Adversaries may use CVE-2021-36934 to access the HKLM registry hive to extract sensitive credentials, bypassing BitLocker encryption. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential credential theft and lateral movement attempts.
KQL Query

```kql
let startTime = now(-7d);
let endTime = now();
DeviceProcessEvents
| where Timestamp between (startTime..endTime)
| where ProcessCommandLine contains "HKLM"
| where AccountName != "system"
```
```yaml
id: ab0afd3c-47fc-4a82-83ad-5c92528bdf08
name: CVE-2021-36934 usage detection
description: |
  Assuming that you have a machine that is properly BitLocker'ed, then
  the machine will need to be running to extract the SAM and SYSTEM
  files.
  This first query looks for any access to the HKLM that happens via a command
  or script that is not executed by system.
  The second query looks for usage of reg or regedit by anyone who is not system.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Privilege escalation
  - Exploit
query: |
  let startTime = now(-7d);
  let endTime = now();
  DeviceProcessEvents
  | where Timestamp between (startTime..endTime)
  | where ProcessCommandLine contains "HKLM"
  | where AccountName != "system"
```
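The description above refers to a second query, covering reg and regedit usage by non-system accounts, that is not reproduced on this page. The following KQL is an added example written here to illustrate what that description calls for; it is not the project's own second query. It assumes the standard DeviceProcessEvents schema (FileName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName) and adds an optional narrowing to command lines that name the SAM, SYSTEM or SECURITY hives, which is my assumption rather than something the page specifies.

```kql
// Added example: a query for reg.exe / regedit.exe launched by any account other
// than the system account over the same 7-day window used by the first query.
let startTime = now(-7d);
let endTime = now();
DeviceProcessEvents
| where Timestamp between (startTime .. endTime)
// Match on the image name rather than the command line so argument quoting
// or ordering does not matter; in~ is the case-insensitive form of in.
| where FileName in~ ("reg.exe", "regedit.exe")
// !~ is the case-insensitive form of !=, so both "system" and "SYSTEM" are excluded.
| where AccountName !~ "system"
// Optional narrowing (assumption, not from the page): keep only invocations whose
// command line names one of the hives discussed above. Remove this line to hunt
// across all reg / regedit usage by non-system accounts.
| where ProcessCommandLine has_any ("SAM", "SYSTEM", "SECURITY")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp desc
```

Note the difference from the first query's `AccountName != "system"`: `!=` is case-sensitive in KQL, so if your tenant ever reports the built-in account as "SYSTEM" the original filter would let it through, whereas `!~` catches both spellings.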
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- Scenario: BitLocker recovery key extraction via the manage-bde command
  - Filter/Exclusion: Exclude processes where the command line includes manage-bde -GetRecoveryKey or manage-bde -protectors and the user is a domain admin with BitLocker permissions.
- Scenario: Scheduled BitLocker status checks using Get-BitLockerVolume in PowerShell
  - Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes Get-BitLockerVolume with a known scheduled task name or user account.
- Scenario: System file access during routine Windows updates or system maintenance
  - Filter/Exclusion: Exclude access to HKLM\Software\Microsoft\Windows\CurrentVersion or HKLM\SECURITY by svchost.exe, wuauserv.exe, or taskhost.exe during known update windows.
- Scenario: Admin task to audit BitLocker status using Local Security Policy (secpol.msc)
  - Filter/Exclusion: Exclude events where the process is mmc.exe loading a .msc console and the user is a domain admin accessing BitLocker settings through the Local Security Policy GUI.
- Scenario: Access to HKLM by system services during normal boot or configuration changes
  - Filter/Exclusion: Exclude access to HKLM by services such as eventlog or task scheduler during system boot, or when the user is a local admin performing configuration changes.
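The scenarios above describe the tuning in prose; the query below is an added example, not the page's or the project's own query, showing the first hunting query with each scenario expressed as an explicit exclusion. Every allowlist value (account names, the 02:00-04:00 update window, the assumption that Timestamp is UTC) is a placeholder assumption to be replaced with what is true in your tenant. The process names and registry paths are the ones listed in the scenarios. DeviceProcessEvents carries no boot timestamp, so the "during boot" part of the last scenario is approximated by the parent process alone.

```kql
// Added example (not the page's own query): the first hunting query with the
// five tuning scenarios applied as exclusions. Allowlists live in let statements
// so that they can be reviewed and audited separately from the hunt logic.
let startTime = now(-7d);
let endTime = now();
// Scenarios 1 and 4: domain admins holding BitLocker permissions (assumed names)
let bitlockerAdmins = dynamic(["bitlocker-admin1", "bitlocker-admin2"]);
// Scenario 2: account under which the scheduled Get-BitLockerVolume check runs (assumed)
let bitlockerAuditAccounts = dynamic(["svc-bitlocker-audit"]);
// Scenario 3: maintenance images as listed on the page, plus an assumed update
// window of 02:00-04:00 (Timestamp is assumed to be UTC)
let maintenanceProcesses = dynamic(["svchost.exe", "wuauserv.exe", "taskhost.exe"]);
let updateWindowStartHour = 2;
let updateWindowEndHour = 4;
// Scenario 5: local admins allowed to make configuration changes (assumed names)
let localAdmins = dynamic(["localadmin"]);
DeviceProcessEvents
| where Timestamp between (startTime .. endTime)
| where ProcessCommandLine contains "HKLM"
| where AccountName !~ "system"
// Scenario 1: manage-bde recovery-key or protector queries by a BitLocker admin.
// Each not(...) removes a row only when every condition of that scenario holds,
// so the same command from a non-allowlisted account still surfaces.
| where not(AccountName in~ (bitlockerAdmins)
            and (ProcessCommandLine contains "manage-bde -GetRecoveryKey"
                 or ProcessCommandLine contains "manage-bde -protectors"))
// Scenario 2: the scheduled Get-BitLockerVolume check from its known account
| where not(FileName =~ "powershell.exe"
            and ProcessCommandLine contains "Get-BitLockerVolume"
            and AccountName in~ (bitlockerAuditAccounts))
// Scenario 3: update/maintenance processes touching the listed keys inside the window
| where not(FileName in~ (maintenanceProcesses)
            and (ProcessCommandLine contains @"HKLM\Software\Microsoft\Windows\CurrentVersion"
                 or ProcessCommandLine contains @"HKLM\SECURITY")
            and hourofday(Timestamp) between (updateWindowStartHour .. updateWindowEndHour))
// Scenario 4: Local Security Policy (mmc.exe loading secpol.msc) driven by a BitLocker admin
| where not(FileName =~ "mmc.exe"
            and ProcessCommandLine contains "secpol.msc"
            and AccountName in~ (bitlockerAdmins))
// Scenario 5: processes started by the service control manager (services such as
// eventlog or the task scheduler), or a local admin doing configuration work.
// The local-admin carve-out is broad; narrow it by device or change window if you can.
| where not(InitiatingProcessFileName =~ "services.exe"
            or AccountName in~ (localAdmins))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Keep each exclusion as specific as the scenario allows: an exclusion keyed only on an image name such as svchost.exe would also hide a process that was renamed to match, which is why the scenario 3 filter additionally requires the listed registry paths and the update window before a row is dropped.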