Suspicious BitLocker Access Agent Update Utility Execution

Original Source: [Sigma source]
Title: Suspicious BitLocker Access Agent Update Utility Execution
Status: experimental
Description: Detects suspicious child processes spawned by the BitLocker Access Agent Update Utility (baaupdate.exe), which is not a common parent process for other processes. Scripting hosts, LOLBins or shells started by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM and COM hijacking, as described in the BitlockMove reference below.
References:
  - https://github.com/rtecCyberSec/BitlockMove
Author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-10-18
Modified: None
Tags:
  • attack.defense-evasion
  • attack.t1218
  • attack.lateral-movement
  • attack.t1021.003
Logsource:
  • category: process_creation
  • product: windows
Detection:
  selection:
    ParentImage|endswith: '\baaupdate.exe'
    Image|endswith:
      - '\bitsadmin.exe'
      - '\cmd.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\powershell_ise.exe'
      - '\powershell.exe'
      - '\regsvr32.exe'
      - '\rundll32.exe'
      - '\schtasks.exe'
      - '\wmic.exe'
      - '\wscript.exe'

  condition: selection
Falsepositives:
  - Unknown
Level: high
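The following is an added example, not part of the Sigma rule or the SigmaHQ/BitlockMove projects: it reimplements the rule's selection and condition in plain Python and runs it over a handful of constructed process_creation events, so you can see exactly which events fire and which do not. Two details a practitioner should check in their own pipeline are built in: Sigma's `endswith` modifier is case-insensitive (a parent logged as BAAUPDATE.EXE must still match), and events from Windows Security Event ID 4688 carry the fields as NewProcessName / ParentProcessName rather than the Image / ParentImage names the rule uses, so they must be mapped before matching. All paths, command lines and event IDs in the sample events are hypothetical test data.

```python
"""Evaluate the rule's selection against constructed process_creation events (added example)."""

# Selection values copied from the rule above; each is matched with Sigma's endswith modifier.
PARENT_SUFFIX = "\\baaupdate.exe"
CHILD_SUFFIXES = (
    "\\bitsadmin.exe", "\\cmd.exe", "\\cscript.exe", "\\mshta.exe",
    "\\powershell_ise.exe", "\\powershell.exe", "\\regsvr32.exe",
    "\\rundll32.exe", "\\schtasks.exe", "\\wmic.exe", "\\wscript.exe",
)

# Windows Security 4688 field names -> the Sigma field names used by the rule.
# Sysmon Event ID 1 already logs Image / ParentImage, so it passes through unchanged.
FIELD_MAP = {"NewProcessName": "Image", "ParentProcessName": "ParentImage"}


def normalize(event):
    """Rename 4688-style fields to the Sigma names; leave Sysmon-style events untouched."""
    return {FIELD_MAP.get(k, k): v for k, v in event.items()}


def sigma_endswith(value, suffix):
    """Sigma's endswith modifier is case-insensitive unless |cased is added to the field."""
    return isinstance(value, str) and value.lower().endswith(suffix.lower())


def matches(event):
    """'condition: selection': every field in the selection map must match (logical AND)."""
    ev = normalize(event)
    parent_ok = sigma_endswith(ev.get("ParentImage"), PARENT_SUFFIX)
    child_ok = any(sigma_endswith(ev.get("Image"), s) for s in CHILD_SUFFIXES)
    return parent_ok and child_ok


# Constructed sample events (hypothetical paths, command lines and IDs, not real telemetry).
SAMPLE_EVENTS = [
    {   # Sysmon EID 1: baaupdate.exe spawning cmd.exe -> should alert
        "EventID": 1, "ParentImage": r"C:\Windows\System32\baaupdate.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
    },
    {   # Security 4688 field names and an upper-case parent -> should still alert
        "EventID": 4688, "ParentProcessName": r"C:\WINDOWS\SYSTEM32\BAAUPDATE.EXE",
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # baaupdate.exe spawning a child that is not in the list -> no alert
        "EventID": 1, "ParentImage": r"C:\Windows\System32\baaupdate.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
    },
    {   # cmd.exe from an ordinary parent -> no alert
        "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
    },
    {   # Parent path only contains the suffix, does not end with it -> no alert
        "EventID": 1, "ParentImage": r"C:\Tools\baaupdate.exe.bak",
        "Image": r"C:\Windows\System32\cmd.exe",
    },
    {   # Event with no parent information at all -> no alert
        "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
    },
]


def alerts(events):
    """Return the indexes of the events that fire the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        ev = normalize(SAMPLE_EVENTS[i])
        print(f"ALERT event[{i}]: {ev['ParentImage']} -> {ev['Image']}")
```

Running the block reports events 0 and 1 only. If your SIEM's Sigma backend does not apply a field mapping for 4688, the second event is silently missed, which is the first thing to verify when deploying this rule against Security log telemetry rather than Sysmon.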