Hunting BitLocker with Microsoft Sentinel

This blog post is all about hunting BitLocker with Microsoft Sentinel. Is the cloud more secure than an on-premises environment? It depends on many things. If you don’t know how to manage the security controls in the cloud, you will end up with many security issues, misconfigurations, and security gaps.

If you asked an IT admin or security team whether they know what happens to their Windows 10/11 #BitLocker keys on Azure AD devices, and whether those keys are safe, they would probably say that everything is smooth and cool.

Windows 10/11 BitLocker keys on a cloud-joined device are accessible at the user level: any authorized user assigned to the device can access and retrieve the keys.

Note: This blog post is all about Azure AD BitLocker and how to monitor and detect key activity with Microsoft Sentinel. The following blog post will cover automation for BitLocker key rotation.

BitLocker & Endpoint Manager

A popular and recommended way to manage devices in companies of any size is Microsoft Endpoint Manager (Intune). Endpoint Manager provides valuable management for any device, whether Windows, macOS, iOS, or other.

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. For example, you can prevent emails from being sent to people outside your organization. Intune also allows people in your organization to use their personal devices for school or work. On personal devices, Intune helps make sure your organization data stays protected and can isolate organization data from personal data.

Source: What is Microsoft Intune – Azure | Microsoft Docs

In addition, Windows 10/11 contains many great security features that provide protection, such as encryption, network protection, web filtering, DMA protection, attack surface reduction, and much more. One of these security features is BitLocker.

BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.

BitLocker encrypts the disks on the system with a password, a file from a USB drive, or, most commonly, key material from a TPM. When configured with a TPM, BitLocker will decrypt the disk transparently to the user, with no additional prompts, as long as the device’s motherboard and operating system haven’t changed.

For example, it ensures that even if a device is lost or stolen, it isn’t possible to read any of the files on the device without knowing the username and password of a valid user account. In addition, the checks performed by BitLocker serve as protection from an attacker removing the drive and viewing or modifying the files directly.

If this is performed as part of authorized maintenance or troubleshooting, the drive can still be unlocked using a BitLocker Recovery Key.

Source: BitLocker (Windows 10) – Microsoft 365 Security | Microsoft Docs

You can use Endpoint Manager to configure BitLocker Drive Encryption on devices that run Windows 10. BitLocker is available on devices that run Windows 10 or later. Some BitLocker settings require the device to have a supported TPM.

BitLocker Keys

Endpoint Manager can save and store BitLocker recovery keys in Azure AD and manage BitLocker devices from there. This allows administrators to view recovery keys and assist users when they need to recover their devices.

Below are some of the BitLocker options from Endpoint Manager 👇

BitLocker options from Endpoint Manager

Microsoft Endpoint Manager (Intune) and Windows 10 support automatic key rollover when a key has been used to unlock or recover a drive. That means the BitLocker key in Azure AD will be automatically replaced with a new key after a successful recovery key usage.

Microsoft Endpoint Manager (Intune) provides access to the Azure AD blade for BitLocker so you can view BitLocker Key ID and BitLocker recovery keys for your Windows 10 devices from within the Microsoft Endpoint Manager admin center.

However, Microsoft also allows any Azure AD authenticated user assigned to a device to view its Recovery Keys. This is a feature of Endpoint Manager that cannot be disabled right now.

TIP: You can disable this access for users from Endpoint Manager itself, but doing so disables additional features as well.

User Access (my account)

To access the BitLocker keys as a standard Azure AD user, you can go to the portal below and open your device. The portal is

BitLocker keys from a standard Azure AD user

As you can see, the BitLocker key ID and the BitLocker recovery key are accessible to the end user, and the portal also lets the user take actions such as rotating the key.

This feature can be excellent for end users and can even reduce the Help Desk workload in some BitLocker assistance situations. But it also allows an attacker to use this BitLocker key to bypass BitLocker, or allows Intune users to become Local Administrators.

Bypass BitLocker

Like any other system, the BitLocker component can be bypassed. Once you have additional information, such as BitLocker key IDs and BitLocker recovery keys, it lets you take further steps in the attack process.

Of course, there is no quick way to attack and bypass it, but it is possible to escalate to Local Administrator once you have the keys, and from there you can read and write files on the disk. Here are some examples:

  • Write a DLL to System32 that is loaded by a privileged service
  • Replace a service executable
  • Rewrite a configuration file for a high privilege program
  • Change permissions of sensitive files
  • Read and write a SAM file with new users added

Keep in mind that no endpoint protection will be able to protect you from this kind of attack, as someone can trivially turn the endpoint protection off or even modify it in such a way that it looks enabled but is not functioning.

This simulation shows a simple escalation to a Local Administrator, though this is only one possible example of how it could be performed:

  • Open the Restart options by holding shift while selecting the restart option.
  • Select troubleshoot, advanced options, command prompt, and then reboot to a command prompt.
  • Enter the BitLocker recovery key obtained earlier through a user’s My Account portal.
  • Replace the GoogleUpdate.exe binary with a malicious version that adds a new Local Administrator user with a known password.
  • Exit and continue to Windows 10.
  • Wait for GoogleUpdate.exe to execute.
  • Open the command prompt and run “net users”, observing that the new account has been added successfully.

Monitor BitLocker Changes

Once end users have access to the BitLocker key or the BitLocker recovery keys, they can perform many actions, including legitimate ones. However, some of those actions could be destructive, and of course an adversary could take advantage of these keys to perform bypass activities.

If you are a blue teamer, you probably want to know how to monitor, audit, and see when an end user accesses the key or, worse, rotates it. For this kind of situation you can use several tools that provide complete visibility, for example alerting on and monitoring any action made by the user.

How can you achieve complete visibility into BitLocker and deep visibility into end-user actions? This can be done via several tools. Here are some of the essential and valuable ones. To gain complete visibility, you need to enable the following audit logs:

Azure AD Audit Logs

Azure AD audit logs provide information about changes applied to your tenants, such as users and group management, or updates to your tenant’s resources. BitLocker is one of these resources.

Azure AD Audit Logs

Microsoft Sentinel can collect Azure AD audit logs and monitor BitLocker activity from an admin and user perspective.

Intune Audit Logs include a record of activities that generate a change in Microsoft Intune. Create, update (edit), delete, assign, and remote actions create audit events administrators can review for most Intune workloads.

Intune audit logs let you investigate the action indirectly; the information is categorized as decryptcredential ManagedDevice.

Intune Audit Logs

TIP: Azure AD-joined and Hybrid-joined devices must have key rotation enabled via the BitLocker policy configuration.

Microsoft Sentinel can collect Intune audit logs and monitor BitLocker activity from an admin and user perspective.

BitLocker Event Logs: you can collect more logs from Event Viewer with the sources BitLocker-API and BitLocker-DrivePreparationTool. These logs provide

BitLocker-API – Review the management log, the operational log, and other logs generated in this folder. The default logs have the following unique names:

  • Microsoft-Windows-BitLocker-API/BitLocker Operational
  • Microsoft-Windows-BitLocker-API/BitLocker Management

BitLocker-DrivePreparationTool – Review the admin log, the operational log, and other logs generated in this folder. The default logs have the following unique names:

  • Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
  • Microsoft-Windows-BitLocker-DrivePreparationTool/Admin

Microsoft Sentinel BitLocker Configuration

With Microsoft Sentinel, you can collect Azure AD audit logs, Intune audit logs, and BitLocker event logs. Depending on your scenario, the most relevant are the Azure AD audit logs; the others (Intune audit logs and BitLocker event logs) are not required, but they provide valuable information for monitoring, hunting, and investigation, including automation and reporting.

You can configure all of these logs and stream the information to Microsoft Sentinel. This can be done via the following instructions.

Azure AD audit logs are part of the Azure AD data connector and can be configured from the Microsoft Sentinel configuration. Make sure to select the Audit logs type and apply the changes.

Intune audit logs are part of Intune reporting and can be configured via the Reports dashboard. You need to configure diagnostic settings from Reports and choose Audit logs. Once applied, you can query Microsoft Sentinel for the relevant information.

BitLocker Event Viewer logs need the Microsoft Sentinel agent on each device and additional settings in the agent configuration for the log type Microsoft-Windows-BitLocker/BitLocker Management. This log is optional and not required in most situations.

Once you have the relevant logs and information, you can run Microsoft Sentinel queries to investigate BitLocker anomalies and malicious actions.

Monitoring and Hunting BitLocker Changes

In this blog post I stick with the Azure AD audit logs to monitor, investigate, and automate BitLocker actions.

Once the Azure AD data connector sends the information to Microsoft Sentinel, we can run a few queries to see what we have and whether there are user BitLocker access and rotation changes.

Hunting BitLocker with Microsoft Sentinel

Once the analytics rule has been configured, you can simulate a user action: access the device portal and read the BitLocker key. Once you read the recovery key, Microsoft Sentinel will raise an incident.

Now that we have an incident, we can investigate it and check who touched the BitLocker key, from which IP the user came, and whether there are related IPs or related alerts for these actions.
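The two steps above (hunting for BitLocker key reads in the Azure AD audit logs, then checking where the user came from) can be combined in one KQL query. The query below is an added example, not one from the original post, and it assumes the Azure AD data connector streams Audit logs into the AuditLogs table, that BitLocker reads are logged under Category "KeyManagement" with an OperationName containing "BitLocker" (such as "Read BitLocker key"), and that SigninLogs is also collected; confirm the exact OperationName values in your own tenant before turning it into an analytics rule.

```kql
// Added example (not from the original post). Assumptions: Azure AD Audit logs
// land in AuditLogs, BitLocker reads have Category "KeyManagement" and an
// OperationName containing "BitLocker", and SigninLogs is collected.
// Check the operation names in your tenant first with:
//   AuditLogs | where OperationName has "BitLocker" | distinct Category, OperationName
let lookback = 14d;
let bitlockerReads =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where Category == "KeyManagement" and OperationName has "BitLocker"
    // InitiatedBy carries the acting user and the IP the portal request came from
    | extend Actor      = tostring(InitiatedBy.user.userPrincipalName),
             ActorIp    = tostring(InitiatedBy.user.ipAddress),
             TargetId   = tostring(TargetResources[0].id),
             TargetType = tostring(TargetResources[0].type)
    | project TimeGenerated, OperationName, Result, Actor, ActorIp,
              TargetId, TargetType, CorrelationId;
// Successful sign-ins per user and IP, used to tell a known location from a new one
let knownSignIns =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SignIns = count(),
                Countries = make_set(tostring(LocationDetails.countryOrRegion))
      by UserPrincipalName, IPAddress;
bitlockerReads
| join kind=leftouter knownSignIns
    on $left.Actor == $right.UserPrincipalName, $left.ActorIp == $right.IPAddress
| extend IpSeenInSignIns = isnotempty(UserPrincipalName)
// Per-actor view: one read of your own recovery key is routine; many distinct
// keys read by one account, or reads from an IP with no sign-in history, is
// the pattern an analyst wants surfaced as an incident.
| summarize Reads = count(),
            DistinctKeys = dcount(TargetId),
            SourceIps = make_set(ActorIp),
            UnknownIpReads = countif(not(IpSeenInSignIns)),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
      by Actor, OperationName
| order by DistinctKeys desc, UnknownIpReads desc
```

For a scheduled analytics rule that maps Account and IP entities, drop the final summarize and keep the per-event rows (Actor, ActorIp, TargetId); the summarized form is the hunting view, where a single account reading many distinct keys or reading from an IP that never signed in stands out at the top.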

More Microsoft Sentinel stuff @ MISCONFIG

Microsoft Sentinel 4 SecOps @ GitHub
