BaaUpdate.exe Suspicious DLL Load
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
Severity
Attention
Rule Requirement
Criteria
Action1:
actionname = "Image Loaded" AND (PROCESSNAME endswith "\BaaUpdate.exe" AND (OBJECTNAME endswith ".dll" OR OBJECTNAME contains ":\Perflogs,:\Users\Default,:\Users\Public,:\Windows\Temp,\AppData\Local\Temp,\AppData\Roaming,\Contacts,\Favorites,\Favourites,\Links,\Music,\Pictures,\ProgramData,\Temporary Internet,\Videos"))
select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.PRODUCT_NAME,Action1.OBJECTNAME,Action1.SIGNATURE,Action1.SIGNATURESTATUS
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel (Nextron Systems)


