{
"dataset": {
"name": "EID Quick Reference - BitLocker",
"version": "1.2.0",
"generatedAt": "2026-04-12T00:00:00Z",
"id": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/bitlocker.json",
"schema": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/schema.json",
"license": {
"name": "Creative Commons Attribution 4.0 International",
"spdx": "CC-BY-4.0",
"notice": "Event descriptions are paraphrased summaries written for this dataset. Source links point to authoritative references."
},
"sources": [
{
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/",
"type": "primary"
}
]
},
"entries": [
{
"id": 770,
"log": "BitLocker",
"provider": "Microsoft-Windows-BitLocker-API",
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"level": "Information",
"title": "BitLocker Drive Encryption was enabled on a volume",
"summary": "BitLocker Drive Encryption was enabled on a volume.",
"details": "Generated when BitLocker Drive Encryption is successfully enabled on a drive volume. Some intrusion sets have abused BitLocker itself as the ransomware encryption engine, enabling it on every volume with attacker-controlled protectors so that Windows' own trusted encryption does the work and no third-party encryptor has to be dropped. Enablement on a large number of machines in a short window, or on hosts that were previously unencrypted, is a strong detonation indicator. The specific families involved change over time, so verify any attribution against current threat intelligence rather than this dataset.",
"prerequisites": [
{
"type": "log-enablement",
"description": "Verify that the BitLocker Management channel is enabled (it is enabled by default on most supported builds; confirm with: wevtutil gl \"Microsoft-Windows-BitLocker/BitLocker Management\") and, more importantly, that your log collector actually forwards this channel — it is not part of the default Security/System/Application set. To force-enable: wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q",
"command": "wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q"
}
],
"category": "BitLocker / Drive Encryption",
"tags": [
"bitlocker",
"encryption-enabled",
"drive-encryption",
"ransomware",
"impact"
],
"relatedEventIds": [
{
"id": 771,
"log": "BitLocker"
},
{
"id": 776,
"log": "BitLocker"
},
{
"id": 524,
"log": "System"
},
{
"id": 4719,
"log": "Security"
}
],
"mitreAttack": [
{
"techniqueId": "T1486",
"techniqueName": "Data Encrypted for Impact",
"tactics": [
{
"tacticId": "TA0040",
"tacticName": "Impact"
}
]
},
{
"techniqueId": "T1490",
"techniqueName": "Inhibit System Recovery",
"tactics": [
{
"tacticId": "TA0040",
"tacticName": "Impact"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Enablement on multiple machines in a short window (many EID 770 events across hosts) is a ransomware detonation signature",
"Enablement outside change management windows or by non-standard accounts should be investigated — these events do not carry a SubjectUserName field, so pivot on the user SID in the event's System/Security element (when populated) and on EDR process telemetry (manage-bde.exe, Enable-BitLocker, WMI Win32_EncryptableVolume calls) to attribute the action",
"VolumeType indicating data drives on servers (especially backup servers or file servers) is highest priority",
"Correlate with EID 524 (Volume Shadow Copy deletion) and Windows Event 7036 for Volume Shadow Copy Service stopping — these are common ransomware preparation steps preceding BitLocker enablement"
],
"commonFalsePositives": [
"Authorized BitLocker deployment by IT/security teams as part of endpoint hardening",
"New machine provisioning with BitLocker enabled during device setup"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "VolumeName",
"xpath": "EventData/Data[@Name='VolumeName']",
"description": "Drive letter or volume label being encrypted"
},
{
"name": "VolumeType",
"xpath": "EventData/Data[@Name='VolumeType']",
"description": "Type of volume: operating system drive, fixed data drive, or removable"
}
],
"lastReviewed": "2026-04-12"
},
{
"id": 771,
"log": "BitLocker",
"provider": "Microsoft-Windows-BitLocker-API",
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"level": "Information",
"title": "BitLocker Drive Encryption was disabled on a volume",
"summary": "BitLocker Drive Encryption was disabled on a volume.",
"details": "Generated when BitLocker is fully disabled and the volume is decrypted. Disablement removes at-rest protection for the affected volume. Note that file-encrypting ransomware does not need BitLocker disabled — an unlocked BitLocker volume is transparently readable and writable — so treat this event less as a required precursor and more as a deliberate reduction of protection: before physical theft or offline tampering, before re-enabling BitLocker with attacker-controlled protectors, or as part of broader defense degradation. Attribution of this pattern to specific ransomware families should be checked against current threat intelligence rather than assumed. Contrast with EID 773: removing protectors leaves the data encrypted but potentially unrecoverable, whereas 771 decrypts it; the two are different actions with different end states.",
"prerequisites": [
{
"type": "log-enablement",
"description": "Verify that the BitLocker Management channel is enabled (it is enabled by default on most supported builds; confirm with: wevtutil gl \"Microsoft-Windows-BitLocker/BitLocker Management\") and, more importantly, that your log collector actually forwards this channel — it is not part of the default Security/System/Application set. To force-enable: wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q",
"command": "wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q"
}
],
"category": "BitLocker / Drive Encryption",
"tags": [
"bitlocker",
"encryption-disabled",
"ransomware",
"defense-evasion",
"impact"
],
"relatedEventIds": [
{
"id": 770,
"log": "BitLocker"
},
{
"id": 773,
"log": "BitLocker"
},
{
"id": 776,
"log": "BitLocker"
}
],
"mitreAttack": [
{
"techniqueId": "T1486",
"techniqueName": "Data Encrypted for Impact",
"tactics": [
{
"tacticId": "TA0040",
"tacticName": "Impact"
}
]
},
{
"techniqueId": "T1490",
"techniqueName": "Inhibit System Recovery",
"tactics": [
{
"tacticId": "TA0040",
"tacticName": "Impact"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Any disablement event outside a documented change management action should be treated as critical",
"Disablement followed within minutes by high disk I/O or new suspicious processes is a ransomware pre-staging indicator — pull EDR telemetry immediately",
"Disablement on backup servers or file servers is highest priority — these are primary ransomware targets",
"Correlate with EID 773 (key protector removed) — removing protectors leaves the data encrypted but unrecoverable, whereas 771 decrypts it; both reduce the defender's options and may appear in the same intrusion, so neither should be triaged in isolation"
],
"commonFalsePositives": [
"Authorized decryption for hardware refresh, disk replacement, or before decommissioning a machine",
"BitLocker management tooling decrypting volumes as part of a policy change"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/"
},
"volumeIndicator": "rare",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "VolumeName",
"xpath": "EventData/Data[@Name='VolumeName']",
"description": "Volume on which BitLocker was disabled"
},
{
"name": "DriveType",
"xpath": "EventData/Data[@Name='DriveType']",
"description": "Type of drive (fixed, removable)"
}
],
"detectionRules": [
{
"platform": "KQL",
"title": "BitLocker Disabled — Ransomware Pre-Staging Indicator",
"rule": "Event\n| where Source == \"Microsoft-Windows-BitLocker-API\"\n| where EventID == 771\n| project TimeGenerated, Computer, RenderedDescription, ParameterXml\n| extend Severity = \"HIGH - BitLocker disabled; investigate for ransomware pre-staging\"",
"notes": "Any disable event outside a documented change window is high priority. Alert immediately. The legacy Event table only contains this channel if the data collection rule explicitly adds \"Microsoft-Windows-BitLocker/BitLocker Management\"; event-data fields such as VolumeName are not first-class columns and must be parsed from ParameterXml/EventData. The provider for this event is Microsoft-Windows-BitLocker-API (the DrivePreparationTool provider belongs to BdeHdCfg and is unrelated)."
},
{
"platform": "Splunk",
"title": "BitLocker Drive Encryption Disabled",
"rule": "index=wineventlog EventCode=771 sourcetype=\"XmlWinEventLog:Microsoft-Windows-BitLocker/BitLocker Management\"\n| table _time, Volume_Name, Drive_Type, host\n| eval alert=\"HIGH - Potential ransomware pre-staging\"",
"notes": "Monitor the BitLocker Management channel. Any disable event should trigger immediate investigation. Note: newer versions of the Splunk Add-on for Windows set sourcetype=XmlWinEventLog and carry the channel name in the source field, and the extracted field names (Volume_Name vs VolumeName) depend on the add-on version and rendering — adjust the sourcetype/source filter and the table fields to match your environment before deploying."
},
{
"platform": "Sigma",
"title": "BitLocker Drive Encryption Disabled",
"rule": "title: BitLocker Drive Encryption Disabled\nstatus: stable\nlogsource:\n product: windows\n service: bitlocker\ndetection:\n selection:\n EventID: 771\ncondition: selection\nfalsepositives:\n - Authorized BitLocker management during change windows\n - Drive decommissioning procedures\nlevel: high",
"notes": "Low-noise rule in environments with BitLocker policy enforced (authorized decrypts for hardware refresh or decommissioning are the main source of benign hits). Any occurrence outside change management should page the incident response team."
}
],
"lastReviewed": "2026-04-12"
},
{
"id": 773,
"log": "BitLocker",
"provider": "Microsoft-Windows-BitLocker-API",
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"level": "Information",
"title": "A BitLocker key protector was removed from a volume",
"summary": "A BitLocker key protector (TPM, password, or recovery key) was removed from an encrypted volume.",
"details": "Generated when a key protector is removed from a BitLocker-encrypted volume. BitLocker volumes can have multiple key protectors: TPM, TPM+PIN, TPM+startup key, password, recovery password (48-digit numerical key), recovery key file, and certificate/data-recovery-agent. Removing every protector from a volume that is still encrypted can leave it unrecoverable once it locks (for example after the next reboot); confirm the volume's resulting protection state with manage-bde -status while it is still unlocked rather than assuming. Removing the recovery password/key specifically eliminates the IT recovery path if the primary (e.g. TPM) protector later fails or is changed.",
"prerequisites": [
{
"type": "log-enablement",
"description": "Verify that the BitLocker Management channel is enabled (it is enabled by default on most supported builds; confirm with: wevtutil gl \"Microsoft-Windows-BitLocker/BitLocker Management\") and, more importantly, that your log collector actually forwards this channel — it is not part of the default Security/System/Application set. To force-enable: wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q",
"command": "wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q"
}
],
"category": "BitLocker / Drive Encryption",
"tags": [
"bitlocker",
"key-protector",
"tpm",
"recovery-key",
"defense-evasion"
],
"relatedEventIds": [
{
"id": 771,
"log": "BitLocker"
},
{
"id": 774,
"log": "BitLocker"
},
{
"id": 775,
"log": "BitLocker"
}
],
"mitreAttack": [
{
"techniqueId": "T1490",
"techniqueName": "Inhibit System Recovery",
"tactics": [
{
"tacticId": "TA0040",
"tacticName": "Impact"
}
]
},
{
"techniqueId": "T1486",
"techniqueName": "Data Encrypted for Impact",
"tactics": [
{
"tacticId": "TA0040",
"tacticName": "Impact"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Removal of all protectors from a volume (multiple 773 events for the same volume in sequence) can leave the volume unrecoverable once it locks — treat as a critical alert and verify the protection state with manage-bde -status immediately, while the volume is still unlocked and a protector can still be re-added",
"KeyProtectorType = recovery password or recovery key removal specifically targets disaster recovery capability",
"OS drive protector removal is highest severity — it will prevent the machine from booting after next reboot",
"Correlate with EID 774 (backup failure) — an attacker may remove protectors AND ensure AD backup fails to prevent recovery from domain-stored keys"
],
"commonFalsePositives": [
"IT removing the recovery password protector before re-keying and adding a new one as part of key rotation policy",
"BitLocker management software removing and re-adding protectors during policy enforcement"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/"
},
"volumeIndicator": "rare",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "VolumeName",
"xpath": "EventData/Data[@Name='VolumeName']",
"description": "Volume from which the key protector was removed"
},
{
"name": "KeyProtectorType",
"xpath": "EventData/Data[@Name='KeyProtectorType']",
"description": "Type of key protector removed (TPM, password, recovery password, recovery key)"
}
],
"lastReviewed": "2026-04-12"
},
{
"id": 774,
"log": "BitLocker",
"provider": "Microsoft-Windows-BitLocker-API",
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"level": "Warning",
"title": "BitLocker Drive Encryption failed to back up recovery information to Active Directory",
"summary": "BitLocker failed to back up recovery information to Active Directory.",
"details": "Generated when BitLocker attempts to back up recovery keys or TPM owner information to Active Directory and fails. In well-managed environments with the GPO 'Do not enable BitLocker until recovery information is stored to AD DS' configured, this failure would block BitLocker enablement. In environments without this strict policy, the failure is logged but BitLocker proceeds. The absence of a domain-stored recovery key leaves no domain-side recovery path if the primary protector fails.",
"prerequisites": [
{
"type": "log-enablement",
"description": "Verify that the BitLocker Management channel is enabled (it is enabled by default on most supported builds; confirm with: wevtutil gl \"Microsoft-Windows-BitLocker/BitLocker Management\") and, more importantly, that your log collector actually forwards this channel — it is not part of the default Security/System/Application set. To force-enable: wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q",
"command": "wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q"
}
],
"category": "BitLocker / Drive Encryption",
"tags": [
"bitlocker",
"recovery-key",
"ad-backup",
"backup-failure"
],
"relatedEventIds": [
{
"id": 775,
"log": "BitLocker"
},
{
"id": 770,
"log": "BitLocker"
},
{
"id": 773,
"log": "BitLocker"
}
],
"mitreAttack": [
{
"techniqueId": "T1490",
"techniqueName": "Inhibit System Recovery",
"tactics": [
{
"tacticId": "TA0040",
"tacticName": "Impact"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"774 events coinciding with 770 (BitLocker enabled) during an attack timeline may indicate an attacker enabling encryption while ensuring no AD recovery path exists — but transient network failures produce the same pair, so corroborate with the FailureReason field and DC reachability before escalating",
"Check DC reachability from the affected machine at the time of the event — deliberate network isolation is a ransomware pre-staging technique",
"Verify whether the GPO requiring AD backup before enablement is configured — if yes, BitLocker should not have been enabled; if it was, investigate how the policy was bypassed"
],
"commonFalsePositives": [
"Domain-joined machines that are temporarily off-network (VPN not connected, laptop in transit) when BitLocker attempts AD backup during setup",
"AD replication delays or DC unavailability causing transient backup failures that self-resolve"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "VolumeName",
"xpath": "EventData/Data[@Name='VolumeName']",
"description": "Volume for which recovery information backup to AD failed"
},
{
"name": "FailureReason",
"xpath": "EventData/Data[@Name='FailureReason']",
"description": "Reason the AD backup failed (network, permission, or AD object error)"
}
],
"lastReviewed": "2026-04-12"
},
{
"id": 775,
"log": "BitLocker",
"provider": "Microsoft-Windows-BitLocker-API",
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"level": "Information",
"title": "BitLocker Drive Encryption successfully backed up recovery information to Active Directory",
"summary": "BitLocker successfully backed up recovery information to Active Directory.",
"details": "Generated when BitLocker successfully stores recovery key or TPM owner information in Active Directory, as an msFVE-RecoveryInformation child object of the computer account. By default only highly privileged principals (e.g. Domain Admins) and explicitly delegated accounts can read these objects, so audit that delegation as part of tiering reviews. Adversaries who obtain equivalent access (Domain Admin compromise, or replication rights used for DCSync, which returns object attributes regardless of read ACLs) can harvest recovery passwords for later offline access to encrypted volumes.",
"prerequisites": [
{
"type": "log-enablement",
"description": "Verify that the BitLocker Management channel is enabled (it is enabled by default on most supported builds; confirm with: wevtutil gl \"Microsoft-Windows-BitLocker/BitLocker Management\") and, more importantly, that your log collector actually forwards this channel — it is not part of the default Security/System/Application set. To force-enable: wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q",
"command": "wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q"
}
],
"category": "BitLocker / Drive Encryption",
"tags": [
"bitlocker",
"recovery-key",
"ad-backup",
"credential-access"
],
"relatedEventIds": [
{
"id": 774,
"log": "BitLocker"
},
{
"id": 770,
"log": "BitLocker"
},
{
"id": 4662,
"log": "Security"
}
],
"mitreAttack": [
{
"techniqueId": "T1552",
"techniqueName": "Unsecured Credentials",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
}
]
},
{
"techniqueId": "T1555",
"techniqueName": "Credentials from Password Stores",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Correlate with EID 4662 (DS object access) on domain controllers for reads of msFVE-RecoveryInformation objects — this requires the Audit Directory Service Access subcategory to be enabled AND a SACL auditing Read Property on those objects (or inherited from the parent computer objects); without the SACL no 4662 is produced. DCSync-style retrieval does not generate a per-object 4662 — hunt for 4662 carrying the Replicating Directory Changes control-access rights instead",
"New 775 events for machines that have been encrypted for a long time (not new enrollments) may indicate an attacker forcing a new key backup after modifying the key",
"Bulk 775 events across many machines in a short window may indicate BitLocker management tooling performing mass re-keying, or an attacker forcing recovery key rotation"
],
"commonFalsePositives": [
"Normal BitLocker deployment — this event is expected during initial BitLocker setup on domain-joined machines",
"Periodic key rotation as part of BitLocker management policy"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "VolumeName",
"xpath": "EventData/Data[@Name='VolumeName']",
"description": "Volume for which recovery information was backed up to AD"
}
],
"lastReviewed": "2026-04-12"
},
{
"id": 776,
"log": "BitLocker",
"provider": "Microsoft-Windows-BitLocker-API",
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"level": "Information",
"title": "BitLocker Drive Encryption was suspended on a volume",
"summary": "BitLocker Drive Encryption was suspended on a volume.",
"details": "Generated when BitLocker is suspended on an encrypted volume. Suspension differs from disablement: the data stays encrypted on disk, but BitLocker adds a clear-key protector — the volume master key (VMK) is stored in the volume metadata without TPM/PIN/password protection — so the volume unlocks automatically with no authentication. IT uses this for firmware/BIOS, TPM or boot-configuration updates that would otherwise trigger recovery mode on the next boot. While suspended the volume is effectively unprotected at rest (anyone with the disk can read it), and because normal operation continues without interruption, suspension is a quieter way to strip protection than a full decrypt.",
"prerequisites": [
{
"type": "log-enablement",
"description": "Verify that the BitLocker Management channel is enabled (it is enabled by default on most supported builds; confirm with: wevtutil gl \"Microsoft-Windows-BitLocker/BitLocker Management\") and, more importantly, that your log collector actually forwards this channel — it is not part of the default Security/System/Application set. To force-enable: wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q",
"command": "wevtutil sl \"Microsoft-Windows-BitLocker/BitLocker Management\" /e:true /q"
}
],
"category": "BitLocker / Drive Encryption",
"tags": [
"bitlocker",
"encryption-suspended",
"ransomware",
"defense-evasion",
"impact"
],
"relatedEventIds": [
{
"id": 771,
"log": "BitLocker"
},
{
"id": 770,
"log": "BitLocker"
},
{
"id": 773,
"log": "BitLocker"
}
],
"mitreAttack": [
{
"techniqueId": "T1486",
"techniqueName": "Data Encrypted for Impact",
"tactics": [
{
"tacticId": "TA0040",
"tacticName": "Impact"
}
]
},
{
"techniqueId": "T1490",
"techniqueName": "Inhibit System Recovery",
"tactics": [
{
"tacticId": "TA0040",
"tacticName": "Impact"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Suspension outside a documented firmware update or IT maintenance window should be treated as suspicious",
"Suspension on servers (especially file/backup servers) rather than workstations during update windows is anomalous",
"Suspension followed by high disk I/O or new process activity (EDR telemetry) within minutes indicates ransomware or data exfiltration leveraging the unprotected state",
"Check whether suspension was followed by a reboot and whether protection actually resumed — Suspend-BitLocker typically defaults to resuming after one reboot, but a RebootCount of 0 (and, on many builds, manage-bde -protectors -disable without -RebootCount) suspends indefinitely; confirm with manage-bde -status, and treat persistent suspension as higher severity"
],
"commonFalsePositives": [
"Authorized suspension during BIOS/UEFI firmware updates that require BitLocker to be suspended to avoid recovery mode on next boot",
"IT management tooling temporarily suspending BitLocker during Windows feature updates on managed endpoints"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/"
},
"volumeIndicator": "rare",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "VolumeName",
"xpath": "EventData/Data[@Name='VolumeName']",
"description": "Volume on which BitLocker was suspended"
},
{
"name": "DriveType",
"xpath": "EventData/Data[@Name='DriveType']",
"description": "Type of drive; system volume suspension is the most impactful"
}
],
"detectionRules": [
{
"platform": "KQL",
"title": "BitLocker Suspended — Ransomware Pre-Staging Indicator",
"rule": "Event\n| where Source == \"Microsoft-Windows-BitLocker-API\"\n| where EventID == 776\n| project TimeGenerated, Computer, RenderedDescription, ParameterXml\n| extend Severity = \"HIGH - BitLocker suspended; investigate for ransomware pre-staging\"",
"notes": "BitLocker suspension removes key protection for the volume. An attacker may suspend to leave the disk readable offline or to avoid recovery prompts after tampering with boot configuration. Correlate with EID 771 (disable) and process creation events. The legacy Event table only contains this channel if the data collection rule explicitly adds \"Microsoft-Windows-BitLocker/BitLocker Management\"; event-data fields such as VolumeName are not first-class columns and must be parsed from ParameterXml/EventData."
},
{
"platform": "Splunk",
"title": "BitLocker Drive Encryption Suspended",
"rule": "index=wineventlog EventCode=776 sourcetype=\"XmlWinEventLog:Microsoft-Windows-BitLocker/BitLocker Management\"\n| table _time, Volume_Name, Drive_Type, host\n| eval alert=\"HIGH - BitLocker suspended\"",
"notes": "Suspension can precede either a full decrypt (771) or attacker activity that relies on the unprotected state. Monitor for follow-on events. Note: newer versions of the Splunk Add-on for Windows set sourcetype=XmlWinEventLog and carry the channel name in the source field, and field names (Volume_Name vs VolumeName) depend on the extraction — adjust the filter and table fields to match your environment before deploying."
},
{
"platform": "Sigma",
"title": "BitLocker Drive Encryption Suspended",
"rule": "title: BitLocker Drive Encryption Suspended\nstatus: stable\nlogsource:\n product: windows\n service: bitlocker\ndetection:\n selection:\n EventID: 776\ncondition: selection\nfalsepositives:\n - Authorized BitLocker management (BIOS updates, TPM operations)\n - IT administrative operations\nlevel: high",
"notes": "Correlate with EID 771 (disable) and endpoint process events for ransomware pre-staging chain detection."
}
],
"lastReviewed": "2026-04-12"
}
]
}