This artifact gets all Bitlocker volumes using PowerShell, including the recovery password.
name: Windows.Sys.BitLocker
author: Zane Gittins
description: |
This artifact gets all Bitlocker volumes using PowerShell, including the recovery password.
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET PowershellScript = '''$Results = @()
$BitlockerVolumes = Get-BitLockerVolume
$BitlockerVolumes |
ForEach-Object {
$RecoveryKey = [string]($_.KeyProtector).RecoveryPassword
# Only add results with valid recovery keys.
if ($RecoveryKey.Length -gt 5) {
$_ | Add-Member -MemberType NoteProperty -Name "RecoveryPassword" -Value $RecoveryKey
$Results += $_
}
}
return ConvertTo-Json -InputObject @($Results)
'''
SELECT * FROM foreach(
row={
SELECT Stdout FROM execve(argv=["Powershell", "-ExecutionPolicy",
"unrestricted", "-c", PowershellScript], length=1000000)
}, query={
SELECT * FROM parse_json_array(data=Stdout)
})