Suspicious BitLocker Access Agent Update Utility Execution
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
Sigma rule
title: Suspicious BitLocker Access Agent Update Utility Execution
id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512
related:
  - id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984 # BaaUpdate.exe Suspicious DLL Load
    type: similar
status: experimental
description: |
  Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
  Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
references:
  - https://github.com/rtecCyberSec/BitlockMove
author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
  - attack.defense-evasion
  - attack.t1218
  - attack.lateral-movement
  - attack.t1021.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\baaupdate.exe'
    Image|endswith:
      - '\bitsadmin.exe'
      - '\cmd.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\powershell_ise.exe'
      - '\powershell.exe'
      - '\regsvr32.exe'
      - '\rundll32.exe'
      - '\schtasks.exe'
      - '\wmic.exe'
      - '\wscript.exe'
  condition: selection
falsepositives:
  - Unknown
level: high
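To show what the selection above actually matches, here is an added example (not part of the Sigma rule or the SigmaHQ project) that re-implements the rule's logic in plain Python and runs it over a handful of constructed process_creation events. The event dictionaries and their paths are made up for illustration; the suffix lists are copied from the rule. Sigma string modifiers such as endswith compare case-insensitively by default, so the example lowercases both sides before comparing.

```python
from typing import Dict, Iterable, List

# Selection values copied from the rule above.
PARENT_SUFFIX = "\\baaupdate.exe"
CHILD_SUFFIXES = (
    "\\bitsadmin.exe", "\\cmd.exe", "\\cscript.exe", "\\mshta.exe",
    "\\powershell_ise.exe", "\\powershell.exe", "\\regsvr32.exe",
    "\\rundll32.exe", "\\schtasks.exe", "\\wmic.exe", "\\wscript.exe",
)


def _endswith_ci(value: str, suffix: str) -> bool:
    # Sigma's default string matching is case-insensitive.
    return value.lower().endswith(suffix.lower())


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's 'selection' block:
    ParentImage ends with \\baaupdate.exe AND Image ends with one of the
    listed living-off-the-land binaries."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    if not _endswith_ci(parent, PARENT_SUFFIX):
        return False
    return any(_endswith_ci(image, suffix) for suffix in CHILD_SUFFIXES)


def find_matches(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of process_creation events down to rule hits."""
    return [event for event in events if matches_rule(event)]


# Constructed sample telemetry (hypothetical, not real log data).
SAMPLE_EVENTS = [
    # Hit: baaupdate.exe spawning cmd.exe.
    {"ParentImage": r"C:\Windows\System32\baaupdate.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Hit: mixed-case parent, powershell.exe child (case-insensitive match).
    {"ParentImage": r"C:\Windows\System32\BaaUpdate.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Miss: same child, but the parent is not baaupdate.exe.
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Miss: baaupdate.exe parent, but conhost.exe is not in the child list.
    {"ParentImage": r"C:\Windows\System32\baaupdate.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT: {hit['ParentImage']} -> {hit['Image']}")
```

Running the block prints two alerts: the first two sample events match, the third fails on the parent check and the fourth fails on the child list. When tuning the rule, the fourth case is the one to watch: a legitimate update of the BitLocker Access Agent may spawn helpers that are not in the list, which is why the rule keys on well-known LOLBins rather than on any child of baaupdate.exe.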
Related rules
- BaaUpdate.exe Suspicious DLL Load
- Potential Exploitation of RCE Vulnerability CVE-2025-33053
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
- WannaCry Ransomware Activity