Cybercriminals can alter BitLocker registry keys through WMI, enabling them to run malicious code in the context of the interactive user.
A novel lateral movement technique has emerged that exploits BitLocker's Component Object Model (COM) functionality to execute malicious code on target systems. Demonstrated through the BitLockMove proof-of-concept tool, it marks a notable evolution in lateral movement tactics: it relies on legitimate Windows components and thereby slips past traditional detection mechanisms.

BitLocker, Microsoft's full disk encryption feature, protects data by encrypting entire volumes and has become a cornerstone of Windows endpoint security. It is typically enabled on workstations and laptops to prevent unauthorised access if a device is stolen or lost, and that ubiquity has made its underlying infrastructure an attractive target for attackers seeking to abuse it.

Researcher Fabian Mosch explained that every Windows application or feature introduces a large number of objects (processes, files, registry keys) which collectively expand the attack surface. While BitLocker effectively protects data at rest, its implementation contains elements that sophisticated threat actors can weaponise.
The newly disclosed technique remotely manipulates BitLocker-related registry keys through Windows Management Instrumentation (WMI) to hijack specific COM objects. This lets an attacker execute code in the context of the interactive user on the target host, which can lead to domain escalation if that user holds elevated privileges such as domain administrator rights.

The attack leverages a critical vulnerability in the BitLocker COM object hierarchy, specifically the BDEUILauncher class exposed through the IBDEUILauncher interface. That interface provides three methods of interest: BdeUIProcessStart, which starts the BitLocker process (BdeUISrv.exe); BdeUIContextTrigger, which provides context manipulation capabilities; and GetUserLogonTime, which retrieves the user's logon time.

The exploitation process centres on the CLSID ab93b6f1-be76-4185-a488-a9001b105b94, which spawns four different processes as the Interactive User. Among these, BaaUpdate.exe proves particularly susceptible to COM hijacking when started with input parameters: it attempts to load the CLSID A7A63E5C-3877-4840-8727-C1EA9D7A4D50, which is not registered on the system. By creating a registry entry for this missing CLSID, attackers can redirect the process to load malicious code instead of the legitimate component.

The BitLockMove tool, available on GitHub, demonstrates the practical implementation of this technique across two operational modes, including a reconnaissance capability that uses undocumented Microsoft APIs from the winsta.dll library to remotely enumerate.
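A host-based hunting check for the hijack described above, added here as an example and not part of BitLockMove or the researcher's write-up: since the write-up says the CLSID BaaUpdate.exe tries to load is not registered by default, any InprocServer32 or LocalServer32 registration of it, in the machine hive or in any loaded user hive, is an anomaly worth investigating. It assumes a Windows host with PowerShell 5.1 or later and rights to read the other users' hives under HKEY_USERS.

```powershell
# Added hunting check (example code, not from BitLockMove). Flags any registration
# of the CLSID that the write-up says BaaUpdate.exe loads but which is absent by default.
$HijackClsid = '{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}'

function Get-ClassesRoots {
    # Machine-wide roots (native and WOW64 views).
    $roots = @('HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID')
    # Every loaded user hive: HKU\<SID>\Software\Classes and HKU\<SID>_Classes
    # together form that user's HKCU\Software\Classes view, which is where a
    # per-user COM hijack is written.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $roots += "$($hive.PSPath)\Software\Classes\CLSID"
        $roots += "$($hive.PSPath)\CLSID"   # only meaningful for the *_Classes hives
    }
    return $roots
}

function Find-BitLockerComHijack {
    $findings = @()
    foreach ($root in Get-ClassesRoots) {
        $key = "$root\$HijackClsid"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $serverKey = "$key\$server"
            if (-not (Test-Path -LiteralPath $serverKey)) { continue }
            $path = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
            # Expand %SystemRoot%-style values and strip quotes so the file can be opened.
            $file = [Environment]::ExpandEnvironmentVariables("$path") -replace '^"|"$', ''
            $sig = if ($file -and (Test-Path -LiteralPath $file)) {
                (Get-AuthenticodeSignature -LiteralPath $file).Status   # Valid / NotSigned / ...
            } else { 'FileMissing' }
            $findings += [pscustomobject]@{ Key = $serverKey; ServerPath = $path; Signature = $sig }
        }
        # A bare CLSID key with no server subkey is still an anomaly; record it too.
        if (-not ($findings | Where-Object Key -like "$key\*")) {
            $findings += [pscustomobject]@{ Key = $key; ServerPath = $null; Signature = 'NoServerKey' }
        }
    }
    return $findings
}

$hits = Find-BitLockerComHijack
if ($hits) { $hits | Format-Table -AutoSize } else { "No registration of $HijackClsid found." }
```

When the check fires on a host where the key was set remotely over WMI, the registry write will have been performed by the WMI provider host (WmiPrvSE.exe) rather than by a process of the logged-on user, which is a useful pivot for the follow-up investigation.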