LoFP

Legitimate Bluetooth services in Windows are system services located in System32. Any BluetoothService created outside of system directories is highly suspicious. However, false positives may occur if:

1. Third-party Bluetooth software installs services in Program Files (excluded by this detection).
2. Development or testing environments create test services.

The detection specifically targets user-writable directories (AppData, Temp), which are strong indicators of malicious activity. Allowlist known-good third-party Bluetooth software installation paths if needed.

Techniques

Sample rules

Windows Bluetooth Service Installed From Uncommon Location

Description

Identifies the creation of a Windows service named “BluetoothService” with a binary path in user-writable directories, particularly %AppData%\Bluetooth. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named “BluetoothService” pointing to a malicious binary (renamed Bitdefender Submission Wizard) in a hidden AppData directory. While legitimate Bluetooth services exist in Windows, they are system services with binaries in System32. Any BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence.

Detection logic

`wineventlog_system`
EventCode=7045
ServiceName IN (
    "BluetoothService",
    "Bluetooth Service"
)
ImagePath IN (
    "*\\AppData\\*",
    "*\\ProgramData\\*",
    "*\\Temp\\*",
    "*\\Users\\*\\Bluetooth\\*"
)
| stats count min(_time) as firstTime max(_time) as lastTime
  by Computer ServiceName ImagePath ServiceType StartType UserID
| rename Computer as dest
         UserID as user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_bluetooth_service_installed_from_uncommon_location_filter`
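To see exactly which records the search above selects and how the stats stage groups them, here is an added Python re-implementation of its filter and aggregation run over constructed EventCode 7045 records; it is not part of the LoFP page or the Splunk rule, and the host names, paths and SIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample EventCode 7045 (new service installed) records; _time is ISO-8601 so min/max sort correctly.
EVENTS = [
    {"_time": "2024-05-01T09:00:00", "Computer": "ws01.corp.local",
     "ServiceName": "BluetoothService", "ServiceType": "user mode service",
     "StartType": "auto start", "UserID": "S-1-5-18",
     "ImagePath": '"C:\\Users\\alice\\AppData\\Roaming\\Bluetooth\\BluetoothService.exe"'},
    {"_time": "2024-05-01T09:05:00", "Computer": "ws01.corp.local",
     "ServiceName": "BluetoothService", "ServiceType": "user mode service",
     "StartType": "auto start", "UserID": "S-1-5-18",
     "ImagePath": '"C:\\Users\\alice\\AppData\\Roaming\\Bluetooth\\BluetoothService.exe"'},
    # Built-in Bluetooth support service: name is not watched and the path is System32.
    {"_time": "2024-05-01T10:00:00", "Computer": "ws02.corp.local",
     "ServiceName": "bthserv", "ServiceType": "user mode service",
     "StartType": "demand start", "UserID": "S-1-5-18",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k LocalService"},
    # Third-party vendor install under Program Files: name matches, path does not.
    {"_time": "2024-05-01T11:00:00", "Computer": "ws03.corp.local",
     "ServiceName": "Bluetooth Service", "ServiceType": "user mode service",
     "StartType": "auto start", "UserID": "S-1-5-18",
     "ImagePath": "C:\\Program Files\\VendorBT\\btsvc.exe"},
]

SERVICE_NAMES = {"bluetoothservice", "bluetooth service"}
# The same wildcard patterns as the search; '*' becomes '.*' and matching is
# case-insensitive, like Splunk's field-value comparison.
PATH_GLOBS = ["*\\AppData\\*", "*\\ProgramData\\*", "*\\Temp\\*",
              "*\\Users\\*\\Bluetooth\\*"]
PATH_RES = [re.compile("^" + ".*".join(map(re.escape, g.split("*"))) + "$", re.I)
            for g in PATH_GLOBS]

def matches(ev):
    """Filter stage: a watched service name AND an uncommon binary path."""
    return (ev["ServiceName"].lower() in SERVICE_NAMES
            and any(r.match(ev["ImagePath"]) for r in PATH_RES))

def run_detection(events):
    """Stats/rename stage: count, firstTime, lastTime per grouping key."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            key = tuple(ev[f] for f in ("Computer", "ServiceName", "ImagePath",
                                        "ServiceType", "StartType", "UserID"))
            groups[key].append(ev["_time"])
    return [{"dest": k[0], "ServiceName": k[1], "ImagePath": k[2], "ServiceType": k[3],
             "StartType": k[4], "user_id": k[5], "count": len(t),
             "firstTime": min(t), "lastTime": max(t)} for k, t in groups.items()]
```

Only the AppData install on ws01 is returned (count 2, first and last time from its two events); the System32 and Program Files services fall through, which is the behaviour the false-positive note above describes.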