Detectionlowtest

BitLockerTogo.EXE Execution

Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Josh Nickels, mttaggartCreated Thu Jul 117f2376f9-42ee-4dfc-9360-fecff9a88fc8windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\BitLockerToGo.exe'
    condition: selection

False Positives

Legitimate usage of BitLockerToGo.exe to encrypt portable devices.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1218 · System Binary Proxy Execution

Rule Metadata

Rule ID

7f2376f9-42ee-4dfc-9360-fecff9a88fc8

Status

test

Level

low

Type

Detection

Created

Thu Jul 11

Author

Josh Nickels, mttaggart

Path

rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml

Raw Tags

attack.defense-evasionattack.t1218

View on GitHub