"bitlocker ransomware: using bitlocker for nefarious reasons i don't know how i got there, but a few days ago i found myself looking at an article on the new “features” that microsoft has implemented for bitlocker o…"
T1486 Data Encrypted for Impact
94%
"-mountpoint $env:systemdrive -recoverykeyprotector -recoverykeypath $env:systemdrive\ resume-bitlocker -mountpoint $env:systemdrive } ## endscript ## the script executes quickly and the next time the computer reboots, the user is hit with the usual bitlocker pas…"
T1112 Modify Registry
93%
"_dword /d 1 /f reg add hklm\software\policies\microsoft\fve /v useadvancedstartup /t reg_dword /d 1 /f reg add hklm\software\policies\microsoft\fve /v usetpm /t reg_dword /d 2 /f reg add hklm\software\policies\microsoft\fve /v usetpmkey /t…"
T1486 Data Encrypted for Impact
80%
", if the key is something different then reset the keys, or send an alert to the helpdesk, etc. the manage-bde.exe tool allows you to do similar tasks as the powershell cmdlets if you are more comfortable with cmd and batch scripts. detection with event logs bitlocker events d…"
T1490 Inhibit System Recovery
71%
"##ts for powershell i was able to create a script that encrypts the system drive, with a custom recovery message. the following script locks the drive and throws away the recovery key, by placing it on the drive being encrypted. the only way to unlock the drive is with the passwo…"
T1486 Data Encrypted for Impact
70%
"##ts for powershell i was able to create a script that encrypts the system drive, with a custom recovery message. the following script locks the drive and throws away the recovery key, by placing it on the drive being encrypted. the only way to unlock the drive is with the passwo…"
T1490 Inhibit System Recovery
50%
"fve /v recoverykeymessagesource /t reg_dword /d 2 /f reg add hklm\software\policies\microsoft\fve /v usetpmpin /t reg_dword /d 2 /f # use a strong password here! $plainpassword = "p@ssw0rd" $securepassword = $plainpassword | convertto-securestring -a…"
T1112 Modify Registry
39%
"they also really missed the security mark by not making you reauthenticate passwords and recovery keys before changing them. i reached out to the microsoft security response center expressing my concerns with the current implementation of bitlocker and they were so kind as to res…"
T1486 Data Encrypted for Impact
30%
"in my experience this notification only appears if the drive was not encrypted before the script ran. research caveats i did all of this research on a workgroup fresh install of windows 10 evaluation. there is nothing that suggests to me that doing this on a domain joined system …"
Summary
Editor’s Note: We’re excited to publish our first guest post! If you’d like to guest post on our blog DM us on Twitter, or use our contact form to contact us […]