A novel lateral movement technique exploits BitLocker's Component Object Model (COM) functionality to execute malicious code on target systems.
The technique, demonstrated via the BitLockMove proof-of-concept tool, represents a sophisticated evolution in lateral movement tactics that bypasses traditional detection mechanisms while leveraging legitimate Windows components.
BitLocker, Microsoft's full disk encryption feature designed to protect data through whole-volume encryption, has become a cornerstone of Windows endpoint security.
Typically enabled on workstations and laptops to prevent unauthorized access in case of device theft or loss, BitLocker's comprehensive protection has made it an attractive target for attackers seeking to abuse its underlying infrastructure.
Researcher Fabian Mosch explained during his presentation that every Windows application or feature introduces a significant number of objects, including processes, files, and registry keys, that collectively expand the attack surface.
While BitLocker effectively protects data at rest, its implementation contains elements that sophisticated threat actors can weaponize.
Movement process
The newly disclosed technique targets the remote manipulation of BitLocker registry keys through Windows Management Instrumentation (WMI) to hijack specific COM objects.
This approach enables attackers to execute code in the context of the interactive user on target hosts, potentially leading to domain escalation if the compromised user holds elevated privileges such as domain administrator rights.
The attack leverages a critical weakness in the BitLocker COM object hierarchy, specifically targeting the BDEUILauncher class through the IBDEUILauncher interface. This interface provides three key methods that attackers can exploit:
BdeUIProcessStart: Initiates the BitLocker process (BdeUISrv.exe)
BdeUIContextTrigger: Provides context manipulation capabilities
GetUserLogonTime: Retrieves user logon timing information
The exploitation process centers on the CLSID ab93b6f1-be76-4185-a488-a9001b105b94, which spawns four different processes as the Interactive User. Among these, the BaaUpdate.exe process proves particularly vulnerable to COM hijacking when executed with input parameters.
The attack specifically targets the missing CLSID A7A63E5C-3877-4840-8727-C1EA9D7A4D50, which the BaaUpdate.exe process attempts to load.
By creating a registry entry for this CLSID and establishing the appropriate subkeys, attackers can redirect the process to load malicious code instead of the legitimate component, Fabian said.
The BitLockMove tool, available on GitHub, demonstrates the practical implementation of this technique across two operational modes:
Enumeration Mode
The tool's reconnaissance capability uses undocumented Microsoft APIs from the winsta.dll library to remotely enumerate active sessions on target systems. These APIs, including WinStationEnumerateW, WinStationOpenServerW, and WinStationQueryInformationW, provide comprehensive session information without requiring Remote Desktop Services to be enabled.
Attack Mode
During the active exploitation phase, BitLockMove establishes a remote connection to the target host via WMI and executes queries to enable the Remote Registry service. The tool then constructs the necessary registry path to prepare the environment for COM hijacking, specifically creating entries under the CLSID key structure.
The attack sequence involves several critical steps:
Remote Registry Activation: The tool queries the Remote Registry service status and enables it if necessary
Registry Key Manipulation: Creation of the malicious CLSID entry with an InProcServer32 subkey pointing to the attacker's DLL
Process Coercion: Triggering the BitLocker process through the BDEUILauncher class
Code Execution: Loading and executing the attacker's payload within the legitimate BitLocker process context
Cleanup Operations: Removing traces of the attack by deleting the malicious registry entries
Despite the technique's sophistication, several detection opportunities exist across the various attack phases. Security teams should focus on implementing comprehensive monitoring across several key areas:
API Monitoring
The enumeration phase relies on undocumented winsta.dll APIs that differ from Microsoft's officially supported WTSEnumerateSessionsW API. Endpoint Detection and Response (EDR) solutions should monitor for unusual API calls, particularly:
Processes loading the winsta.dll library outside of legitimate Microsoft tools
Non-standard session enumeration attempts
Unusual WMI queries targeting service configurations
Service State Monitoring
Changes to the Remote Registry service represent a critical detection point. Windows Event ID 7040 captures service start-type changes, and organizations should implement alerting for:
Remote Registry service transitions from disabled to enabled states
Rapid service state changes (enabled then disabled within a short timeframe)
Service changes occurring outside normal maintenance windows
Security teams can implement SIGMA rules to detect suspicious Remote Registry service changes:
title: Detection of Remote Registry Service Enablement
# Event ID 7040 is written to the System log by the Service Control Manager.
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7040
        ServiceName: 'RemoteRegistry'
        OldStartType: 'Disabled'
        NewStartType: ['Manual start', 'Auto start']
    condition: selection
level: high
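The three alerting conditions listed above (disabled-to-enabled transition, rapid enable-then-disable, and changes outside a maintenance window) can be checked over exported 7040 events. The following Python is an added example for this article, not code from the BitLockMove project or the presentation; the event rows are constructed sample data, the field names follow the SIGMA rule above rather than the raw event's parameter names, and the 02:00-04:00 maintenance window and 10-minute toggle threshold are assumed values to be tuned per environment.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class ServiceChange:
    """One Event ID 7040 record, reduced to the fields the SIGMA rule uses."""
    when: datetime
    host: str
    service: str      # short service name, e.g. RemoteRegistry
    old_start: str
    new_start: str


# Constructed sample events (not real telemetry):
# timestamp, host, service, old start type, new start type.
SAMPLE_EVENTS = [
    ("2025-06-26T09:00:00", "WS01", "RemoteRegistry", "Disabled", "Manual start"),
    ("2025-06-26T09:03:30", "WS01", "RemoteRegistry", "Manual start", "Disabled"),
    ("2025-06-26T03:15:00", "WS02", "RemoteRegistry", "Disabled", "Manual start"),
    ("2025-06-26T10:00:00", "WS03", "Spooler", "Auto start", "Disabled"),
    ("2025-06-27T11:00:00", "WS01", "RemoteRegistry", "Disabled", "Auto start"),
]

ENABLED_STATES = ("Manual start", "Auto start")


def parse_events(rows):
    """Turn raw rows into ServiceChange records ordered by time (SIEM exports are not always sorted)."""
    return sorted(
        (ServiceChange(datetime.fromisoformat(ts), host, svc, old, new)
         for ts, host, svc, old, new in rows),
        key=lambda e: e.when,
    )


def is_enablement(e):
    """First condition: Remote Registry goes from Disabled to a startable state."""
    return (e.service == "RemoteRegistry"
            and e.old_start == "Disabled"
            and e.new_start in ENABLED_STATES)


def is_disablement(e):
    return e.service == "RemoteRegistry" and e.new_start == "Disabled"


def find_rapid_toggles(events, window=timedelta(minutes=10)):
    """Second condition: an enablement on a host followed by a disablement within `window`.
    Returns (enable_event, disable_event) pairs."""
    toggles = []
    pending = {}  # host -> most recent enablement still awaiting its disablement
    for e in events:
        if is_enablement(e):
            pending[e.host] = e
        elif is_disablement(e) and e.host in pending:
            on = pending.pop(e.host)
            if e.when - on.when <= window:
                toggles.append((on, e))
    return toggles


def outside_maintenance(e, start=time(2, 0), end=time(4, 0)):
    """Third condition. The 02:00-04:00 window is an assumed value; use the real schedule."""
    return not (start <= e.when.time() < end)


def analyze(rows):
    """Apply all three checks and return the matching events per category."""
    events = parse_events(rows)
    enablements = [e for e in events if is_enablement(e)]
    return {
        "enablements": enablements,
        "rapid_toggles": find_rapid_toggles(events),
        "outside_window": [e for e in enablements if outside_maintenance(e)],
    }


if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{category}: {len(hits)}")
```

On the sample data, WS01 shows the enable-then-disable pattern within 3.5 minutes, while the WS02 change falls inside the assumed maintenance window and is reported only as a plain enablement. A toggle that straddles a log export boundary is missed by design here; a streaming pipeline would keep the `pending` map across batches.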
Registry Auditing
Comprehensive registry monitoring represents perhaps the most effective detection mechanism. Organizations should enable auditing for the affected CLSID key and implement monitoring for:
Registry key creation under suspicious CLSID paths
InProcServer32 subkey modifications
Rapid registry key creation and deletion patterns
Event IDs 4657 (registry value modification), 4660 (registry key deletion), and 4663 (registry object access) provide crucial visibility into registry manipulation attempts.
Process Behavior Analysis
The final execution stage generates distinctive process artifacts that security teams can monitor:
BdeUISrv.exe processes spawning from svchost.exe
BaaUpdate.exe executions followed by unusual child processes
BitLocker-related processes running in unexpected user contexts
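Beyond live event auditing, a periodic sweep of exported CLSID registrations catches a hijack that was planted between audit intervals. The Python below is an added example for this article, not code from the BitLockMove project; it parses a `.reg` export (a constructed sample is embedded) and flags InProcServer32 entries that register the CLSID the article says is absent on a clean host, that point outside an assumed list of trusted directories, or that live in a user hive, which takes precedence over HKLM when HKCR is merged. The trusted-directory list is an assumption to be adjusted per environment.

```python
import re
from pathlib import PureWindowsPath

# CLSID the article reports BaaUpdate.exe tries to load and which is absent on a clean host.
BAAUPDATE_MISSING_CLSID = "{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}"

# Directories from which an in-process COM server is normally expected
# (assumed baseline; extend for vendor software installed elsewhere).
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

# Constructed .reg export: one benign machine-wide entry and one per-user hijack entry.
# GUID 11111111-... and the DLL names are sample values, not real components.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Constructed benign component"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_USERS\S-1-5-21-1000-2000-3000-1001\SOFTWARE\Classes\CLSID\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\InProcServer32]
@="C:\\Users\\Public\\constructed.dll"
"ThreadingModel"="Both"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$", re.IGNORECASE)


def parse_inprocserver32(reg_text):
    """Return (key_path, clsid, dll_path) for every InProcServer32 key with a default value."""
    current_key = None
    results = []
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = DEFAULT_VALUE_RE.match(line)
        if value_match and current_key:
            clsid_match = INPROC_RE.search(current_key)
            if clsid_match:
                # .reg files escape backslashes as "\\"; collapse them back to single separators.
                dll = value_match.group(1).replace("\\\\", "\\")
                results.append((current_key, clsid_match.group(1).upper(), dll))
    return results


def is_trusted_path(dll):
    """True when the DLL sits under a trusted directory and the path has no '..' traversal."""
    path = PureWindowsPath(dll)
    if ".." in path.parts:
        return False
    lowered = str(path).lower()
    return any(lowered.startswith(d.lower() + "\\") for d in TRUSTED_DIRS)


def audit(reg_text):
    """Flag InProcServer32 registrations that match any hijack indicator."""
    findings = []
    for key, clsid, dll in parse_inprocserver32(reg_text):
        reasons = []
        if clsid == BAAUPDATE_MISSING_CLSID:
            reasons.append("CLSID that is absent on a clean host is now registered")
        if not is_trusted_path(dll):
            reasons.append("InProcServer32 points outside trusted directories")
        if key.upper().startswith(("HKEY_USERS\\", "HKEY_CURRENT_USER\\")):
            reasons.append("per-user registration shadows the machine-wide CLSID")
        if reasons:
            findings.append({"key": key, "clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG_EXPORT):
        print(f["clsid"], f["dll"], "; ".join(f["reasons"]))
```

Exporting `HKLM\SOFTWARE\Classes\CLSID` plus each loaded hive under `HKEY_USERS` and feeding the result through `audit` gives a point-in-time view that complements the 4657/4660/4663 stream: the event log tells you when a key changed, the sweep tells you what is registered right now.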
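The three process artifacts above can be expressed as rules over process-creation telemetry, and the first two can be correlated into a single higher-confidence chain. The Python below is an added example for this article, not code from the BitLockMove project; the Sysmon-style records, the file paths and the per-host baseline of expected interactive accounts are all constructed sample data, and treating every child of BaaUpdate.exe as unusual is an assumption to be refined with a baseline of its normal behaviour.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

BITLOCKER_IMAGES = {"bdeuisrv.exe", "baaupdate.exe"}

# Constructed process-creation records (Sysmon Event ID 1 style).
# Paths, PIDs and accounts are sample values, not observed telemetry.
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS01", "utc": "2025-06-26T09:01:10", "pid": 4120, "image": SVCHOST,
     "parent_pid": 900, "parent_image": r"C:\Windows\System32\services.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "WS01", "utc": "2025-06-26T09:01:12", "pid": 5200,
     "image": r"C:\Windows\System32\BdeUISrv.exe",
     "parent_pid": 4120, "parent_image": SVCHOST, "user": r"CORP\alice"},
    {"host": "WS01", "utc": "2025-06-26T09:01:13", "pid": 5300,
     "image": r"C:\Windows\System32\BaaUpdate.exe",
     "parent_pid": 4120, "parent_image": SVCHOST, "user": r"CORP\alice"},
    {"host": "WS01", "utc": "2025-06-26T09:01:15", "pid": 5400,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_pid": 5300, "parent_image": r"C:\Windows\System32\BaaUpdate.exe",
     "user": r"CORP\alice"},
    {"host": "WS02", "utc": "2025-06-26T14:20:00", "pid": 3100,
     "image": r"C:\Windows\System32\BdeUISrv.exe",
     "parent_pid": 1020, "parent_image": SVCHOST, "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "WS03", "utc": "2025-06-26T08:00:00", "pid": 2200,
     "image": r"C:\Windows\explorer.exe",
     "parent_pid": 2100, "parent_image": r"C:\Windows\System32\userinit.exe",
     "user": r"CORP\carol"},
]

# Assumed baseline: accounts with a known interactive session on each host,
# normally derived from logon telemetry rather than hard-coded.
EXPECTED_INTERACTIVE_USERS = {
    "WS01": {r"CORP\alice"},
    "WS02": {r"CORP\bob"},
    "WS03": {r"CORP\carol"},
}


def image_name(path):
    """Lower-cased file name of a Windows image path, so matching ignores directory and case."""
    return PureWindowsPath(path).name.lower()


def detect(events, expected_users):
    """Apply the three per-event rules; returns one alert dict per rule hit."""
    alerts = []
    for e in events:
        img, parent = image_name(e["image"]), image_name(e["parent_image"])
        when = datetime.fromisoformat(e["utc"])
        hits = []
        if img == "bdeuisrv.exe" and parent == "svchost.exe":
            hits.append("bdeuisrv_from_svchost")
        if parent == "baaupdate.exe":
            hits.append("baaupdate_child")  # any child counts as unusual until baselined (assumption)
        if img in BITLOCKER_IMAGES and e["user"] not in expected_users.get(e["host"], set()):
            hits.append("unexpected_user_context")
        alerts.extend({"rule": r, "host": e["host"], "pid": e["pid"], "when": when} for r in hits)
    return alerts


def find_chains(alerts, window=timedelta(minutes=2)):
    """Correlate: a BdeUISrv.exe launch from svchost.exe followed within `window` by a
    BaaUpdate.exe child process on the same host. Returns (host, launcher_pid, child_pid)."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    chains = []
    for host, items in by_host.items():
        starts = [a for a in items if a["rule"] == "bdeuisrv_from_svchost"]
        children = [a for a in items if a["rule"] == "baaupdate_child"]
        for s in starts:
            for c in children:
                if timedelta(0) <= c["when"] - s["when"] <= window:
                    chains.append((host, s["pid"], c["pid"]))
    return chains


if __name__ == "__main__":
    found = detect(SAMPLE_PROCESS_EVENTS, EXPECTED_INTERACTIVE_USERS)
    for a in found:
        print(a["host"], a["pid"], a["rule"])
    print("chains:", find_chains(found))
```

On the sample data, WS01 produces the full chain (launcher from svchost.exe, then a shell under BaaUpdate.exe three seconds later), while WS02 shows only a BdeUISrv.exe launch running as SYSTEM rather than the host's expected interactive account. The individual rules will fire on legitimate BitLocker UI activity too; the chain and the user-context mismatch are the signals worth paging on.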
The disclosure of the BitLocker COM hijacking technique underscores the evolving sophistication of lateral movement tactics and the importance of comprehensive security monitoring.
While the technique demonstrates concerning capabilities, the multiple detection opportunities available to security teams provide viable defensive strategies.
Organizations must recognize that even well-designed security features like BitLocker can become attack vectors when their underlying implementations are exploited.
As threat actors continue to develop innovative approaches to network compromise, the cybersecurity community must remain committed to sharing knowledge, developing robust detection mechanisms, and building resilient defensive architectures.
The research presented by Fabian Mosch at Troopers 2025 provides valuable insights into advanced persistent threat tactics and emphasizes the critical importance of proactive security measures in defending modern enterprise environments.