BaaUpdate.exe Suspicious DLL Load

Severity: high
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking. This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94) which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1218` System Binary Proxy Execution
Lateral Movement	`T1021.003` Remote Services: Distributed Component Object Model

Event coverage

Provider	Event ID	Title
Sysmon	7	Image loaded

Stages and Predicates

Stage 1: `selection`

or:
ImageLoaded|contains: ':\Perflogs\'
ImageLoaded|contains: ':\Users\Default\'
ImageLoaded|contains: ':\Users\Public\'
ImageLoaded|contains: ':\Windows\Temp\'
ImageLoaded|contains: '\AppData\Local\Temp\'
ImageLoaded|contains: '\AppData\Roaming\'
ImageLoaded|contains: '\Contacts\'
ImageLoaded|contains: '\Favorites\'
ImageLoaded|contains: '\Favourites\'
ImageLoaded|contains: '\Links\'
ImageLoaded|contains: '\Music\'
ImageLoaded|contains: '\Pictures\'
ImageLoaded|contains: '\ProgramData\'
ImageLoaded|contains: '\Temporary Internet'
ImageLoaded|contains: '\Videos\'
Image|endswith: '\BaaUpdate.exe'
ImageLoaded|endswith: .dll

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.