
BitLockerTogo.EXE Execution

Sigma Rules

Summary
The rule "BitLockerTogo.EXE Execution" detects execution of the BitLocker To Go application on Windows systems. BitLocker To Go encrypts removable data drives, protecting their contents by requiring a password or recovery key for access. Because this utility is rarely run in standard operational environments, its execution, particularly under suspicious conditions, warrants further investigation. The detection matches process executions whose image path ends with 'BitLockerToGo.exe'. Notably, this binary has been abused as a target for process hollowing, most prominently by the Lumma stealer malware. Its execution should be monitored to confirm it is not being used for illegitimate purposes, while allowing for false positives from legitimate encryption of portable devices.
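To show how the detection described above behaves on process-creation telemetry, here is an added Python example that is not the rule's own source or the Sigma project's code. It reproduces the "image ends with BitLockerToGo.exe" match (case-insensitive, as Sigma string modifiers are by default) over constructed events, and adds an analyst triage field based on an assumed expected install directory, since the match alone cannot separate legitimate removable-drive encryption from abuse.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str


# Sigma 'endswith' modifiers compare case-insensitively by default,
# so both sides are lower-cased before the suffix check.
IMAGE_SUFFIX = "\\bitlockertogo.exe"

# Assumed location of the legitimate binary (assumption for this example).
EXPECTED_DIR = "c:\\windows\\system32\\"


def matches(event: ProcessEvent) -> bool:
    """Replicates the rule's selection: Image|endswith '\\BitLockerToGo.exe'."""
    return event.image.lower().endswith(IMAGE_SUFFIX)


def triage(event: ProcessEvent) -> str:
    """Enrich a hit with where the binary ran from, so an analyst can
    prioritise copies running outside the expected directory."""
    if not matches(event):
        return "no-match"
    if event.image.lower().startswith(EXPECTED_DIR):
        return "match:expected-path"
    return "match:unexpected-path"


def run(events: Iterable[ProcessEvent]) -> list[tuple[str, str]]:
    """Evaluate every event and return (image, verdict) pairs."""
    return [(e.image, triage(e)) for e in events]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\BitLockerToGo.exe", "BitLockerToGo.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\Public\BitLockerToGo.exe", "BitLockerToGo.exe", r"C:\Users\Public\setup.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, verdict in run(SAMPLE_EVENTS):
        print(f"{verdict:24} {image}")
```

The first sample event is the kind of legitimate use the rule description warns produces false positives; the path field is what lets an analyst tell it apart from the second.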
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2024-07-11