BaaUpdate.exe Suspicious DLL Load

 1title: BaaUpdate.exe Suspicious DLL Load
 2id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984
 3related:
 4    - id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512 # Suspicious BitLocker Access Agent Update Utility Execution
 5      type: similar
 6status: experimental
 7description: |
 8    Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
 9    This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
10    which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.    
11references:
12    - https://github.com/rtecCyberSec/BitlockMove
13author: Swachchhanda Shrawan Poudel (Nextron Systems)
14date: 2025-10-18
15tags:
16    - attack.defense-evasion
17    - attack.t1218
18    - attack.lateral-movement
19    - attack.t1021.003
20logsource:
21    category: image_load
22    product: windows
23detection:
24    selection:
25        Image|endswith: '\BaaUpdate.exe'
26        ImageLoaded|endswith: '.dll'
27        ImageLoaded|contains:
28            - ':\Perflogs\'
29            - ':\Users\Default\'
30            - ':\Users\Public\'
31            - ':\Windows\Temp\'
32            - '\AppData\Local\Temp\'
33            - '\AppData\Roaming\'
34            - '\Contacts\'
35            - '\Favorites\'
36            - '\Favourites\'
37            - '\Links\'
38            - '\Music\'
39            - '\Pictures\'
40            - '\ProgramData\'
41            - '\Temporary Internet'
42            - '\Videos\'
43    condition: selection
44falsepositives:
45    - Unknown
46level: high