Suspicious BitLocker Access Agent Update Utility Execution

Rule Info

Name: Suspicious BitLocker Access Agent Update Utility Execution
Author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe), which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
Date: 2025-10-18 00:00:00
Modified: None
Id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512
Tags: attack.defense-evasion attack.t1218 attack.lateral-movement attack.t1021.003
Type: Community Rule

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5533 from @swachchhanda000 - fix: github reported issues
Date: 2025-10-18
Commit: