Skip to content

Hide Navigation Hide TOC

Suspicious BitLocker Access Agent Update Utility Execution (9f38c1db-e2ae-40bf-81d0-5b68f73fb512)

Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.

Cluster A Galaxy A Cluster B Galaxy B Level
Suspicious BitLocker Access Agent Update Utility Execution (9f38c1db-e2ae-40bf-81d0-5b68f73fb512) Sigma-Rules System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 1
Suspicious BitLocker Access Agent Update Utility Execution (9f38c1db-e2ae-40bf-81d0-5b68f73fb512) Sigma-Rules Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 2