BitLockerTogo.EXE Execution

Rule Info

Name: BitLockerTogo.EXE Execution
Author: Josh Nickels, mttaggart
Description: Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption for removable data drives. It covers the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted with the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application, so any execution of it is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
Date: 2024-07-11 00:00:00
Modified: None
Id: 7f2376f9-42ee-4dfc-9360-fecff9a88fc8
Tags: attack.defense-evasion attack.t1218 DEMO
Type: Community Rule
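The description above says what the rule looks for but the page does not show the rule's own detection block. The following is an added example, not the Sigma rule and not code from its authors: it applies the same idea (flag any process-creation event whose image or PE OriginalFileName is BitLockerToGo.exe) to a handful of constructed Sysmon Event ID 1 style records, and attaches a simple parent-process triage hint. The field names, the sample events, and the "parent under C:\Windows" heuristic are all assumptions made for this example.

```python
from typing import Dict, List

# Values a check of this kind keys on (assumed here, not taken from the rule):
# the on-disk image name and the PE header's OriginalFileName, compared
# case-insensitively because Windows paths are case-insensitive.
IMAGE_SUFFIX = "\\bitlockertogo.exe"
ORIGINAL_FILE_NAME = "bitlockertogo.exe"

# Constructed sample events in the shape of Sysmon Event ID 1 (process
# creation) records, reduced to the fields the check needs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": r"C:\Windows\System32\BitLockerToGo.exe",
     "OriginalFileName": "BitLockerToGo.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice"},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\bitlockertogo.EXE",
     "OriginalFileName": "BitLockerToGo.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "User": r"CORP\alice"},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice"},
    # A network-connection event (ID 3) for the same image: not a process
    # creation, so an execution check must ignore it.
    {"EventID": "3",
     "Image": r"C:\Windows\System32\BitLockerToGo.exe",
     "User": r"CORP\alice"},
]


def matches_bitlockertogo(event: Dict[str, str]) -> bool:
    """True for a process-creation event whose image path ends in
    \\BitLockerToGo.exe or whose OriginalFileName is BitLockerToGo.exe.
    Checking OriginalFileName as well catches the binary when it has been
    copied under a different file name."""
    if event.get("EventID") != "1":
        return False
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME


def triage_context(event: Dict[str, str]) -> str:
    """Assumed triage hint: a parent outside C:\\Windows (e.g. an installer
    in a user's Temp directory) is a stronger signal than explorer.exe."""
    parent = event.get("ParentImage", "").lower()
    if parent.startswith("c:\\windows\\"):
        return "parent under C:\\Windows"
    return "parent outside C:\\Windows"


def find_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert record per matching process-creation event."""
    return [
        {
            "Image": e["Image"],
            "ParentImage": e.get("ParentImage", ""),
            "User": e.get("User", ""),
            "Context": triage_context(e),
        }
        for e in events
        if matches_bitlockertogo(e)
    ]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

Note that a hollowed process still carries the legitimate image path of the executable that was started, so a name-based match of this kind fires regardless of what code was later written into the process; the parent image and the user are the fields that then separate an interactive encryption of a USB stick from an unexpected launch by an installer or other unusual parent.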

Rule History

Author                    Title                                                             Date        Commit
Nasreddine Bencherchali   Merge PR #4950 from @nasbench - Comply With v2 Spec Changes       2024-08-12
Josh                      Merge PR #4902 from @joshnck - Add `BitlockerTogo.EXE Execution`  2024-07-11