BitLockerTogo.EXE Execution

Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature covers the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted with the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application, so any use of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.

Sigma rule

title: BitLockerTogo.EXE Execution
id: 7f2376f9-42ee-4dfc-9360-fecff9a88fc8
status: experimental
description: |
    Detects the execution of "BitLockerToGo.EXE".
    BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
    This is a rarely used application and usage of it at all is worth investigating.
    Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
references:
    - https://tria.ge/240521-ynezpagf56/behavioral1
    - https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091
    - https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/
    - https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/
author: Josh Nickels, mttaggart
date: 2024-07-11
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\BitLockerToGo.exe'
    condition: selection
falsepositives:
    - Legitimate usage of BitLockerToGo.exe to encrypt portable devices.
level: low
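As an added example (not code from the rule's authors or the Sigma project), a small Python evaluator that applies this rule's selection to process_creation events the way a Sigma backend would: string matching is case-insensitive, `Image|endswith` is an anchored suffix test, and the logsource gates which events are even considered. The event field names (`Image`, `ParentImage`) follow the Sysmon/Sigma process_creation convention and the sample events are constructed, not real telemetry.

```python
"""Apply the BitLockerToGo.EXE Sigma selection to constructed process_creation events."""

# The page's rule reduced to the fields the matcher needs (values copied from the rule above).
RULE = {
    "id": "7f2376f9-42ee-4dfc-9360-fecff9a88fc8",
    "title": "BitLockerTogo.EXE Execution",
    "level": "low",
    "logsource": {"category": "process_creation", "product": "windows"},
    "selection": {"Image|endswith": "\\BitLockerToGo.exe"},
}

def _field_matches(event: dict, key: str, wanted) -> bool:
    """Sigma string matching is case-insensitive; 'field|modifier' picks the comparison."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    needles = wanted if isinstance(wanted, list) else [wanted]
    value, needles = value.lower(), [str(n).lower() for n in needles]
    if modifier == "endswith":
        return any(value.endswith(n) for n in needles)
    if modifier == "startswith":
        return any(value.startswith(n) for n in needles)
    if modifier == "contains":
        return any(n in value for n in needles)
    return value in needles  # no modifier: exact (case-insensitive) match

def selection_matches(event: dict, selection: dict) -> bool:
    """All key/value pairs inside one Sigma selection map are ANDed."""
    return all(_field_matches(event, k, v) for k, v in selection.items())

def evaluate(events: list, rule: dict = RULE) -> list:
    """Return one alert per matching event; the logsource filters events first."""
    src, alerts = rule["logsource"], []
    for ev in events:
        if ev.get("category") != src["category"] or ev.get("product") != src["product"]:
            continue
        if selection_matches(ev, rule["selection"]):
            alerts.append({"rule": rule["id"], "level": rule["level"],
                           "Image": ev["Image"], "ParentImage": ev.get("ParentImage")})
    return alerts

# Constructed sample events: two hits (one with mixed case), a look-alike, and a wrong logsource.
SAMPLE_EVENTS = [
    {"category": "process_creation", "product": "windows",
     "Image": "C:\\Windows\\System32\\BitLockerToGo.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"category": "process_creation", "product": "windows",
     "Image": "C:\\Windows\\System32\\BITLOCKERTOGO.EXE", "ParentImage": "C:\\Temp\\setup.exe"},
    {"category": "process_creation", "product": "windows",
     "Image": "C:\\Windows\\System32\\BitLockerWizard.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"category": "process_creation", "product": "linux", "Image": "/tmp/BitLockerToGo.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The `ParentImage` carried into each alert is for triage context only; the rule itself matches solely on the image path suffix, which is why the level is low and legitimate use must be ruled out manually.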
