
Teoderick Contreras, Splunk
Source
upstream

This analytic is developed to detect suspicious registry modifications targeting BitLocker settings. The malware ShrinkLocker alters various registry keys to change how BitLocker handles encryption, potentially bypassing TPM requirements, enabling BitLocker without TPM, and enforcing specific startup key and PIN configurations. Such modifications can weaken system security, making it easier for unauthorized access and data breaches. Detecting these changes is crucial for maintaining robust encryption and data protection.

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1112 Modify Registry
Defense EvasionT1112 Modify Registry

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: tstats

tstats WHERE ((Registry.registry_path="*\\Policies\\Microsoft\\FVE\\*" Registry.registry_value_data=0x00000001 Registry.registry_value_name IN ("EnableBDEWithNoTPM", "EnableNonTPM", "UseAdvancedStartup")) OR (Registry.registry_path="*\\Policies\\Microsoft\\FVE\\*" Registry.registry_value_data=0x00000002 Registry.registry_value_name IN ("UsePIN", "UsePartialEncryptionKey", "UseTPM", "UseTPMKey", "UseTPMKeyPIN", "UseTPMPIN"))) BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product

Stage 2: search

search

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Registry.registry_patheq
  • "*\\Policies\\Microsoft\\FVE\\*"
Registry.registry_value_dataeq
  • 0x00000001 corpus 12 (splunk 12)
  • 0x00000002
Registry.registry_value_namein
  • "EnableBDEWithNoTPM"
  • "EnableNonTPM"
  • "UseAdvancedStartup"
  • "UsePIN"
  • "UsePartialEncryptionKey"
  • "UseTPM"
  • "UseTPMKey"
  • "UseTPMKeyPIN"
  • "UseTPMPIN"