Name:Windows BitLockerToGo with Network Activity
id:14e3a089-cc23-4f4d-a770-26e44a31fbac
version:1
date:2024-11-13
author:Michael Haag, Nasreddine Bencherchali, Splunk
status:production
type:Hunting
Description:The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits for malicious purposes. If confirmed malicious, this could indicate an active data theft campaign targeting cryptocurrency wallets, browser credentials, and password manager archives. The detection focuses on identifying BitLockerToGo.exe execution patterns that deviate from normal system behavior.
Data_source:
search:`sysmon` EventCode=22 process_name="bitlockertogo.exe"
  | stats count min(_time) as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer
  | rename Computer as dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_bitlockertogo_with_network_activity_filter`
how_to_implement:To successfully implement this search, you need to be ingesting endpoint logs that include the process name and EventCode 22 (DNS query) events. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
known_false_positives:False positives are likely, as BitLockerToGo.exe is a legitimate Windows utility used for managing BitLocker encryption. However, the detection is designed to flag unusual execution patterns that deviate from standard usage. Filtering may be required to reduce false positives; once confirmed, move to TTP.
References:
- https://any.run/report/5e9ba24639f70787e56f10a241271ae819ef9c573edb22b9eeade7cb40a2df2a/66f16c7b-2cfc-40c5-91cc-f1cbe9743fa3
- https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/
drilldown_searches:
tags:
  analytic_story:
    - 'Lumma Stealer'
  asset_type:Endpoint
  confidence:80
  impact:70
  message:BitLockerToGo.exe was executed with network activity on $dest$.
  mitre_attack_id:
    - 'T1218'
  observable:
    name:'dest'
    type:'Endpoint'
    role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'process_name'
    - 'process_guid'
    - 'Computer'
    - 'query'
    - 'answer'
    - 'QueryResults'
    - 'QueryStatus'
    - 'dest'
  risk_score:70
  security_domain:endpoint