Redazione RHC, 4 August 2025 15:24
Through BitLocker’s Component Object Model (COM) feature, attackers can deploy an innovative pivoting technique to execute malicious code on targeted systems. This approach, demonstrated via a test tool called BitLockMove, marks a significant advancement in lateral movement strategies, successfully evading standard detection methods by using authentic Windows elements.
Typically enabled on workstations and laptops to prevent unauthorized access in the event of device theft or loss, BitLocker’s comprehensive protection has made it a tempting target for attackers seeking to abuse its underlying infrastructure.
During his presentation, researcher Fabian Mosch explained that every application or feature added to Windows brings with it a large number of additional objects, including processes, files, and registry keys, which together expand the surface available for potential attacks. Although BitLocker is effective at protecting data at rest, experts have found that its implementation includes components that sophisticated attackers can repurpose to build offensive tooling.
The newly disclosed technique aims to remotely manipulate BitLocker registry keys via Windows Management Instrumentation (WMI) to hijack specific COM objects. This approach allows attackers to execute code in the context of the interactive user on target hosts, potentially leading to domain escalation if the compromised user has elevated privileges, such as domain administrator rights.
The attack relies on a weakness in the BitLocker COM object hierarchy and directly targets the BDEUILauncher class through its IBDEUILauncher interface. Attackers can use three main methods offered by this interface for exploitation:
The exploit process focuses on the CLSID ab93b6f1-be76-4185-a488-a9001b105b94, which spawns four different processes as the interactive user. Among these, the BaaUpdate.exe process is particularly vulnerable to COM hijacking when it is executed with input parameters. The attack specifically targets the missing CLSID A7A63E5C-3877-4840-8727-C1EA9D7A4D50, which the BaaUpdate.exe process attempts to load.
By creating a registry entry for this CLSID and establishing the appropriate subkeys, attackers can redirect the process to load malicious code instead of the legitimate component, Fabian said. The BitLockMove tool demonstrates the practical implementation of this technique through two modes of operation:
The BdeUISrv.exe process remains active on the system, unlike BaaUpdate.exe, the process vulnerable to COM hijacking, which terminates.
It is important to note that the BdeUISrv.exe process ran in the context of the Administrator user, the user who held the interactive session on the targeted host.
Although the technique attempts to blend into the environment, because the arbitrary command is executed in the context of a trusted BitLocker process (BdeUISrv.exe), there are multiple opportunities for detection at various stages. Analyzing the tool’s behavior reveals the technique’s characteristics and the areas on which detection engineers should focus.
The lateral movement technique by hijacking the BitLocker component object model involves several steps, but it also offers numerous detection opportunities. Organizations should evaluate which logs are safe to enable in their environments and focus their detection engineering efforts accordingly.
Enriching the SIEM with all associated logs and running threat hunting queries at short intervals enables detection with a high level of confidence.
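As an added illustration of the detection opportunities described above (example code, not part of the original article or of the BitLockMove tool), the following Python hunting rules run over constructed Sysmon-style events and flag the three stages the technique leaves behind: a registry write that registers the missing CLSID A7A63E5C-3877-4840-8727-C1EA9D7A4D50, an unsigned module loaded by BaaUpdate.exe, and a child process spawned by BdeUISrv.exe. The event field names follow Sysmon conventions; the assumption that these BitLocker binaries normally spawn no children and load only signed modules should be verified against a baseline before the rules are deployed.

```python
"""Hunting rules for the BitLocker COM-hijack steps described above.
Events are constructed Sysmon-style records (EventID 13 = registry value set,
7 = image load, 1 = process create); they are not real telemetry."""
import re

# CLSID the article names as the missing one that BaaUpdate.exe tries to load.
HIJACKED_CLSID = "A7A63E5C-3877-4840-8727-C1EA9D7A4D50"
CLSID_KEY = re.compile(r"\\Classes\\CLSID\\\{" + HIJACKED_CLSID + r"\}", re.I)
# Assumption: in normal use these BitLocker binaries spawn no child processes
# and load only signed modules; baseline this before deploying the rules.
BDE_PROCS = {"baaupdate.exe", "bdeuisrv.exe"}

def basename(path):
    """Last path component, lower-cased, for case-insensitive comparisons."""
    return path.rsplit("\\", 1)[-1].lower()

def check(ev):
    """Return a finding string for one event, or None if it looks benign."""
    eid = ev.get("EventID")
    if eid == 13 and CLSID_KEY.search(ev.get("TargetObject", "")):
        return f"registry: {basename(ev['Image'])} registered hijacked CLSID"
    if eid == 7 and basename(ev.get("Image", "")) in BDE_PROCS \
            and ev.get("Signed") != "true":
        return f"imageload: {basename(ev['Image'])} loaded unsigned {ev['ImageLoaded']}"
    if eid == 1 and basename(ev.get("ParentImage", "")) in BDE_PROCS:
        return f"process: {basename(ev['ParentImage'])} spawned {ev['CommandLine']}"
    return None

def hunt(events):
    """Apply check() to every event and keep the findings."""
    return [f for f in map(check, events) if f]

# Constructed sample: one staged hijack (three events) plus two benign events.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\InprocServer32\(Default)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)"},
    {"EventID": 7, "Image": r"C:\Windows\System32\BaaUpdate.exe",
     "ImageLoaded": r"C:\Users\Public\payload.dll", "Signed": "false"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\BdeUISrv.exe",
     "CommandLine": "calc.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The registry rule matches the CLSID under any hive, so a write staged remotely through WMI (which shows up under WmiPrvSE.exe) and a write made locally by another process are both surfaced.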