manage-bde.exe

File Path: C:\windows\system32\manage-bde.exe
Description: BitLocker Drive Encryption: Configuration Tool

Hashes

Type	Hash
MD5	`F7E627DDF4C3B09BDB8954E02B4A375C`
SHA1	`2EA9A0B98C484ACB8F2A10146AFF965BF2E3F3C4`
SHA256	`CB4B9AF3F8127E7A7BC7F5364CC8AEF9E2315CC153BB651ABD2E8A9CBFBFD65A`
SHA384	`48862144DA9666442607C77D812B33672FC9CB3CF75370BE8F59432C8542D296E09332F90B143EC3DD34976DDD56B115`
SHA512	`B1539F3F9EB7855D6A7C78986ED8CC8AB2D9D177CE2D658B85B13BE409A24AC2FD55365FD3C6C0A49438012692AA1C29E5961C0A11CD89A17DDB5A50D0987A54`
SSDEEP	`6144:Z3x5ClQ1RGJbMsTt063tVs7nyatGt+SYF:IVMsZH+S+`

Signature

Status: The file C:\windows\system32\manage-bde.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: manage-bde.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Product Version: 6.3.9600.16384
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File	Score
C:\Windows\system32\baaupdate.exe	63
C:\WINDOWS\system32\baaupdate.exe	52
C:\windows\system32\baaupdate.exe	54
C:\WINDOWS\system32\baaupdate.exe	58
C:\Windows\system32\baaupdate.exe	63
C:\WINDOWS\system32\BdeHdCfg.exe	55
C:\Windows\system32\BdeHdCfg.exe	58
C:\WINDOWS\system32\BdeHdCfg.exe	55
C:\Windows\system32\BdeHdCfg.exe	52
C:\windows\system32\BdeHdCfg.exe	55
C:\Windows\system32\bdeunlock.exe	36
C:\Windows\system32\bdeunlock.exe	35
C:\WINDOWS\system32\bdeunlock.exe	38
C:\WINDOWS\system32\bdeunlock.exe	41
C:\windows\system32\bdeunlock.exe	46
C:\Windows\system32\bdeunlock.exe	49
C:\WINDOWS\system32\BitLockerWizard.exe	55
C:\Windows\system32\BitLockerWizard.exe	60
C:\windows\system32\BitLockerWizard.exe	55
C:\WINDOWS\system32\BitLockerWizard.exe	60
C:\Windows\system32\BitLockerWizard.exe	60
C:\Windows\system32\BitLockerWizard.exe	55
C:\Windows\system32\BitLockerWizardElev.exe	58
C:\Windows\system32\BitLockerWizardElev.exe	54
C:\WINDOWS\system32\BitLockerWizardElev.exe	54
C:\Windows\system32\BitLockerWizardElev.exe	54
C:\windows\system32\BitLockerWizardElev.exe	61
C:\WINDOWS\system32\BitLockerWizardElev.exe	58
C:\Windows\system32\fvecpl.dll	40
C:\Windows\system32\fvenotify.exe	54
C:\WINDOWS\system32\fvenotify.exe	50
C:\windows\system32\fvenotify.exe	50
C:\WINDOWS\system32\fvenotify.exe	54
C:\Windows\system32\fvenotify.exe	57
C:\WINDOWS\system32\fveprompt.exe	47
C:\Windows\system32\fveprompt.exe	50
C:\Windows\system32\fveprompt.exe	54
C:\WINDOWS\system32\fveprompt.exe	54
C:\windows\system32\fveprompt.exe	55
C:\Windows\system32\fveui.dll	46
C:\WINDOWS\system32\manage-bde.exe	50
C:\Windows\system32\manage-bde.exe	50
C:\Windows\system32\manage-bde.exe	43
C:\WINDOWS\system32\manage-bde.exe	44
C:\Windows\system32\repair-bde.exe	54
C:\WINDOWS\system32\repair-bde.exe	52
C:\WINDOWS\system32\repair-bde.exe	52
C:\windows\system32\repair-bde.exe	61
C:\Windows\system32\repair-bde.exe	52

Possible Misuse

The following table contains possible examples of manage-bde.exe being misused. While manage-bde.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_manage_bde_lolbas.yml	`title: Suspicious Usage of the Manage-bde.wsf Script`	DRL 1.0
sigma	proc_creation_win_manage_bde_lolbas.yml	`description: Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script`	DRL 1.0
sigma	proc_creation_win_manage_bde_lolbas.yml	`- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Manage-bde.yml`	DRL 1.0
sigma	proc_creation_win_manage_bde_lolbas.yml	`- 'manage-bde.wsf'`	DRL 1.0
LOLBAS	Manage-bde.yml	`Name: Manage-bde.wsf`
LOLBAS	Manage-bde.yml	`- Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf`
LOLBAS	Manage-bde.yml	`Description: Set the comspec variable to another executable prior to calling manage-bde.wsf for execution.`
LOLBAS	Manage-bde.yml	`- Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf`
LOLBAS	Manage-bde.yml	`Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.`
LOLBAS	Manage-bde.yml	`- Path: C:\Windows\System32\manage-bde.wsf`
LOLBAS	Manage-bde.yml	`- IOC: Manage-bde.wsf should not be invoked by a standard user under normal situations`
atomic-red-team	index.md	- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1216.md	- Atomic Test #2 - manage-bde.wsf Signed Script Command Execution	MIT License. © 2018 Red Canary
atomic-red-team	T1216.md	## Atomic Test #2 - manage-bde.wsf Signed Script Command Execution	MIT License. © 2018 Red Canary
atomic-red-team	T1216.md	Executes the signed manage-bde.wsf script with options to execute an arbitrary command.	MIT License. © 2018 Red Canary
atomic-red-team	T1216.md	cscript %windir%\System32\manage-bde.wsf	MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

manage-bde

Turns on or turns off BitLocker, specifies unlock mechanisms, updates recovery methods, and unlocks BitLocker-protected data drives.

[!NOTE] This command-line tool can be used in place of the BitLocker Drive Encryption Control Panel item.

Syntax

manage-bde [-status] [â€“on] [â€“off] [â€“pause] [â€“resume] [â€“lock] [â€“unlock] [â€“autounlock] [â€“protectors] [â€“tpm]
[â€“setidentifier] [-forcerecovery] [â€“changepassword] [â€“changepin] [â€“changekey] [-keypackage] [â€“upgrade] [-wipefreespace] [{-?|/?}] [{-help|-h}]

Parameters

Parameter	Description
manage-bde status	Provides information about all drives on the computer, whether or not they are BitLocker-protected.
manage-bde on	Encrypts the drive and turns on BitLocker.
manage-bde off	Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete.
manage-bde pause	Pauses encryption or decryption.
manage-bde resume	Resumes encryption or decryption.
manage-bde lock	Prevents access to BitLocker-protected data.
manage-bde unlock	Allows access to BitLocker-protected data with a recovery password or a recovery key.
manage-bde autounlock	Manages automatic unlocking of data drives.
manage-bde protectors	Manages protection methods for the encryption key.
manage-bde tpm	Configures the computer’s Trusted Platform Module (TPM). This command isn’t supported on computers running Windows 8 or win8_server_2. To manage the TPM on these computers, use either the TPM Management MMC snap-in or the TPM Management cmdlets for Windows PowerShell.
manage-bde setidentifier	Sets the drive identifier field on the drive to the value specified in the Provide the unique identifiers for your organization Group Policy setting.
manage-bde ForceRecovery	Forces a BitLocker-protected drive into recovery mode on restart. This command deletes all TPM-related key protectors from the drive. When the computer restarts, only a recovery password or recovery key can be used to unlock the drive.
manage-bde changepassword	Modifies the password for a data drive.
manage-bde changepin	Modifies the PIN for an operating system drive.
manage-bde changekey	Modifies the startup key for an operating system drive.
manage-bde KeyPackage	Generates a key package for a drive.
manage-bde upgrade	Upgrades the BitLocker version.
manage-bde WipeFreeSpace	Wipes the free space on a drive.
-? or /?	Displays brief Help at the command prompt.
-help or -h	Displays complete Help at the command prompt.