name: Windows Bluetooth Service Installed From Uncommon Location
id: f12b81e6-2fa2-48e0-95cd-f5f7e4d9ac89
version: 1
date: '2026-03-13'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: >-
  Identifies the creation of a Windows service named "BluetoothService" with a binary path in user-writable directories, particularly %AppData%\Bluetooth.
  This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named "BluetoothService" pointing to a malicious binary (a renamed Bitdefender Submission Wizard) in a hidden AppData directory.
  While legitimate Bluetooth services exist in Windows, they are system services with binaries in System32.
  Any BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence.
data_source:
- Windows Event Log System 7045
search: '`wineventlog_system` EventCode=7045 ServiceName IN ("BluetoothService", "Bluetooth Service") ImagePath IN ("*\\AppData\\*", "*\\ProgramData\\*", "*\\Temp\\*", "*\\Users\\*\\Bluetooth\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer ServiceName ImagePath ServiceType StartType UserID | rename Computer as dest UserID as user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bluetooth_service_installed_from_uncommon_location_filter`'
how_to_implement: >-
  To successfully implement this search, you need to be ingesting Windows System Event Logs (Event ID 7045) from your Windows endpoints. Event ID 7045 logs service installation events and includes the service name, binary path, service type, and start type.
  Ensure Windows Event Log forwarding is configured to send System logs to Splunk, or use a Windows Event Log collection agent. The Splunk Add-on for Microsoft Windows is required to properly parse these events.
known_false_positives: >-
  Legitimate Bluetooth services in Windows are system services located in System32. Any BluetoothService created outside of system directories is highly suspicious. However, false positives may occur if:
  1. Third-party Bluetooth software installs services in Program Files (excluded by this detection)
  2. Development or testing environments create test services
  The detection specifically targets user-writable directories (AppData, Temp), which are strong indicators of malicious activity. Allowlist known-good third-party Bluetooth software installation paths if needed.
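The filter and `stats` stages of the search above, re-implemented in Python as an added example (this is not Splunk's code and not part of the detection itself) and run over constructed Event ID 7045 records that include the System32, Program Files and allowlist cases discussed in the false-positive notes. Field names follow those used in the search; `EXAMPLE_ALLOWLIST`, the `VendorBT` directory, the hostnames and the file names are hypothetical placeholders, and the allowlist stands in for the `windows_bluetooth_service_installed_from_uncommon_location_filter` macro.

```python
"""Added example: Python model of the BluetoothService-from-uncommon-location detection.
Not Splunk's code; sample events below are constructed for illustration."""
import fnmatch
from datetime import datetime, timezone

# Service names matched by the search. Splunk compares IN() string values
# case-insensitively, so everything is lower-cased before comparison.
SERVICE_NAMES = {"bluetoothservice", "bluetooth service"}

# Wildcard patterns for user-writable locations, copied from the search's ImagePath IN(...) clause.
SUSPICIOUS_PATH_PATTERNS = [
    r"*\AppData\*",
    r"*\ProgramData\*",
    r"*\Temp\*",
    r"*\Users\*\Bluetooth\*",
]

# Hypothetical allowlist standing in for the `..._filter` macro: paths an analyst has reviewed.
EXAMPLE_ALLOWLIST = [r"*\VendorBT\*"]


def _matches_any(path, patterns):
    """Case-insensitive glob match. fnmatch treats a backslash as a literal
    character, so Windows paths can be matched without escaping."""
    lowered = path.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def is_suspicious_service_install(event, allowlist=()):
    """True when one event satisfies every filter condition of the search."""
    if event.get("EventCode") != 7045:
        return False
    if event.get("ServiceName", "").strip().lower() not in SERVICE_NAMES:
        return False
    image_path = event.get("ImagePath", "")
    if not _matches_any(image_path, SUSPICIOUS_PATH_PATTERNS):
        return False  # System32, Program Files and other system paths end up here
    if _matches_any(image_path, allowlist):
        return False  # known-good third-party install path (the filter macro's job)
    return True


def run_detection(events, allowlist=()):
    """Equivalent of `stats count min(_time) max(_time) by Computer ServiceName ImagePath ...`
    followed by the rename of Computer->dest and UserID->user_id."""
    groups = {}
    for e in events:
        if not is_suspicious_service_install(e, allowlist):
            continue
        key = (e["Computer"], e["ServiceName"], e["ImagePath"],
               e.get("ServiceType"), e.get("StartType"), e.get("UserID"))
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    results = []
    for (dest, name, path, stype, start, uid), g in sorted(groups.items(), key=lambda kv: kv[0][:3]):
        results.append({"dest": dest, "ServiceName": name, "ImagePath": path, "ServiceType": stype,
                        "StartType": start, "user_id": uid, **g})
    return results


def ctime(epoch):
    """Readable UTC timestamp, used here in place of the security_content_ctime macro."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def _event(computer, name, path, t, code=7045, user="S-1-5-18"):
    """Build a constructed 7045 record with the fields the search reads."""
    return {"EventCode": code, "Computer": computer, "ServiceName": name, "ImagePath": path,
            "ServiceType": "user mode service", "StartType": "auto start", "UserID": user, "_time": t}


# Constructed sample input: two true positives on WKSTN-01, one on WKSTN-02,
# a legitimate System32 service, a Program Files install, an allowlisted
# AppData install, and a non-7045 event that must be ignored.
SAMPLE_EVENTS = [
    _event("WKSTN-01", "BluetoothService", r"C:\Users\alice\AppData\Roaming\Bluetooth\svc.exe", 1_700_000_000),
    _event("WKSTN-01", "BluetoothService", r"C:\Users\alice\AppData\Roaming\Bluetooth\svc.exe", 1_700_003_600),
    _event("WKSTN-02", "Bluetooth Service", r"C:\ProgramData\Bluetooth\update.exe", 1_700_000_500),
    _event("WKSTN-03", "Bluetooth Service", r"C:\Windows\System32\svchost.exe -k LocalService", 1_700_000_600),
    _event("WKSTN-04", "BluetoothService", r"C:\Program Files\VendorBT\Bluetooth\btsvc.exe", 1_700_000_700),
    _event("WKSTN-05", "BluetoothService", r"C:\Users\bob\AppData\Local\VendorBT\bt.exe", 1_700_000_800),
    _event("WKSTN-06", "BluetoothService", r"C:\Users\carol\AppData\Local\Temp\bt.exe", 1_700_000_900, code=7036),
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS, EXAMPLE_ALLOWLIST):
        print(row["dest"], row["ServiceName"], row["ImagePath"], row["count"],
              ctime(row["firstTime"]), ctime(row["lastTime"]))
```

Without the allowlist the WKSTN-05 install is reported as well, which is exactly the third-party case the false-positive notes anticipate; the Program Files install on WKSTN-04 is never reported because no pattern in the search covers that directory.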
references:
- https://attack.mitre.org/techniques/T1543/003/
- https://attack.mitre.org/techniques/T1036/
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
drilldown_searches:
- name: 'View the detection results for - "$dest$"'
  search: '%original_detection_search% | search dest = "$dest$"'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
- name: 'View risk events for the last 7 days for - "$dest$"'
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
tags:
  analytic_story:
  - Lotus Blossom Chrysalis Backdoor
  asset_type: Endpoint
  mitre_attack_id:
  - T1543.003
  - T1036
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: endpoint
  cve: