Manage-bde.wsf
Script for managing BitLocker
Paths
C:\Windows\System32\manage-bde.wsf
Commands
Execute
Set the comspec variable to another executable prior to calling manage-bde.wsf for execution.
Use case: Proxy execution from script
Privileges: User
set comspec={PATH_ABSOLUTE:.exe} & cscript c:\windows\system32\manage-bde.wsf
Execute
Run the manage-bde.wsf script from a working directory that contains a payload named manage-bde.exe; the script runs the payload file.
Use case: Proxy execution from script
Privileges: User
copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
Detection
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml
- IOC: Manage-bde.wsf should not be invoked by a standard user under normal circumstances
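
Added example (not part of the original entry and not the logic of the linked Sigma rule): a Python check over process-creation events that flags the IOC above and the two execution patterns described in this entry. It assumes Sysmon-style field names (Image, CommandLine, ParentImage, ParentCommandLine); the sample events and the expected-children allowlist are constructed and should be tuned per environment.

```python
import ntpath

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SYSTEM32 = r"c:\windows\system32"
# Assumption: children a benign run of the script may spawn; tune per environment.
EXPECTED_CHILDREN = {SYSTEM32 + "\\" + n for n in ("cmd.exe", "conhost.exe", "manage-bde.exe")}

def classify(event):
    """Return the reasons a process-creation event looks like manage-bde.wsf abuse."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    reasons = []
    # IOC from this entry: the script is not normally invoked by a standard user.
    if ntpath.basename(image) in SCRIPT_HOSTS and "manage-bde.wsf" in cmdline:
        reasons.append("script host invoked manage-bde.wsf")
    # A script host running manage-bde.wsf started something outside the allowlist,
    # which is how a replaced comspec shows up in process-creation telemetry.
    if (ntpath.basename(parent) in SCRIPT_HOSTS and "manage-bde.wsf" in parent_cmd
            and image not in EXPECTED_CHILDREN):
        reasons.append("unexpected child of manage-bde.wsf")
    # A binary named manage-bde.exe running from anywhere but System32.
    if ntpath.basename(image) == "manage-bde.exe" and ntpath.dirname(image) != SYSTEM32:
        reasons.append("manage-bde.exe outside System32")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that triggered at least one check."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    dict(Image=r"C:\Windows\System32\cscript.exe", ParentImage=r"C:\Windows\System32\cmd.exe",
         CommandLine=r"cscript c:\windows\system32\manage-bde.wsf", ParentCommandLine="cmd.exe"),
    dict(Image=r"C:\Users\Public\other.exe", ParentImage=r"C:\Windows\System32\cscript.exe",
         CommandLine=r"C:\Users\Public\other.exe",
         ParentCommandLine=r"cscript c:\windows\system32\manage-bde.wsf"),
    dict(Image=r"C:\Users\Public\manage-bde.exe", ParentImage=r"C:\Windows\System32\cmd.exe",
         CommandLine="manage-bde.exe", ParentCommandLine="cmd.exe"),
    dict(Image=r"C:\Windows\System32\manage-bde.exe", ParentImage=r"C:\Windows\System32\cmd.exe",
         CommandLine="manage-bde.exe -status", ParentCommandLine="cmd.exe"),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, reasons)
```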