Detectionhighexperimental

Suspicious BitLocker Access Agent Update Utility Execution

Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)Created Sat Oct 189f38c1db-e2ae-40bf-81d0-5b68f73fb512windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\baaupdate.exe'
        Image|endswith:
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0008 · Lateral Movement

Techniques

T1218 · System Binary Proxy Execution

Sub-techniques

T1021.003 · Distributed Component Object Model

Related Rules

SimilarDetectionhigh

BaaUpdate.exe Suspicious DLL Load

Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking. This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94) which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

9f38c1db-e2ae-40bf-81d0-5b68f73fb512

Status

experimental

Level

high

Type

Detection

Created

Sat Oct 18

Author

andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_baaupdate_susp_child_process.yml

Raw Tags

attack.defense-evasionattack.t1218attack.lateral-movementattack.t1021.003

View on GitHub