
Summary
This rule detects suspicious activity involving BitLockerToGo.exe, a legitimate Windows utility that malware, specifically the Lumma stealer, has been observed abusing. Lumma stealer has been documented manipulating BitLockerToGo to steal sensitive information such as cryptocurrency wallets, credentials stored in browsers, and password-manager data, altering registry entries and performing actions the utility would not normally carry out. The detection relies on Sysmon Event ID 22 to monitor for anomalous patterns in the execution of BitLockerToGo that may indicate a data-theft campaign. Because the utility can view, copy, and write files and modify registry branches, monitoring it is important for identifying potential exploitation. The rule tracks executions of BitLockerToGo and flags those that deviate from its typical operational behavior.
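The following is an added example, not the rule's own logic, showing how "deviation from typical operational behavior" can be expressed as detection code run over Sysmon-style events. It assumes a baseline in which BitLockerToGo.exe runs from the System32 directory with explorer.exe as its parent, uses Sysmon process-creation (Event ID 1) and registry-value-set (Event ID 13) records rather than the Event ID 22 named above, and treats any registry write by the utility into a user hive (HKU) as anomalous; the sample events are constructed, not real telemetry.

```python
"""Flag BitLockerToGo.exe activity that deviates from an assumed baseline (added example)."""
from typing import Dict, List

# Assumed baseline for "typical" BitLockerToGo behavior (an assumption, not from the rule).
EXPECTED_IMAGE_DIR = "c:\\windows\\system32\\"
EXPECTED_PARENTS = {"c:\\windows\\explorer.exe"}

# Constructed Sysmon-style events in the shape of a JSON/EVTX export; none are real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-21 10:00:01", "EventID": 1,
     "Image": "C:\\Windows\\System32\\BitLockerToGo.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},                       # benign
    {"UtcTime": "2025-01-21 10:02:14", "EventID": 1,
     "Image": "C:\\Users\\Public\\BitLockerToGo.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},  # copied out of System32
    {"UtcTime": "2025-01-21 10:02:20", "EventID": 1,
     "Image": "C:\\Windows\\System32\\BitLockerToGo.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},  # unusual parent
    {"UtcTime": "2025-01-21 10:02:25", "EventID": 13,
     "Image": "C:\\Windows\\System32\\BitLockerToGo.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Example\\Config"},  # user-hive write
    {"UtcTime": "2025-01-21 10:03:00", "EventID": 13,
     "Image": "C:\\Windows\\System32\\BitLockerToGo.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\FVE\\Example"},  # assumed benign
    {"UtcTime": "2025-01-21 10:04:00", "EventID": 1,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},                       # not in scope
]


def is_bitlockertogo(image: str) -> bool:
    """True when the event's Image field names BitLockerToGo.exe (case-insensitive)."""
    return image.lower().endswith("\\bitlockertogo.exe")


def evaluate(event: Dict[str, object]) -> List[str]:
    """Return the reasons an event deviates from the baseline; an empty list means no alert."""
    reasons: List[str] = []
    image = str(event.get("Image", ""))
    if not is_bitlockertogo(image):
        return reasons

    event_id = event.get("EventID")
    if event_id == 1:  # process creation
        if not image.lower().startswith(EXPECTED_IMAGE_DIR):
            reasons.append("image outside expected directory")
        parent = str(event.get("ParentImage", "")).lower()
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent process: {parent or 'unknown'}")
    elif event_id == 13:  # registry value set
        target = str(event.get("TargetObject", ""))
        if target.upper().startswith("HKU\\"):
            reasons.append(f"registry write to user hive: {target}")
    return reasons


def scan(events) -> List[Dict[str, object]]:
    """Run evaluate() over a stream of events and collect the ones that should alert."""
    alerts = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            alerts.append({"UtcTime": ev.get("UtcTime"), "EventID": ev.get("EventID"),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["UtcTime"], alert["EventID"], "; ".join(alert["reasons"]))
```

Each alert carries every reason that fired, so a copy of the binary launched by an unexpected parent produces two reasons on one event; that makes tuning easier than a single boolean, and the baseline sets at the top are the parts a deployment would adjust after confirming what the utility actually does in its own environment.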
Categories
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1218
Created: 2025-01-21