EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

Windows BitLockerToGo with Network Activity

The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits for malicious purposes. If confirmed malicious, this could indicate an active data theft campaign targeting cryptocurrency wallets, browser credentials, and password manager archives. The detection focuses on identifying BitLockerToGo.exe execution patterns that deviate from normal system behavior.

MITRE ATT&CK

T1218

Detection Query

`sysmon` EventCode=22 process_name="bitlockertogo.exe"
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY answer answer_count dvc
       process_exec process_guid process_name
       query query_count reply_code_id
       signature signature_id src
       user_id vendor_product QueryName
       QueryResults QueryStatus
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_bitlockertogo_with_network_activity_filter`

Author

Michael Haag, Nasreddine Bencherchali, Splunk

Created

2026-02-25

Data Sources

Sysmon EventID 22

References

Tags

Lumma StealerHellcat Ransomware
Raw Content
name: Windows BitLockerToGo with Network Activity
id: 14e3a089-cc23-4f4d-a770-26e44a31fbac
version: 7
date: '2026-02-25'
author: Michael Haag, Nasreddine Bencherchali, Splunk
data_source:
    - Sysmon EventID 22
type: Hunting
status: production
description: The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits for malicious purposes. If confirmed malicious, this could indicate an active data theft campaign targeting cryptocurrency wallets, browser credentials, and password manager archives. The detection focuses on identifying BitLockerToGo.exe execution patterns that deviate from normal system behavior.
search: |-
    `sysmon` EventCode=22 process_name="bitlockertogo.exe"
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY answer answer_count dvc
           process_exec process_guid process_name
           query query_count reply_code_id
           signature signature_id src
           user_id vendor_product QueryName
           QueryResults QueryStatus
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_bitlockertogo_with_network_activity_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
known_false_positives: False positives are likely, as BitLockerToGo.exe is a legitimate Windows utility used for managing BitLocker encryption. However, the detection is designed to flag unusual execution patterns that deviate from standard usage. Filtering may be required to reduce false positives, once confirmed - move to TTP.
references:
    - https://any.run/report/5e9ba24639f70787e56f10a241271ae819ef9c573edb22b9eeade7cb40a2df2a/66f16c7b-2cfc-40c5-91cc-f1cbe9743fa3
    - https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/
tags:
    analytic_story:
        - Lumma Stealer
        - Hellcat Ransomware
    asset_type: Endpoint
    mitre_attack_id:
        - T1218
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo_windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog