Query Details

BitLocker Malicious Encrypt

Query

// Look for potential instances of BitLocker used to encrypt data maliciously. Defender for Endpoint connected to Sentinel.

DeviceProcessEvents
| where FileName =~ "reg.exe"
    and ProcessCommandLine has "EnableBDEWithNoTPM"
    and (ProcessCommandLine has "true" or ProcessCommandLine contains "1")
| where InitiatingProcessCommandLine has_all (@"C:\Windows\", ".bat")

Explanation

This query looks for potential instances of BitLocker being used to encrypt data maliciously. It runs over DeviceProcessEvents from Defender for Endpoint, with Defender for Endpoint connected to Sentinel as the data source. The query filters for events where the file name is "reg.exe" (case-insensitive) and the process command line includes the term "EnableBDEWithNoTPM" together with either the whole word "true" or the character "1" anywhere in the line; that is the shape of a registry write which allows BitLocker to be enabled on a device without a compatible TPM. Additionally, it checks that the initiating process command line includes both "C:\Windows\" and ".bat", i.e. that reg.exe was launched from a batch script under the Windows directory.
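To make the operator semantics concrete, the following is an added example (not part of the original page or its author's query) that re-implements the two `where` clauses in Python and runs them over a handful of constructed DeviceProcessEvents rows. The `kql_*` helpers are a simplified model of how KQL's `=~`, `has`, `contains` and `has_all` behave (case-insensitive equality, whole-term matching, substring matching), which is an assumption made here rather than the engine's exact tokenizer; the event rows and their `id` values are invented for illustration.

```python
import re

# Constructed sample DeviceProcessEvents rows (not real telemetry); only the
# columns the query reads are included. The "id" field is a label for this demo.
SAMPLE_EVENTS = [
    {   # reg.exe sets EnableBDEWithNoTPM=1 from a batch file under C:\Windows -> should match
        "id": "ev1-batch-enables-no-tpm",
        "FileName": "reg.exe",
        "ProcessCommandLine": r"reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f",
        "InitiatingProcessCommandLine": r"cmd.exe /c C:\Windows\Temp\setup.bat",
    },
    {   # policy engine writes the value as 0, not launched from a .bat -> no match
        "id": "ev2-gpo-sets-zero",
        "FileName": "Reg.exe",
        "ProcessCommandLine": r"Reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 0 /f",
        "InitiatingProcessCommandLine": r"C:\Windows\System32\gpscript.exe /startup",
    },
    {   # batch file only reads the value; no "true"/"1" in the command line -> no match
        "id": "ev3-batch-only-queries",
        "FileName": "reg.exe",
        "ProcessCommandLine": r"reg.exe query HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM",
        "InitiatingProcessCommandLine": r"cmd.exe /c C:\Windows\Temp\check.bat",
    },
    {   # same write, but the batch file is not under C:\Windows -> filtered out by has_all
        "id": "ev4-user-profile-batch",
        "FileName": "reg.exe",
        "ProcessCommandLine": r"reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f",
        "InitiatingProcessCommandLine": r"powershell.exe -File C:\Users\bob\run.bat",
    },
]

TERM_RE = re.compile(r"[A-Za-z0-9]+")


def terms(text: str) -> list[str]:
    """Tokenise into lower-cased alphanumeric terms (simplified model of KQL term indexing)."""
    return [t.lower() for t in TERM_RE.findall(text)]


def kql_has(haystack: str, needle: str) -> bool:
    """Model of KQL `has`: the needle's terms occur as whole, consecutive terms of the haystack."""
    h, n = terms(haystack), terms(needle)
    if not n or len(n) > len(h):
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def kql_contains(haystack: str, needle: str) -> bool:
    """Model of KQL `contains`: case-insensitive substring, so "1" also matches inside "10"."""
    return needle.lower() in haystack.lower()


def kql_eq_ci(left: str, right: str) -> bool:
    """Model of KQL `=~`: case-insensitive string equality."""
    return left.lower() == right.lower()


def kql_has_all(haystack: str, needles) -> bool:
    """Model of KQL `has_all`: every needle must satisfy `has`."""
    return all(kql_has(haystack, n) for n in needles)


def matches_bitlocker_rule(event: dict) -> bool:
    """Evaluate one DeviceProcessEvents row against the page's two `where` clauses."""
    pcl = event["ProcessCommandLine"]
    return (
        kql_eq_ci(event["FileName"], "reg.exe")
        and kql_has(pcl, "EnableBDEWithNoTPM")
        and (kql_has(pcl, "true") or kql_contains(pcl, "1"))
        and kql_has_all(event["InitiatingProcessCommandLine"], ["C:\\Windows\\", ".bat"])
    )


def run_rule(events) -> list[str]:
    """Return the ids of the rows the rule would surface."""
    return [e["id"] for e in events if matches_bitlocker_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "MATCH" if matches_bitlocker_rule(e) else "no match"
        print(f"{e['id']:28s} -> {verdict}")
```

Two things the walk-through makes visible that the KQL alone does not: `has "true"` is a whole-term match, so it would not fire on a token like "truex", whereas `contains "1"` is a plain substring test and will also fire on values such as "10" or on a path that happens to contain a digit 1, so tuning may be needed to cut noise. The second `where` is doing most of the precision work here: the same registry write launched from a batch file outside `C:\Windows\` (ev4) is dropped, so a defender tuning this rule should decide whether that initiating-process constraint is too narrow for their environment.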

Details


Rod Trent

Released: August 12, 2021

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, FileName, ProcessCommandLine, EnableBDEWithNoTPM, true, 1, InitiatingProcessCommandLine

Operators

where, =~, has, and, contains, or, has_all