LoFP / false positives are likely, as bitlockertogo.exe is a legitimate windows utility used for managing bitlocker encryption. however, the detection is designed to flag unusual execution patterns that deviate from standard usage. filtering may be required to reduce false positives, once confirmed - move to ttp.

• T1218

Sample rules

Windows BitLockerToGo with Network Activity

• source: splunk
• technicques:
  • T1218

Description

The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits for malicious purposes. If confirmed malicious, this could indicate an active data theft campaign targeting cryptocurrency wallets, browser credentials, and password manager archives. The detection focuses on identifying BitLockerToGo.exe execution patterns that deviate from normal system behavior.

Detection logic

`sysmon` EventCode=22 process_name="bitlockertogo.exe"
  
| stats count min(_time) as firstTime max(_time) as lastTime
    BY answer answer_count dvc
       process_exec process_guid process_name
       query query_count reply_code_id
       signature signature_id src
       user_id vendor_product QueryName
       QueryResults QueryStatus
  
| `security_content_ctime(firstTime)`
  
| `security_content_ctime(lastTime)`
  
| `windows_bitlockertogo_with_network_activity_filter`

Windows BitLockerToGo Process Execution

• source: splunk
• technicques:
  • T1218

Description

The following analytic detects BitLockerToGo.exe execution, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits. However, note that if legitimate use of BitLockerToGo.exe is in the organization, this detection will

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name=bitlockertogo.exe
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_bitlockertogo_process_execution_filter`