Google Workspace BitLocker Setting Disabled
Detection of Google Workspace administrators disabling the BitLocker setting, potentially allowing adversaries with valid account access to decrypt sensitive data on managed Windows devices.
This threat brief focuses on the detection of unauthorized BitLocker disabling within Google Workspace environments. Google Workspace administrators with Windows device management enabled have the ability to manage BitLocker drive encryption on registered Windows endpoints. An adversary who has gained valid account access to a Google Workspace administrator account may attempt to disable BitLocker on managed Windows devices. This action decrypts data at rest and makes it accessible, increasing the risk of sensitive data exposure. This activity is typically logged as a "CHANGE_APPLICATION_SETTING" event within the Google Workspace admin audit logs. Defenders should monitor for unexpected or unauthorized changes to BitLocker settings. The reported Google Workspace event lag times ranging from minutes up to 3 days between the time of an event's occurrence should be considered.
Attack Chain
- The adversary gains valid credentials for a Google Workspace administrator account.
- The adversary authenticates to the Google Workspace admin console.
- The adversary navigates to the device management section of the console.
- The adversary identifies a target Windows device that is managed through Google Workspace and has BitLocker enabled.
- The adversary modifies the BitLocker setting for the target device, setting the new value to "Disabled".
- This action triggers a "CHANGE_APPLICATION_SETTING" event within the Google Workspace admin audit logs, specifically targeting the BitLocker setting.
- The endpoint decrypts the data, allowing unauthorized access.
Impact
The successful disabling of BitLocker can lead to the unauthorized access of sensitive data stored on Windows endpoints managed by Google Workspace. This can result in data breaches, compliance violations, and reputational damage. The severity of the impact depends on the type and amount of data stored on the affected devices. If BitLocker is disabled on a large number of devices, the impact can be widespread and significant.
Recommendation
- Deploy the Sigma rule "Google Workspace Bitlocker Setting Disabled" to detect unauthorized BitLocker disabling events in your Google Workspace environment.
- Review the permissions assigned to Google Workspace users to adhere to the principle of least privilege.
- Reduce the
var.intervalsetting of the Google Workspace Filebeat module to minimize event lag and improve detection timeliness (reference: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html). - Investigate any alerts generated by the Sigma rule by checking the Google Workspace admin console audit logs for related events involving the affected user (Reporting > Audit and Investigation > Device logs).
Detection coverage 2
Google Workspace Bitlocker Setting Disabled
mediumDetects when a Google Workspace administrator disables the BitLocker setting for managed Windows devices.
Google Workspace Admin Activity - Device Sync Event
lowDetects Google Workspace Device sync events, potentially indicating account compromise.
Detection queries are available on the platform. Get full rules →