BaaUpdate.exe Suspicious DLL Load

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "Image Loaded" AND (PROCESSNAME endswith "\BaaUpdate.exe" AND (OBJECTNAME endswith ".dll" OR OBJECTNAME contains ":\Perflogs,:\Users\Default,:\Users\Public,:\Windows\Temp,\AppData\Local\Temp,\AppData\Roaming,\Contacts,\Favorites,\Favourites,\Links,\Music,\Pictures,\ProgramData,\Temporary Internet,\Videos")) select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.PRODUCT_NAME,Action1.OBJECTNAME,Action1.SIGNATURE,Action1.SIGNATURESTATUS

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Swachchhanda Shrawan Poudel (Nextron Systems)