This note documents detection patterns related to BitLocker Activity within Windows environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
BitLocker-API	24577	BitLocker enabled	Critical	Volume encryption initiated
BitLocker-API	24579	BitLocker disabled	Critical	Decryption or protection removal
BitLocker-API	24635	Protection suspended	Critical	Often precursor to tampering
BitLocker-API	24620	Recovery key used	Critical	High-value DFIR signal
BitLocker-API	24588	Volume unlocked	High	Access to encrypted data
BitLocker-API	24587	Key protector removed	Critical	Access control change
BitLocker-API	24586	Key protector added	Critical	Persistence / access method
Sysmon	1	Process creation	Critical	Detect manage-bde / PowerShell usage
Security	4688	Process creation	Critical	Native logging fallback
Sysmon	13	Registry set	High	Policy tampering

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
BitLocker suspended before action	24635 before execution	Critical	Pre-attack prep
Recovery key usage	24620 event	Critical	Unauthorized access
manage-bde execution	CLI usage	High	Admin or attacker
PowerShell BitLocker commands	Enable/Disable/Suspend	Critical	Scripted activity
Registry FVE changes	Policy weakened	Critical	Security downgrade
Unlock after recovery retrieval	AD / Entra correlation	Critical	Strong compromise signal

Common Tools

Tool	Usage
manage-bde.exe	Native BitLocker control
PowerShell	BitLocker cmdlets / encoded commands
cmd.exe	Execution wrapper
bcdedit.exe	Boot manipulation
reagentc.exe	Recovery config
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $secureString	Powershell commands

Relevant Artifacts

BitLocker Event Logs:
- Microsoft-Windows-BitLocker-API/Management
- Microsoft-Windows-BitLocker-Driver/Operational
Sysmon Event IDs 1, 13
Security Event ID 4688
Registry:
- HKLM\SOFTWARE\Policies\Microsoft\FVE
Prefetch for:
- manage-bde.exe
- powershell.exe
PowerShell history
AD / Entra BitLocker recovery logs

MITRE ATT&CK References

T1070 Indicator Removal on Host
T1070.006 Timestomp
T1562 Impair Defenses

Decision Tree

What happened?
- Enabled
- Disabled
- Suspended
- Recovery used
Which process triggered it?
- manage-bde
- PowerShell
- Unknown
Who performed it?
- Admin
- SYSTEM
- Suspicious user
Timing suspicious?
- Before execution
- Before log clear
- After compromise
Correlate:
- Process lineage
- Registry changes
- Recovery access
Scope:
- Single machine
- Multiple systems
- Domain-wide

Example Detection Templates

KQL

SecurityEvent
| where EventID == 4688
| where Process has "manage-bde"
| project TimeGenerated, Computer, Account, Process

Sysmon
| where EventID == 1
| where CommandLine has_any ("manage-bde","Enable-BitLocker","Disable-BitLocker","Suspend-BitLocker")
| project TimeGenerated, Computer, User, CommandLine

EQL

process where process.name == "manage-bde.exe"

sequence by host.name with maxspan=5m
  [ process where process.name in ("powershell.exe","cmd.exe") ]
  [ process where process.command_line like "*BitLocker*" ]

Sigma

title: BitLocker Activity Detection
id: 7c9f2d1e-bitlocker-activity
status: experimental
description: Detects BitLocker administrative activity
author: Vergil
date: 2026-04-05
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains:
      - 'manage-bde'
      - 'Enable-BitLocker'
      - 'Disable-BitLocker'
      - 'Suspend-BitLocker'
  condition: selection
fields:
  - CommandLine
falsepositives:
  - Legitimate admin usage
level: high
tags:
  - attack.defense_evasion

Snort

alert tcp any any -> any 389 (msg:"BitLocker Recovery Key LDAP Access"; content:"msFVE-RecoveryInformation"; nocase; sid:900100; rev:1;)

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Audit logs	Enable BitLocker logging	Critical	Visibility
Sysmon	Track process execution	Critical	Attribution
Registry monitoring	Watch FVE keys	High	Policy tampering
Key access control	Restrict recovery keys	Critical	Prevent abuse
SIEM correlation	Detect chained behavior	Critical	Real detection