manage-bde.exe

  • File Path: C:\windows\system32\manage-bde.exe
  • Description: BitLocker Drive Encryption: Configuration Tool

Hashes

Type Hash
MD5 F7E627DDF4C3B09BDB8954E02B4A375C
SHA1 2EA9A0B98C484ACB8F2A10146AFF965BF2E3F3C4
SHA256 CB4B9AF3F8127E7A7BC7F5364CC8AEF9E2315CC153BB651ABD2E8A9CBFBFD65A
SHA384 48862144DA9666442607C77D812B33672FC9CB3CF75370BE8F59432C8542D296E09332F90B143EC3DD34976DDD56B115
SHA512 B1539F3F9EB7855D6A7C78986ED8CC8AB2D9D177CE2D658B85B13BE409A24AC2FD55365FD3C6C0A49438012692AA1C29E5961C0A11CD89A17DDB5A50D0987A54
SSDEEP 6144:Z3x5ClQ1RGJbMsTt063tVs7nyatGt+SYF:IVMsZH+S+

Signature

  • Status: The file C:\windows\system32\manage-bde.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: manage-bde.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\baaupdate.exe 63
C:\WINDOWS\system32\baaupdate.exe 52
C:\windows\system32\baaupdate.exe 54
C:\Windows\system32\baaupdate.exe 63
C:\Windows\system32\BdeHdCfg.exe 58
C:\WINDOWS\system32\BdeHdCfg.exe 55
C:\Windows\system32\BdeHdCfg.exe 52
C:\windows\system32\BdeHdCfg.exe 55
C:\Windows\system32\bdeunlock.exe 36
C:\Windows\system32\bdeunlock.exe 35
C:\WINDOWS\system32\bdeunlock.exe 38
C:\windows\system32\bdeunlock.exe 46
C:\Windows\system32\BitLockerWizard.exe 60
C:\windows\system32\BitLockerWizard.exe 55
C:\WINDOWS\system32\BitLockerWizard.exe 60
C:\Windows\system32\BitLockerWizard.exe 55
C:\Windows\system32\BitLockerWizardElev.exe 58
C:\Windows\system32\BitLockerWizardElev.exe 54
C:\WINDOWS\system32\BitLockerWizardElev.exe 54
C:\windows\system32\BitLockerWizardElev.exe 61
C:\Windows\system32\fvecpl.dll 40
C:\Windows\system32\fvenotify.exe 54
C:\windows\system32\fvenotify.exe 50
C:\WINDOWS\system32\fvenotify.exe 54
C:\Windows\system32\fvenotify.exe 57
C:\WINDOWS\system32\fveprompt.exe 47
C:\Windows\system32\fveprompt.exe 50
C:\Windows\system32\fveprompt.exe 54
C:\windows\system32\fveprompt.exe 55
C:\Windows\system32\fveui.dll 46
C:\WINDOWS\system32\manage-bde.exe 50
C:\Windows\system32\manage-bde.exe 50
C:\Windows\system32\manage-bde.exe 43
C:\Windows\system32\repair-bde.exe 54
C:\WINDOWS\system32\repair-bde.exe 52
C:\windows\system32\repair-bde.exe 61
C:\Windows\system32\repair-bde.exe 52

Possible Misuse

The following table contains possible examples of manage-bde.exe being misused. While manage-bde.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Manage-bde.yml Name: Manage-bde.wsf  
LOLBAS Manage-bde.yml - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf  
LOLBAS Manage-bde.yml Description: Set the comspec variable to another executable prior to calling manage-bde.wsf for execution.  
LOLBAS Manage-bde.yml - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf  
LOLBAS Manage-bde.yml Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.  
LOLBAS Manage-bde.yml - Path: C:\Windows\System32\manage-bde.wsf  
LOLBAS Manage-bde.yml - IOC: Manage-bde.wsf should normally not be invoked by a user  
atomic-red-team index.md - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team T1216.md - Atomic Test #2 - manage-bde.wsf Signed Script Command Execution MIT License. © 2018 Red Canary
atomic-red-team T1216.md ## Atomic Test #2 - manage-bde.wsf Signed Script Command Execution MIT License. © 2018 Red Canary
atomic-red-team T1216.md Executes the signed manage-bde.wsf script with options to execute an arbitrary command. MIT License. © 2018 Red Canary
atomic-red-team T1216.md cscript %windir%\System32\manage-bde.wsf MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


manage-bde

Turns on or turns off BitLocker, specifies unlock mechanisms, updates recovery methods, and unlocks BitLocker-protected data drives.

[!NOTE] This command-line tool can be used in place of the BitLocker Drive Encryption Control Panel item.

Syntax

manage-bde [-status] [–on] [–off] [–pause] [–resume] [–lock] [–unlock] [–autounlock] [–protectors] [–tpm]
[–setidentifier] [-forcerecovery] [–changepassword] [–changepin] [–changekey] [-keypackage] [–upgrade] [-wipefreespace] [{-?|/?}] [{-help|-h}]

Parameters

Parameter Description
manage-bde status Provides information about all drives on the computer, whether or not they are BitLocker-protected.
manage-bde on Encrypts the drive and turns on BitLocker.
manage-bde off Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete.
manage-bde pause Pauses encryption or decryption.
manage-bde resume Resumes encryption or decryption.
manage-bde lock Prevents access to BitLocker-protected data.
manage-bde unlock Allows access to BitLocker-protected data with a recovery password or a recovery key.
manage-bde autounlock Manages automatic unlocking of data drives.
manage-bde protectors Manages protection methods for the encryption key.
manage-bde tpm Configures the computer’s Trusted Platform Module (TPM). This command isn’t supported on computers running Windows 8 or win8_server_2. To manage the TPM on these computers, use either the TPM Management MMC snap-in or the TPM Management cmdlets for Windows PowerShell.
manage-bde setidentifier Sets the drive identifier field on the drive to the value specified in the Provide the unique identifiers for your organization Group Policy setting.
manage-bde ForceRecovery Forces a BitLocker-protected drive into recovery mode on restart. This command deletes all TPM-related key protectors from the drive. When the computer restarts, only a recovery password or recovery key can be used to unlock the drive.
manage-bde changepassword Modifies the password for a data drive.
manage-bde changepin Modifies the PIN for an operating system drive.
manage-bde changekey Modifies the startup key for an operating system drive.
manage-bde KeyPackage Generates a key package for a drive.
manage-bde upgrade Upgrades the BitLocker version.
manage-bde WipeFreeSpace Wipes the free space on a drive.
-? or /? Displays brief Help at the command prompt.
-help or -h Displays complete Help at the command prompt.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.