Merge pull request #959 from nterl0k/nterl0k-t1486-bitlocker-sus-commands

patel-bhavin · web-flow · commit 25f68244729d · 2025-02-18T17:22:25.000-08:00
Nterl0k - T1486 BitLocker Suspicious Commands
diff --git a/datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands.log b/datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9e1e4b875d2ae27e4b2c99e6403cf2f642d087f415af2a06c0b63e0556110002
+size 2002
diff --git a/datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands.yml b/datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands.yml
@@ -0,0 +1,14 @@
+author: Steven Dick
+id: 2cf75567-0739-4cd2-8d83-fd5c0177045e
+date: '2025-02-10'
+description: 'A sample event with a known abusedd manage-bde command.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://attack.mitre.org/techniques/T1486/
+- https://www.nccgroup.com/us/research-blog/nameless-and-shameless-ransomware-encryption-via-bitlocker/
+- https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
+- https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:9e1e4b875d2ae27e4b2c99e6403cf2f642d087f415af2a06c0b63e0556110002`
	`3`	`+size 2002`