SPL · Apache-2.0 · from splunk/security_content
Windows Bluetooth Service Installed From Uncommon Location
Identifies the creation of a Windows service named "BluetoothService" with a binary path in user-writable directories, particularly %AppData%\Bluetooth. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named "BluetoothService" pointing to a malicious binary (renamed Bitdefender Submission Wizard) in a hidden AppData directory. While legitimate Bluetooth services exist in Windows, they are system services with binaries in System32. Any BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence.
Quality 35 · FP risk —
Rule source: detections/endpoint/windows_bluetooth_service_installed_from_uncommon_location.yml
`wineventlog_system`
EventCode=7045
ServiceName IN (
"BluetoothService",
"Bluetooth Service"
)
ImagePath IN (
"*\\AppData\\*",
"*\\ProgramData\\*",
"*\\Temp\\*",
"*\\Users\\*\\Bluetooth\\*"
)
| stats count min(_time) as firstTime max(_time) as lastTime
by Computer ServiceName ImagePath ServiceType StartType UserID
| rename Computer as dest
UserID as user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_bluetooth_service_installed_from_uncommon_location_filter`
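The same filter and aggregation expressed in Python, as an added example (not part of the rule or of the splunk/security_content repository) for checking the matching logic against constructed System-log records offline; the ServiceInstall dataclass, its field names and the sample values are assumptions made for this example.

```python
import fnmatch
from dataclasses import dataclass

# Service names and path globs taken from the SPL above; both sides are lowercased.
SERVICE_NAMES = {"bluetoothservice", "bluetooth service"}
PATH_GLOBS = ("*\\appdata\\*", "*\\programdata\\*", "*\\temp\\*", "*\\users\\*\\bluetooth\\*")

@dataclass(frozen=True)
class ServiceInstall:
    """One System-log record with the EventCode 7045 fields the SPL uses; time is epoch seconds (_time)."""
    time: int
    computer: str
    event_code: int
    service_name: str
    image_path: str
    service_type: str
    start_type: str
    user_id: str

def matches_rule(ev: ServiceInstall) -> bool:
    """Mirror the SPL filter: 7045, a Bluetooth-looking name, binary under a user-writable path."""
    if ev.event_code != 7045 or ev.service_name.lower() not in SERVICE_NAMES:
        return False
    # fnmatchcase treats backslash literally, matching the escaped "\\" in the SPL globs.
    return any(fnmatch.fnmatchcase(ev.image_path.lower(), g) for g in PATH_GLOBS)

def summarize(events):
    """Mirror `stats count min(_time) max(_time) by ...` plus the rename step."""
    groups = {}
    for ev in filter(matches_rule, events):
        key = (ev.computer, ev.service_name, ev.image_path, ev.service_type, ev.start_type, ev.user_id)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev.time, "lastTime": ev.time})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev.time)
        g["lastTime"] = max(g["lastTime"], ev.time)
    return [dict(zip(("dest", "ServiceName", "ImagePath", "ServiceType", "StartType", "user_id"), k), **v)
            for k, v in groups.items()]

# Constructed sample records (hosts, SIDs, paths, times are made up). Only the first two should fire:
# the third is the real support service running from System32, the fourth has a non-Bluetooth name.
SAMPLE_EVENTS = [
    ServiceInstall(1700000000, "WS01", 7045, "BluetoothService",
                   r"C:\Users\alice\AppData\Roaming\Bluetooth\submit.exe", "user mode service", "auto start", "S-1-5-21-1"),
    ServiceInstall(1700003600, "WS01", 7045, "BluetoothService",
                   r"C:\Users\alice\AppData\Roaming\Bluetooth\submit.exe", "user mode service", "auto start", "S-1-5-21-1"),
    ServiceInstall(1700000100, "WS02", 7045, "Bluetooth Service",
                   r"C:\Windows\System32\svchost.exe -k LocalService", "user mode service", "demand start", "S-1-5-18"),
    ServiceInstall(1700000200, "WS03", 7045, "UpdaterSvc",
                   r"C:\Windows\Temp\updater.exe", "user mode service", "auto start", "S-1-5-18"),
]
```

Running `summarize(SAMPLE_EVENTS)` yields a single row for WS01 with count 2, which is the shape the SPL's stats and rename steps produce before the filter macro is applied.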