BaaUpdate.exe Suspicious DLL Load

Title: BaaUpdate.exe Suspicious DLL Load
Status: experimental
Description:Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking. This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94) which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
References:
  -https://github.com/rtecCyberSec/BitlockMove
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-10-18
modified:None
Tags:

• -'attack.defense-evasion'
• -'attack.t1218'
• -'attack.lateral-movement'
• -'attack.t1021.003'

Logsource:

• category: image_load
• product: windows

Detection:
  selection:
    Image|endswith: '\BaaUpdate.exe'
    ImageLoaded|endswith: '.dll'
    ImageLoaded|contains:
      -':\Perflogs\'
      -':\Users\Default\'
      -':\Users\Public\'
      -':\Windows\Temp\'
      -'\AppData\Local\Temp\'
      -'\AppData\Roaming\'
      -'\Contacts\'
      -'\Favorites\'
      -'\Favourites\'
      -'\Links\'
      -'\Music\'
      -'\Pictures\'
      -'\ProgramData\'
      -'\Temporary Internet'
      -'\Videos\'

  condition:selection
Falsepositives:
  -Unknown
Level: high