
Suspicious Reg Add BitLocker

Sigma · HIGH · SigmaHQ · T1486 · imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-17T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects suspicious additions to BitLocker-related registry keys made via the reg.exe utility.

Detection Rule

Sigma (Original)

title: Suspicious Reg Add BitLocker
id: 0e0255bf-2548-47b8-9582-c0955c9283f5
status: test
description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
references:
    - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
author: frack113
date: 2021-11-15
modified: 2022-09-09
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'REG'
            - 'ADD'
            - '\SOFTWARE\Policies\Microsoft\FVE'
            - '/v'
            - '/f'
        CommandLine|contains:
            - 'EnableBDEWithNoTPM'
            - 'UseAdvancedStartup'
            - 'UseTPM'
            - 'UseTPMKey'
            - 'UseTPMKeyPIN'
            - 'RecoveryKeyMessageSource'
            - 'UseTPMPIN'
            - 'RecoveryKeyMessage'
    condition: selection
falsepositives:
    - Unlikely
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "REG" and TargetProcessCommandLine contains "ADD" and TargetProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\FVE" and TargetProcessCommandLine contains "/v" and TargetProcessCommandLine contains "/f") and (TargetProcessCommandLine contains "EnableBDEWithNoTPM" or TargetProcessCommandLine contains "UseAdvancedStartup" or TargetProcessCommandLine contains "UseTPM" or TargetProcessCommandLine contains "UseTPMKey" or TargetProcessCommandLine contains "UseTPMKeyPIN" or TargetProcessCommandLine contains "RecoveryKeyMessageSource" or TargetProcessCommandLine contains "UseTPMPIN" or TargetProcessCommandLine contains "RecoveryKeyMessage")
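The selection logic above, re-implemented in plain Python and run over constructed process-creation command lines so the rule's behaviour can be checked offline. This is an added example, not code from SigmaHQ or from this feed; the sample events, their ids and the value name OtherPolicyValue are constructed for illustration.

```python
# Added example (not part of the SigmaHQ rule): the rule's `selection` block
# re-implemented in Python and run over constructed command lines.
# Sigma's `contains` modifier and KQL's `contains` operator are both
# case-insensitive, so matching is done on lower-cased strings.

# contains|all: every token must be present.
REQUIRED_ALL = ["REG", "ADD", r"\SOFTWARE\Policies\Microsoft\FVE", "/v", "/f"]
# contains: at least one token must be present. Note that 'UseTPM' already
# subsumes the UseTPM* names and 'RecoveryKeyMessage' subsumes
# 'RecoveryKeyMessageSource'; the longer tokens do not change the result.
REQUIRED_ANY = [
    "EnableBDEWithNoTPM", "UseAdvancedStartup", "UseTPM", "UseTPMKey",
    "UseTPMKeyPIN", "RecoveryKeyMessageSource", "UseTPMPIN", "RecoveryKeyMessage",
]


def matches_bitlocker_reg_add(command_line: str) -> bool:
    """Return True when the command line satisfies the rule's `selection`."""
    cl = command_line.lower()
    has_all = all(tok.lower() in cl for tok in REQUIRED_ALL)
    has_any = any(tok.lower() in cl for tok in REQUIRED_ANY)
    return has_all and has_any


# Constructed sample events (not captured from any real host).
SAMPLE_EVENTS = [
    # Match: FVE policy key, /v, /f and a listed value name are all present.
    {"id": 1, "cmd": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f'},
    # Match: same key, a different listed value name, upper-case verbs.
    {"id": 2, "cmd": r'REG ADD HKLM\SOFTWARE\Policies\Microsoft\FVE /v RecoveryKeyMessage /t REG_SZ /d "text" /f'},
    # No match: the value name (constructed) is not in the `contains` list.
    {"id": 3, "cmd": r'reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v OtherPolicyValue /t REG_DWORD /d 1 /f'},
    # No match: a read (query), not an add, and no /f.
    {"id": 4, "cmd": r'reg query HKLM\SOFTWARE\Policies\Microsoft\FVE /v UseTPM'},
    # No match: /f is missing, and the rule requires it.
    {"id": 5, "cmd": r'reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v UseTPM /t REG_DWORD /d 2'},
]


def alerting_event_ids(events=SAMPLE_EVENTS):
    """Ids of the sample events that would fire this rule."""
    return [e["id"] for e in events if matches_bitlocker_reg_add(e["cmd"])]


if __name__ == "__main__":
    print(alerting_event_ids())  # -> [1, 2]
```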

Required Data Sources

Sentinel Table   | Notes
imProcessCreate  | Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml