
Summary
This analytic is designed to detect the execution of BitLockerToGo.exe, a legitimate Windows utility that has been abused by the Lumma stealer malware. Lumma uses this process to manipulate registry keys, search for sensitive cryptocurrency wallets and credentials, and exfiltrate the data it finds. The detection relies on process-creation telemetry from Sysmon Event ID 1 and Windows Security Event ID 4688 to identify and alert on this potentially malicious activity. Because BitLockerToGo.exe offers substantial functionality, including file manipulation and registry modification, its misuse indicates a significant security threat. Legitimate use of this tool will produce false positives, so the detection rule must be monitored and tuned continuously, especially in environments where BitLockerToGo.exe is actively used.
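The following is an added illustration, not part of the original analytic or its query, of the detection logic the summary describes: both Sysmon Event ID 1 and Security 4688 records are normalized onto one schema, any process image named BitLockerToGo.exe is flagged, and an optional parent-process allowlist models the tuning the summary calls for. The event records, field names and host/user values are constructed sample data; the `allowed_parents` parameter and the "expected location" check are assumptions of this example, not properties of the original rule.

```python
import ntpath

# Event sources this analytic consumes: Sysmon process creation and
# Windows Security "A new process has been created".
PROCESS_CREATION_EVENTS = {("sysmon", 1), ("security", 4688)}
TARGET_IMAGE = "bitlockertogo.exe"
# Assumption for this example: the utility normally lives under System32,
# so any other location is worth a closer look during triage.
EXPECTED_DIR = r"c:\windows\system32"

# Constructed sample telemetry (not real logs). Field names mimic the two
# event types after parsing into dictionaries.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\BitLockerToGo.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "BitLockerToGo.exe"},
    {"source": "sysmon", "event_id": 1, "host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\BitLockerToGo.exe",
     "parent_image": r"C:\Users\bob\Downloads\setup.exe",
     "command_line": "BitLockerToGo.exe"},
    {"source": "security", "event_id": 4688, "host": "WS03", "user": "CORP\\carol",
     "new_process_name": r"C:\Windows\System32\bitlockertogo.exe",
     "creator_process_name": r"C:\Windows\explorer.exe",
     "process_command_line": "bitlockertogo.exe"},
    {"source": "security", "event_id": 4688, "host": "WS03", "user": "CORP\\carol",
     "new_process_name": r"C:\Windows\System32\notepad.exe",
     "creator_process_name": r"C:\Windows\explorer.exe",
     "process_command_line": "notepad.exe"},
    # A Sysmon network-connection event: not process creation, must be ignored.
    {"source": "sysmon", "event_id": 3, "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\BitLockerToGo.exe"},
]


def normalize(event):
    """Map a Sysmon 1 or Security 4688 record onto one schema.

    Returns None for anything that is not a process-creation event, so the
    detector only evaluates the two data sources the analytic names.
    """
    key = (event.get("source"), event.get("event_id"))
    if key not in PROCESS_CREATION_EVENTS:
        return None
    if key == ("sysmon", 1):
        image = event["image"]
        parent = event["parent_image"]
        cmdline = event.get("command_line", "")
    else:  # Security 4688 uses different field names for the same facts
        image = event["new_process_name"]
        parent = event["creator_process_name"]
        cmdline = event.get("process_command_line", "")
    return {
        "source": f"{key[0]}:{key[1]}",
        "host": event.get("host", ""),
        "user": event.get("user", ""),
        "image": image,
        "parent": parent,
        "command_line": cmdline,
    }


def detect(events, allowed_parents=frozenset()):
    """Return an alert for every BitLockerToGo.exe process creation.

    allowed_parents is a tuning knob (an assumption of this example): parent
    images an organization has confirmed as legitimate launchers are dropped
    to reduce false positives. Matching is case-insensitive because Windows
    paths are logged with inconsistent casing across sources.
    """
    allowed = {p.lower() for p in allowed_parents}
    alerts = []
    for raw in events:
        ev = normalize(raw)
        if ev is None:
            continue
        if ntpath.basename(ev["image"]).lower() != TARGET_IMAGE:
            continue
        if ev["parent"].lower() in allowed:
            continue
        # Enrich the alert with a triage hint rather than suppressing it.
        ev["unexpected_location"] = ntpath.dirname(ev["image"]).lower() != EXPECTED_DIR
        alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, allowed_parents={r"C:\Windows\explorer.exe"}):
        print(alert["source"], alert["host"], alert["user"], alert["image"],
              "unexpected_location=%s" % alert["unexpected_location"])
```

Run without an allowlist, all three BitLockerToGo.exe launches alert; with explorer.exe allowlisted, only the launch from a non-standard directory remains, which is the tuning trade-off the summary describes: the allowlist should be built from observed legitimate usage in the specific environment, and the location hint helps an analyst decide which remaining alerts deserve attention first.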
Categories
- Endpoint
Data Sources
- Pod
- User Account
- Windows Registry
- Process
ATT&CK Techniques
- T1218
Created: 2025-01-21