
Suspicious BitLocker Access Agent Update Utility Execution

Severity: high
Author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects suspicious child processes of the BitLocker Access Agent Update Utility (baaupdate.exe), which is not a common parent process for other processes. Child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM hijacking.

MITRE ATT&CK coverage

Tactic: Defense Evasion
  Technique: T1218 System Binary Proxy Execution
Tactic: Lateral Movement
  Technique: T1021.003 Remote Services: Distributed Component Object Model

Event coverage

Provider: Sysmon
  Event ID: 1
  Title: Process creation
Provider: Security-Auditing
  Event ID: 4688
  Title: A new process has been created.

Stages and Predicates

Stage 1: selection

The selection is a Sigma map: its two keys must both match (ParentImage AND Image), while the list of Image values is OR-ed, so the rule fires when baaupdate.exe is the parent of any one of the listed binaries.

  ParentImage|endswith: '\baaupdate.exe'
  Image|endswith:
    - '\bitsadmin.exe'
    - '\cmd.exe'
    - '\cscript.exe'
    - '\mshta.exe'
    - '\powershell.exe'
    - '\powershell_ise.exe'
    - '\regsvr32.exe'
    - '\rundll32.exe'
    - '\schtasks.exe'
    - '\wmic.exe'
    - '\wscript.exe'
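To make the matching semantics concrete, the following is an added example (not code from the rule or its authors) that evaluates this selection over a handful of constructed process-creation events. It applies Sigma's map semantics (keys AND-ed, list values OR-ed, `endswith` matching case-insensitively with the leading backslash kept as part of the pattern) and normalises Security 4688 field names (`NewProcessName`, `ParentProcessName`) onto the Sysmon names the rule uses. The `FIELD_MAP_4688` mapping and all sample events are assumptions constructed for the example.

```python
"""Minimal evaluator for the baaupdate.exe child-process selection.

Added example, not the rule's own code. Runs offline on constructed events.
"""

# The selection as written in the rule: keys are AND-ed, list values OR-ed.
SELECTION = {
    "ParentImage|endswith": ["\\baaupdate.exe"],
    "Image|endswith": [
        "\\bitsadmin.exe", "\\cmd.exe", "\\cscript.exe", "\\mshta.exe",
        "\\powershell.exe", "\\powershell_ise.exe", "\\regsvr32.exe",
        "\\rundll32.exe", "\\schtasks.exe", "\\wmic.exe", "\\wscript.exe",
    ],
}

# Security 4688 names the same fields differently (assumed mapping for the
# example; ParentProcessName is only populated on newer Windows builds).
FIELD_MAP_4688 = {"NewProcessName": "Image", "ParentProcessName": "ParentImage"}


def normalize(event):
    """Rename 4688-style fields to the Sysmon names used by the selection."""
    return {FIELD_MAP_4688.get(k, k): v for k, v in event.items()}


def _field_matches(value, modifier, patterns):
    """Sigma string matching is case-insensitive; only 'endswith' is needed here."""
    if value is None:
        return False
    v = value.lower()
    if modifier == "endswith":
        return any(v.endswith(p.lower()) for p in patterns)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection=SELECTION):
    """True when every key matches (AND); each key's value list is OR-ed."""
    event = normalize(event)
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field), modifier, patterns):
            return False
    return True


# Constructed sample events (not real telemetry). Events 1-5 use Sysmon
# Event ID 1 names, event 6 uses Security 4688 names.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\System32\baaupdate.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},               # fires
    {"id": 2, "ParentImage": r"C:\Windows\System32\BAAUPDATE.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe"},  # fires (case-insensitive)
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},               # wrong parent
    {"id": 4, "ParentImage": r"C:\Windows\System32\baaupdate.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},           # child not in list
    {"id": 5, "ParentImage": r"C:\Windows\System32\baaupdate.exe",
     "Image": r"C:\Windows\System32\notcmd.exe"},            # backslash is part of the pattern
    {"id": 6, "ParentProcessName": r"C:\Windows\System32\baaupdate.exe",
     "NewProcessName": r"C:\Windows\System32\rundll32.exe"},  # fires after 4688 mapping
]


def find_alerts(events=SAMPLE_EVENTS):
    """Return the ids of the events the selection fires on."""
    return [e["id"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    print(find_alerts())  # [1, 2, 6]
```

Event 5 is the instructive one: `\notcmd.exe` ends with `cmd.exe` but not with `\cmd.exe`, so keeping the backslash in the pattern is what prevents a substring false positive. When porting the rule to a backend, confirm that its `endswith` translation is case-insensitive and that 4688 paths are mapped to the Sysmon field names before comparison.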

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: Image
Kind: ends_with
Values:
  • \bitsadmin.exe corpus 23 (sigma 23)
  • \cmd.exe corpus 92 (sigma 92)
  • \cscript.exe corpus 64 (sigma 64)
  • \mshta.exe corpus 57 (sigma 57)
  • \powershell.exe corpus 143 (sigma 143)
  • \powershell_ise.exe corpus 27 (sigma 27)
  • \regsvr32.exe corpus 57 (sigma 57)
  • \rundll32.exe corpus 76 (sigma 76)
  • \schtasks.exe corpus 45 (sigma 45)
  • \wmic.exe corpus 37 (sigma 37)
  • \wscript.exe corpus 64 (sigma 64)

Field: ParentImage
Kind: ends_with
Values:
  • \baaupdate.exe