BitLockerTogo.EXE Execution

Rule Info

Name
BitLockerTogo.EXE Execution
Author
Josh Nickels, mttaggart
Description
Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
Reference
https://tria.ge/240521-ynezpagf56/behavioral1
Date
2024-07-11 00:00:00
Modified
None
Id
7f2376f9-42ee-4dfc-9360-fecff9a88fc8
Tags
attack.defense-evasion attack.t1218 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=7f2376f9-42ee-4dfc-9360-fecff9a88fc8

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Josh
Merge PR #4902 from @joshnck - Add `BitlockerTogo.EXE Execution`
2024-07-11
784ae8d01
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022