
“If Defender offline scan was initiated in the victim machine at any point then there is no need to login, the machine is automatically vulnerable,” the researcher, who goes online by the name Nightmare Eclipse or Chaotic Eclipse, said in the exploit notes. “If Defender offline scan was never initiated then you have to either login and initiate it yourself or figure out a way to boot into WinRE in offline scan state (I believe it should be very possible to do so without logging in).”
The requirement to log in is relevant here, because a system drive encrypted with BitLocker will be unlocked and decrypted when the user logs in. However, the whole point of a BitLocker bypass is to gain access to the unencrypted drive without having the credentials to log in, for example on a stolen laptop.
On machines where an offline Windows Defender scan was performed in the past, the exploitation is supposed to work by copying two files (unattend.xml and Recovery/WindowsRE/ReAgent.xml) provided by Nightmare Eclipse to the WinRE partition and then restarting the system in WinRE mode. Copying the files can be done from outside the OS because the WinRE partition is not encrypted.
“If everything was done correctly, a shell with unrestricted access to the BitLocker volume will spawn,” Nightmare Eclipse said.
