From 387a52c6d85b09d11b9c73cb1257e408deba1e89 Mon Sep 17 00:00:00 2001
From: ali AtashGar
Date: Tue, 25 Nov 2025 22:37:08 +0000
Subject: [PATCH 1/6] Add dataset for T1546.015 BitLocker COM Hijacking lateral movement
---
 .../bitlocker_com_hijacking/.gitattributes | 1 +
 .../bitlocker_com_hijacking.yml | 23 +++++++++++++++++++
 .../windows-security.log | 3 +++
 .../windows-system.log | 3 +++
 4 files changed, 30 insertions(+)
 create mode 100644 datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/.gitattributes
 create mode 100644 datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
 create mode 100644 datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
 create mode 100644 datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/.gitattributes b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/.gitattributes
new file mode 100644
index 000000000..9d4b5349c
--- /dev/null
+++ b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/.gitattributes
@@ -0,0 +1 @@
+*.log filter=lfs diff=lfs merge=lfs -text
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
new file mode 100644
index 000000000..d21a310cb
--- /dev/null
+++ b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
@@ -0,0 +1,23 @@
+---
+name: BitLocker COM Hijacking Lateral Movement
+id: b8f4c2a1-9e7d-4f3b-8a1c-5d9e7f2b6a3e
+version: 1
+date: '2025-11-25'
+author: Ali Atashgar (AAtashGar)
+type: dataset
+description: Simulated Windows Security and System events demonstrating the
+  BitLocker Network Unlock COM Object Hijacking lateral movement technique
+  (T1574.015 / T1546.015) using RemoteRegistry service enablement, HKCU CLSID
+  manipulation, and execution via baaupdate.exe or BdeUISrv.exe.
+references:
+  - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
+  - https://github.com/rtecCyberSec/BitlockMove
+attack_data:
+  - file_name: windows-security.log
+    data: datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
+    source: WinEventLog:Security
+    sourcetype: WinEventLog:Security
+  - file_name: windows-system.log
+    data: datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
+    source: WinEventLog:System
+    sourcetype: WinEventLog:System
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
new file mode 100644
index 000000000..1466f516a
--- /dev/null
+++ b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a9cf4b18a6383c2baefec1bfab29f561bb3055d2dba9df3062f3f97a81def33
+size 7003
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
new file mode 100644
index 000000000..bcf004e8b
--- /dev/null
+++ b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:52199fd95101d48968b9683959cd06e894d23f036480253c13862589222c182f
+size 1058
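Review bot: The `description` cites two technique IDs, `(T1574.015 / T1546.015)`, while the dataset is filed and named only under `T1546.015`; if the second mapping is intended it should also appear in the metadata, otherwise drop it from the description so detections built on this dataset are tagged consistently. Because both log files land as Git LFS pointers, nothing in this diff shows what the simulated data actually contains; it would help detection authors if `description` listed which Event IDs and which host/user names are present (presumably the System service start-type/state change for RemoteRegistry, a Security registry-modification event for the HKCU CLSID write, and process-creation events for baaupdate.exe / BdeUISrv.exe — worth confirming against the blob). `sourcetype: WinEventLog:Security` also implies classic-rendered events; if the file is XML-rendered the sourcetype should say so.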
From bf2d87ee518442b76b24b4cc63c3afa3f0b95f04 Mon Sep 17 00:00:00 2001
From: ali AtashGar
Date: Tue, 25 Nov 2025 23:38:49 +0000
Subject: [PATCH 2/6] fix: update dataset
---
 .../bitlocker_com_hijacking.yml | 18 ++++++++++++------
 .../windows-security.log | 4 ++--
 .../bitlocker_com_hijacking/windows-system.log | 4 ++--
 3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
index d21a310cb..badcedc78 100644
--- a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
+++ b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
@@ -9,15 +9,21 @@ description: Simulated Windows Security and System events demonstrating the
   BitLocker Network Unlock COM Object Hijacking lateral movement technique
   (T1574.015 / T1546.015) using RemoteRegistry service enablement, HKCU CLSID
   manipulation, and execution via baaupdate.exe or BdeUISrv.exe.
+environment: NA
+directory: bitlocker_com_hijacking
+mitre_technique:
+  - T1546.015
 references:
   - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
   - https://github.com/rtecCyberSec/BitlockMove
 attack_data:
   - file_name: windows-security.log
-    data: datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
-    source: WinEventLog:Security
-    sourcetype: WinEventLog:Security
+    data: datasets/attack_techniques/T1546.015/
+      bitlocker_com_hijacking/windows-security.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog:Security
   - file_name: windows-system.log
-    data: datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
-    source: WinEventLog:System
-    sourcetype: WinEventLog:System
+    data: datasets/attack_techniques/T1546.015/
+      bitlocker_com_hijacking/windows-system.log
+    source: XmlWinEventLog:System
+    sourcetype: XmlWinEventLog:System
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
index 1466f516a..49281b658 100644
--- a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
+++ b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8a9cf4b18a6383c2baefec1bfab29f561bb3055d2dba9df3062f3f97a81def33
-size 7003
+oid sha256:60f0af77ce8f0e40d115a1e196c5444ea3f024a4a8fcac61775ec1fd6301f879
+size 6334
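Review bot: Splitting `data:` across two lines, `data: datasets/attack_techniques/T1546.015/` followed by `bitlocker_com_hijacking/windows-security.log`, does not produce the intended path: YAML folds a plain multi-line scalar with a single space, so the loaded value becomes `datasets/attack_techniques/T1546.015/ bitlocker_com_hijacking/windows-security.log` and any tooling that resolves it against the repository will not find the file. Keep each path on one line; the same applies to the windows-system.log entry below it. A later patch in this series does rejoin the lines, but the intermediate commit is broken as submitted.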
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
index bcf004e8b..1fb202679 100644
--- a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
+++ b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:52199fd95101d48968b9683959cd06e894d23f036480253c13862589222c182f
-size 1058
+oid sha256:5168356ebbd579b0565d5de536f612f0e9099a2335a80299fe50fbbbd1a52c63
+size 1684
From 9402b9b35a1aa22f8895e240fc8cc82b020c2346 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Wed, 26 Nov 2025 12:06:08 +0100
Subject: [PATCH 3/6] Refactor BitLocker COM Hijacking dataset YAML
Updated the BitLocker COM Hijacking dataset YAML file to streamline the structure and remove redundant entries.
---
 .../bitlocker_com_hijacking.yml | 28 ++++++------------
 1 file changed, 8 insertions(+), 20 deletions(-)
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
index badcedc78..b3c12d8c6 100644
--- a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
+++ b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
@@ -1,29 +1,17 @@
----
-name: BitLocker COM Hijacking Lateral Movement
+author: Ali Atashgar (AAtashGar)
 id: b8f4c2a1-9e7d-4f3b-8a1c-5d9e7f2b6a3e
-version: 1
 date: '2025-11-25'
-author: Ali Atashgar (AAtashGar)
-type: dataset
-description: Simulated Windows Security and System events demonstrating the
-  BitLocker Network Unlock COM Object Hijacking lateral movement technique
-  (T1574.015 / T1546.015) using RemoteRegistry service enablement, HKCU CLSID
-  manipulation, and execution via baaupdate.exe or BdeUISrv.exe.
+description: Simulated Windows Security and System events demonstrating the BitLocker Network Unlock COM Object Hijacking lateral movement technique (T1574.015 / T1546.015) using RemoteRegistry service enablement, HKCU CLSID manipulation, and execution via baaupdate.exe or BdeUISrv.exe.
 environment: NA
 directory: bitlocker_com_hijacking
 mitre_technique:
   - T1546.015
-references:
-  - https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
-  - https://github.com/rtecCyberSec/BitlockMove
 attack_data:
-  - file_name: windows-security.log
-    data: datasets/attack_techniques/T1546.015/
-      bitlocker_com_hijacking/windows-security.log
+  - name: windows-security.log
+    data: datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
     source: XmlWinEventLog:Security
-    sourcetype: XmlWinEventLog:Security
-  - file_name: windows-system.log
-    data: datasets/attack_techniques/T1546.015/
-      bitlocker_com_hijacking/windows-system.log
+    sourcetype: XmlWinEventLog
+  - name: windows-system.log
+    data: datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
     source: XmlWinEventLog:System
-    sourcetype: XmlWinEventLog:System
+    sourcetype: XmlWinEventLog
From 7b26fc22e32ca0215f268a80fad3888fd6596b19 Mon Sep 17 00:00:00 2001
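Review bot: Removing the `references` block drops the only provenance for the simulated events — the ipurple.team write-up and the BitlockMove tool the description is modelled on — which a reviewer needs to check the log contents against the published technique; if the dataset schema has no `references` field, fold the two URLs into `description` instead. The rewritten single-line `description` still names `T1574.015` next to `T1546.015` while `mitre_technique` lists only `- T1546.015`, so either add the second ID there or remove it from the text. The `sourcetype` change from `XmlWinEventLog:Security` to the generic `XmlWinEventLog` appears to follow the convention where `source` carries the channel, but it is worth confirming that the detections consuming this dataset filter on `source` rather than `sourcetype`.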
From: Nasreddine Bencherchali
Date: Wed, 26 Nov 2025 12:06:17 +0100
Subject: [PATCH 4/6] Delete datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/.gitattributes
---
 .../T1546.015/bitlocker_com_hijacking/.gitattributes | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/.gitattributes
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/.gitattributes b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/.gitattributes
deleted file mode 100644
index 9d4b5349c..000000000
--- a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/.gitattributes
+++ /dev/null
@@ -1 +0,0 @@
-*.log filter=lfs diff=lfs merge=lfs -text
From b5f550fbb97bc06eb3fa2617c2647e61f7fbbb04 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Wed, 26 Nov 2025 12:10:42 +0100
Subject: [PATCH 5/6] Update bitlocker_com_hijacking.yml
---
 .../bitlocker_com_hijacking/bitlocker_com_hijacking.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
index b3c12d8c6..88f92571f 100644
--- a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
+++ b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/bitlocker_com_hijacking.yml
@@ -6,12 +6,12 @@ environment: NA
 directory: bitlocker_com_hijacking
 mitre_technique:
   - T1546.015
-attack_data:
+datasets:
   - name: windows-security.log
-    data: datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
+    path: datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
     source: XmlWinEventLog:Security
     sourcetype: XmlWinEventLog
   - name: windows-system.log
-    data: datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
+    path: datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
     source: XmlWinEventLog:System
     sourcetype: XmlWinEventLog
From 7fbc8388254656ab6a4d80fa9726fedef5861358 Mon Sep 17 00:00:00 2001
From: ali AtashGar
Date: Sun, 30 Nov 2025 07:54:39 +0000
Subject: [PATCH 6/6] fix:raw log
---
 .../T1546.015/bitlocker_com_hijacking/windows-security.log | 4 ++--
 .../T1546.015/bitlocker_com_hijacking/windows-system.log | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
index 49281b658..93d13c824 100644
--- a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
+++ b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-security.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:60f0af77ce8f0e40d115a1e196c5444ea3f024a4a8fcac61775ec1fd6301f879
-size 6334
+oid sha256:bb99bf5fb415c94fa697ac1138158028fb03f350df587112c6d715bf43876761
+size 8856
diff --git a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
index 1fb202679..6dc9577a4 100644
--- a/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
+++ b/datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/windows-system.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5168356ebbd579b0565d5de536f612f0e9099a2335a80299fe50fbbbd1a52c63
-size 1684
+oid sha256:5ebb20bfbf74c279370b775db9f2061296c9b0c52bc0092bb987750ef0f1525f
+size 1704