Red Hot Cyber, The cybersecurity news
Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Select language
Spanish Italian
Search
320x100 Itcentric
Enterprise BusinessLog 970x120 1
BitLocker in the crosshairs: stealth attacks via COM hijacking. Online PoC

BitLocker in the crosshairs: stealth attacks via COM hijacking. Online PoC

Redazione RHC : 15 September 2025 08:31

An innovative tool known as BitlockMove has been introduced, which highlights a novel lateral movement technique. This PoC leverages DCOM interfaces and COM hijacking, both of which are functional for BitLocker.

Released by security researcher Fabian Mosch of r-tec Cyber Security, the tool allows attackers to execute code on remote systems within the session of an already logged-in user, avoiding the need to steal credentials or impersonate accounts.

This technique is particularly subtle because the malicious code executes directly in the context of the target user, generating fewer indicators of compromise than traditional methods such as credential theft from LSASS.

The PoC specifically targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94), which can launch several processes. One of these, BaaUpdate.exe, is vulnerable to COM hijacking if launched with specific parameters. The tool, written in C#, operates in two distinct modes: enumeration and attack.

  • Enum Mode: An attacker can use this mode to identify active user sessions on a target host. This allows the threat actor to select a highly privileged user, such as a domain administrator, for the attack.
  • Attack Mode: In this mode, the tool executes the attack. The attacker specifies the target host, the username of the active session, a path to delete the malicious DLL, and the command to execute. The tool then executes the remote COM hijacker, activates the payload, and cleans up by removing the hijacker from the registry and deleting the DLL.

By monitoring specific behavior patterns, defenders are able to detect this technique. Key indicators include remote COM CLSID hijacking associated with BitLocker, which aims to load a newly created DLL from the compromised location via BaaUpdate.exe.

Suspicious child processes spawned by BaaUpdate.exe or BdeUISrv.exe are obvious indicators of a possible attack. Its use for legitimate purposes is rare, so security experts can conduct specific searches for the BdeUISrv.exe process to detect its potential malicious nature.

Immagine del sitoRedazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli