Suspicious BitLocker Access Agent Update Utility Execution

### Description of the Idea of the Rule

```
title: Suspicious BitLocker Access Agent Update Utility Execution
description: This analytic looks for suspicious BitLocker Access Agent Update Utility Execution. 
tags:
    - attack.t1574.002
author: @andrewdanis
references:
    - https://github.com/rtecCyberSec/BitlockMove
logsource:
    category: process_creation
    product: windows
detection:
    condition: 'Section_1'
    Section_1:
        ParentImage|endswith: \baaupdate.exe
falsepositives:
  - None noted. baaupdate seems to never legitimately spawn as a parent process.
level: high
status: test
```

### Public References / Example Event Log

https://github.com/rtecCyberSec/BitlockMove


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Suspicious BitLocker Access Agent Update Utility Execution #5502

Description of the Idea of the Rule

Public References / Example Event Log

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Suspicious BitLocker Access Agent Update Utility Execution #5502

Description

Description of the Idea of the Rule

Public References / Example Event Log

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions