← Back to SOC feed Coverage →

BaaUpdate.exe Suspicious DLL Load

sigma HIGH SigmaHQ
T1218T1021.003
DeviceImageLoadEvents
credential-theftlateral-movement
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-05T03:15:55Z · Confidence: low

Hunt Hypothesis

Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM &

Detection Rule

Sigma (Original)

title: BaaUpdate.exe Suspicious DLL Load
id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984
related:
    - id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512 # Suspicious BitLocker Access Agent Update Utility Execution
      type: similar
status: experimental
description: |
    Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
    This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
    which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
references:
    - https://github.com/rtecCyberSec/BitlockMove
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
    - attack.stealth
    - attack.t1218
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\BaaUpdate.exe'
        ImageLoaded|endswith: '.dll'
        ImageLoaded|contains:
            - ':\Perflogs\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Favorites\'
            - '\Favourites\'
            - '\Links\'
            - '\Music\'
            - '\Pictures\'
            - '\ProgramData\'
            - '\Temporary Internet'
            - '\Videos\'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Microsoft 365 Defender)

DeviceImageLoadEvents
| where InitiatingProcessFolderPath endswith "\\BaaUpdate.exe" and FolderPath endswith ".dll" and (FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\Default\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Roaming\\" or FolderPath contains "\\Contacts\\" or FolderPath contains "\\Favorites\\" or FolderPath contains "\\Favourites\\" or FolderPath contains "\\Links\\" or FolderPath contains "\\Music\\" or FolderPath contains "\\Pictures\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Temporary Internet" or FolderPath contains "\\Videos\\")

Required Data Sources

Sentinel TableNotes
DeviceImageLoadEventsEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_susp_baaupdate_dll_load.yml