Suspicious BitLocker Access Agent Update Utility Execution

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects the execution of the BitLocker Access Agent Update Utility which is not a common parent process for other processes.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "Process started" AND ( PARENTPROCESSNAME endswith "\baaupdate.exe" AND ( PROCESSNAME endswith "\bitsadmin.exe,\cmd.exe,\cscript.exe,\mshta.exe,\powershell_ise.exe,\powershell.exe,\regsvr32.exe,\rundll32.exe,\schtasks.exe,\wmic.exe,\wscript.exe" OR ORIGINALFILENAME contains "bitsadmin.exe,cmd.exe,cscript.exe,mshta.exe,powershell_ise.exe,powershell.exe,regsvr32.exe,rundll32.exe,schtasks.exe,wmic.exe,wscript.exe" )) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)