Rule Info
Name
BitLockerTogo.EXE Execution
Author
Josh Nickels, mttaggart
Description
Detects the execution of "BitLockerToGo.EXE".
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
This is a rarely used application, and any usage of it is worth investigating.
Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
Date
2024-07-11 00:00:00
Modified
None
Id
7f2376f9-42ee-4dfc-9360-fecff9a88fc8
Tags
attack.defense-evasion attack.t1218 DEMO
Type
Community Rule
Link to Public Repo