Monitor and Hunting BitLocker with Azure Sentinel
The cloud is more secure than the on-premises environment. Still, if you don’t know how to manage the security controls in the cloud, you will find yourself with many security issues, misconfigurations, and gaps. This blog post is all about monitoring and hunting BitLocker with Azure Sentinel.
If you asked an IT admin or security team whether they know what happens with their Windows 10 BitLocker keys on Azure AD devices, and whether those keys are safe, they would probably say that everything is smooth and cool.
Windows 10 BitLocker keys on a cloud device are accessible at the user level and are available to any authorized user who can access and retrieve the keys.
Note: This blog post is all about Azure AD BitLocker and how to monitor and detect key access with Azure Sentinel. A follow-up blog post will provide automation for BitLocker key rotation.
BitLocker & Endpoint Manager
A popular and recommended way for companies of any size to manage devices is through Microsoft Endpoint Manager (Intune). Microsoft Endpoint Manager provides valuable management for any device, whether Windows, macOS, iOS, or other.
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. For example, you can prevent emails from being sent to people outside your organization. Intune also allows people in your organization to use their personal devices for school or work. On personal devices, Intune helps make sure your organization data stays protected and can isolate organization data from personal data.
Besides, Windows 10 contains many great security features that provide protection, such as encryption, network protection, web filtering, DMA protection, attack surface reduction, and much more. One of these security features is BitLocker.
BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.
BitLocker encrypts the disks on the system with a password, a key file from a USB drive, or, most commonly, key material from a TPM. When configured with a TPM, BitLocker decrypts the disk transparently to the user, with no additional prompts, as long as the device’s motherboard and operating system haven’t changed.
This ensures that even if a device is lost or stolen, it isn’t possible to read any of the files on the device without knowing the username and password of a valid user account. In addition, the checks performed by BitLocker protect against an attacker removing the drive and viewing or modifying the files directly.
If this is performed as part of authorized maintenance or troubleshooting, the drive can still be unlocked using a BitLocker Recovery Key.
You can use Endpoint Manager to configure BitLocker Drive Encryption on devices that run Windows 10. BitLocker is available on devices that run Windows 10 or later. Some BitLocker settings require the device to have a supported TPM.
Endpoint Manager provides the ability to save and store BitLocker Recovery Keys in Azure AD and, from there, to manage BitLocker-protected devices. This allows administrators to view Recovery Keys and assist users when they need to recover their devices.
Below are some of the BitLocker options from Endpoint Manager 👇
Microsoft Endpoint Manager (Intune) and Windows 10 support automatic key rollover when a key has been used to unlock or recover a drive. That means the BitLocker key in Azure AD will be automatically replaced with a new key after a successful recovery key usage.
Microsoft Endpoint Manager (Intune) provides access to the Azure AD blade for BitLocker so you can view BitLocker Key ID and BitLocker recovery keys for your Windows 10 devices from within the Microsoft Endpoint Manager admin center.
However, Microsoft also allows any Azure AD authenticated user assigned to a device to view its Recovery Keys. This is a feature of Endpoint Manager that cannot be disabled right now.
TIP: You can disable user access from Endpoint Manager itself, but doing so disables additional features as well.
User Access (my account)
To access the BitLocker keys as a standard Azure AD user, go to the My Account portal at https://myaccount.microsoft.com and open your device.
As you can see, the BitLocker Key ID and the BitLocker recovery key are accessible to the end user, and the portal also allows the user to take actions such as rotating the key.
This feature can be excellent for end users and can even reduce the need for Help Desk assistance in some BitLocker situations. But it also allows an attacker to use this BitLocker key to bypass BitLocker, or allows Intune users to become Local Administrators.
Like any other system, the BitLocker component can be bypassed. Once you’ve got additional information such as BitLocker keys and BitLocker recovery keys, it allows further action in the attack process.
Of course, there’s no quick way to attack and bypass, but it is possible to escalate to Local Administrator once you’ve got the keys, and from there you can read and write files on the disk. Here are some examples:
- Write a DLL to System32 that is loaded by a privileged service
- Replace a service executable
- Rewrite a configuration file for a high privilege program
- Change permissions of sensitive files
- Read and write the SAM file with new users added
Keep in mind that no endpoint protection will be able to protect you from this kind of attack, as someone can trivially turn the endpoint protection off or even modify it in such a way that it looks enabled but is not functioning.
The simulation below shows a simple escalation to Local Administrator, though this is only one possible example of how it could be performed:
- Open the Restart options by holding shift while selecting the restart option.
- Select troubleshoot, advanced options, command prompt, and then reboot to a command prompt.
- Enter the BitLocker recovery key obtained earlier through a user’s My Account portal.
- Replace the GoogleUpdate.exe binary with a malicious version that adds a new Local Administrator user with a known password.
- Exit and continue to Windows 10.
- Wait for GoogleUpdate.exe to execute.
- Open the command prompt and run “net users,” observing the new account has been added successfully.
Monitor BitLocker Changes
Once the end user has access to the BitLocker Key or the BitLocker Recovery Keys, the user can perform many actions, including legitimate ones. However, some of them could be destructive, and of course an adversary could take advantage of these keys to perform bypass activities.
If you’re a blue teamer, you probably want to know how to monitor, audit, and see when the end user accesses the key or, worse, rotates it. For this kind of situation, you can use several tools that provide complete visibility, for example by alerting on and monitoring any action made by the user.
How can you achieve complete visibility into your BitLocker keys and into the end-user actions on them? This can be done via several tools. Here are some of the essential and valuable ones. To gain complete visibility, you need to enable the following audit logs:
Azure AD Audit Logs
Azure AD audit logs provide information about changes applied to your tenant, such as user and group management or updates to your tenant’s resources. BitLocker is one of these resources.
Azure Sentinel can collect Azure AD audit logs and monitor BitLocker activity from an admin and user perspective.
Intune Audit Logs
Intune audit logs include a record of activities that generate a change in Microsoft Intune. Create, update (edit), delete, assign, and remote actions create audit events that administrators can review for most Intune workloads.
Intune audit logs let you investigate the action indirectly; the activity is categorized as decryptcredential ManagedDevice.
TIP: Azure AD-joined and Hybrid-joined devices must have support for key rotation enabled via the BitLocker policy configuration.
Azure Sentinel can collect Intune audit logs and monitor BitLocker activity from an admin and user perspective.
BitLocker Event Logs
BitLocker event logs can be collected from Event Viewer from the sources BitLocker-API and BitLocker-DrivePreparationTool. These logs provide the following:
BitLocker-API – Review the management log, the operational log, and other logs generated in this folder. The default logs have the following unique names:
- Microsoft-Windows-BitLocker-API/BitLocker Operational
- Microsoft-Windows-BitLocker-API/BitLocker Management
BitLocker-DrivePreparationTool – Review the admin log, the operational log, and other logs generated in this folder. The default logs have the following unique names:
Azure Sentinel BitLocker Configuration
With Azure Sentinel, you can collect Azure AD audit logs, Intune audit logs, and BitLocker event logs. Depending on your scenario, the most relevant logs are the Azure AD audit logs; the others, Intune audit logs and BitLocker event logs, aren’t required, but they provide valuable information for monitoring, hunting, and investigation, including automation and reporting.
You can configure all of these logs and stream the information to Azure Sentinel. This can be done via the following instructions.
Azure AD Audit Logs are part of the Azure AD data connector and can be configured from the Azure Sentinel configuration. Make sure to choose the Audit logs type and apply the changes.
Intune Audit Logs are part of Intune reporting and can be configured via the Reports dashboard. From Reports, configure diagnostic settings and choose Audit logs. Once applied, you can query Azure Sentinel for the relevant information.
BitLocker Event Viewer logs need the Azure Sentinel agent on each device and additional settings in the agent configuration for the log type Microsoft-Windows-BitLocker/BitLocker Management. This log is optional and not required in most situations.
Once you’ve got the relevant logs and information, you can run Azure Sentinel queries and investigate BitLocker anomalies and malicious actions.
Monitor and Hunting BitLocker Changes
In this blog post, I stick with the Azure AD audit logs to monitor, investigate, and automate BitLocker actions.
Once the Azure AD data connector sends the information to Azure Sentinel, we can run a few queries to see what we’ve got and whether there are user BitLocker key accesses or rotation changes.
Once the analytics rule has been configured, you can simulate a user action: access the device portal and read the BitLocker key. Once you read the Recovery Key, Azure Sentinel will raise an incident.
Now that we’ve got an incident, we can investigate it and check who touched the BitLocker key, from which IP the user came, and whether there are related IPs or related alerts for these actions.
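As an added example that is not part of the original post, here is one KQL query of the kind the steps above describe: it hunts the Azure AD AuditLogs table for BitLocker recovery key reads, summarizes them per actor and device, correlates the source IP with the actor's own sign-ins, and flags actors who read keys for several devices or from an IP never seen in their sign-ins. The operation name "Read BitLocker key", the category "KeyManagement" and the TargetResources field layout are assumptions to confirm against the events in your own tenant.

```kusto
// Added example, not from the original post: hunt BitLocker key reads in Azure AD audit logs.
// Assumed values (verify in your tenant): OperationName "Read BitLocker key",
// Category "KeyManagement", and the key/device identifier in TargetResources[0].id.
let lookback = 7d;
// Step 1: every successful BitLocker key read, with who did it and from where
let keyReads = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where Category == "KeyManagement"
    | where OperationName =~ "Read BitLocker key"
    | where Result == "success"
    | extend Actor   = tostring(InitiatedBy.user.userPrincipalName),
             ReadIp  = tostring(InitiatedBy.user.ipAddress),
             TargetId = tostring(TargetResources[0].id),
             TargetName = tostring(TargetResources[0].displayName)
    | where isnotempty(Actor);
// Step 2: IPs each actor normally signs in from, used as a baseline for the read IP
let knownIps = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == 0                       // successful interactive sign-ins only
    | summarize KnownSignInIps = make_set(IPAddress) by Actor = UserPrincipalName;
// Step 3: summarize per actor, then enrich and score
keyReads
| summarize Reads = count(),
            FirstRead = min(TimeGenerated),
            LastRead = max(TimeGenerated),
            Targets = make_set(TargetId),
            TargetNames = make_set(TargetName),
            ReadIps = make_set(ReadIp),
            CorrelationIds = make_set(CorrelationId)   // pivot back to the raw events
          by Actor
| join kind=leftouter knownIps on Actor
| extend DistinctTargets = array_length(Targets),
         // an IP that read a key but never completed a sign-in in the window
         UnknownReadIps = set_difference(ReadIps, coalesce(KnownSignInIps, dynamic([])))
| extend ReadFromUnknownIp = array_length(UnknownReadIps) > 0,
         // a normal user only reads keys for their own device(s); many targets is a red flag
         ReadsManyDevices = DistinctTargets > 1
| project-away Actor1
| order by ReadFromUnknownIp desc, DistinctTargets desc, LastRead desc
```

To turn this into the scheduled analytics rule described above, keep the same query and add `| where ReadFromUnknownIp or ReadsManyDevices or Reads > 0` as the alert condition, mapping Actor and ReadIps to the Account and IP entities so the incident shows who touched the key and from where.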