Detectionhighexperimental

BaaUpdate.exe Suspicious DLL Load

Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking. This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94) which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Sat Oct 186e8fe0a8-ba0b-4a93-8f9e-82657e7a5984windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        Image|endswith: '\BaaUpdate.exe'
        ImageLoaded|endswith: '.dll'
        ImageLoaded|contains:
            - ':\Perflogs\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Favorites\'
            - '\Favourites\'
            - '\Links\'
            - '\Music\'
            - '\Pictures\'
            - '\ProgramData\'
            - '\Temporary Internet'
            - '\Videos\'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0008 · Lateral Movement

Techniques

T1218 · System Binary Proxy Execution

Sub-techniques

T1021.003 · Distributed Component Object Model

Related Rules

SimilarDetectionhigh

Suspicious BitLocker Access Agent Update Utility Execution

Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984

Status

experimental

Level

high

Type

Detection

Created

Sat Oct 18

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/image_load/image_load_susp_baaupdate_dll_load.yml

Raw Tags

attack.defense-evasionattack.t1218attack.lateral-movementattack.t1021.003

View on GitHub