Hackers Can Manipulate BitLocker Registry Keys Via WMI to Execute Malicious Code as Interactive User


A novel lateral movement technique has been disclosed that exploits BitLocker’s Component Object Model (COM) functionality to execute malicious code on target systems.

The technique, demonstrated through the BitLockMove proof-of-concept tool, represents a sophisticated evolution in lateral movement tactics that bypasses traditional detection mechanisms while leveraging legitimate Windows components.

BitLocker, Microsoft’s full disk encryption feature designed to protect data through entire volume encryption, has become a cornerstone of Windows endpoint security.


Typically enabled on workstations and laptops to prevent unauthorized access in case of device theft or loss, BitLocker’s comprehensive protection has made it an attractive target for attackers seeking to abuse its underlying infrastructure.

Researcher Fabian Mosch explained during his presentation that every Windows application or feature introduces a significant volume of objects, including processes, files, and registry keys, that collectively expand the attack surface.

While BitLocker effectively protects data at rest, its implementation contains elements that sophisticated threat actors can weaponize.

Figure: Movement process

The newly disclosed technique specifically involves remotely manipulating BitLocker registry keys through Windows Management Instrumentation (WMI) in order to hijack specific COM objects.

This approach enables attackers to execute code under the context of the interactive user on target hosts, potentially leading to domain escalation if the compromised user possesses elevated privileges such as domain administrator rights.

The attack leverages a critical weakness in the BitLocker COM object hierarchy, specifically targeting the BDEUILauncher class through the IBDEUILauncher interface. This interface exposes three key methods that attackers can exploit:

  • BdeUIProcessStart: Initiates the BitLocker process (BdeUISrv.exe)
  • BdeUIContextTrigger: Provides context manipulation capabilities
  • GetUserLogonTime: Retrieves user logon timing information

The exploitation process centers on the CLSID ab93b6f1-be76-4185-a488-a9001b105b94, which spawns four different processes as the Interactive User. Among these, the BaaUpdate.exe process proves particularly vulnerable to COM hijacking when executed with input parameters.

The attack specifically targets the CLSID A7A63E5C-3877-4840-8727-C1EA9D7A4D50, which the BaaUpdate.exe process attempts to load but which is missing from the registry by default.

By creating a registry entry for this CLSID and establishing the appropriate subkeys, attackers can redirect the process to load malicious code instead of the legitimate component, Fabian said.

The BitLockMove tool, available on GitHub, demonstrates the practical implementation of this technique across two operational modes:


Enumeration Mode

The tool’s reconnaissance capability utilizes undocumented Microsoft APIs from the winsta.dll library to remotely enumerate active sessions on target systems. These APIs, including WinStationEnumerateW, WinStationOpenServerW, and WinStationQueryInformationW, provide comprehensive session information without requiring Remote Desktop Services to be enabled.

Attack Mode

During the active exploitation phase, BitLockMove establishes a remote connection to the target host via WMI and executes queries to enable the Remote Registry service. The tool then constructs the necessary registry path to prepare the environment for COM hijacking, specifically creating entries under the CLSID key structure.

The attack sequence involves several critical steps:

  1. Remote Registry Activation: The tool queries the Remote Registry service status and enables it if necessary
  2. Registry Key Manipulation: Creation of the malicious CLSID entry with InProcServer32 subkey pointing to the attacker’s DLL
  3. Process Coercion: Triggering the BitLocker process through the BDEUILauncher class
  4. Code Execution: Loading and executing the attacker’s payload within the legitimate BitLocker process context
  5. Cleanup Operations: Removing traces of the attack by deleting the malicious registry entries

Despite the technique’s sophistication, multiple detection opportunities exist across various attack stages. Security teams should focus on implementing comprehensive monitoring across several key areas:

API Monitoring

The enumeration phase relies on undocumented winsta.dll APIs that differ from Microsoft’s officially supported WTSEnumerateSessionsW API. Endpoint Detection and Response (EDR) solutions should monitor for unusual API calls, particularly:

  • Processes loading winsta.dll libraries outside of legitimate Microsoft tools
  • Non-standard session enumeration attempts
  • Unusual WMI queries targeting service configurations

Service State Monitoring

Changes to the Remote Registry service represent a critical detection point. System log Event ID 7040 records changes to a service’s start type, and organizations should implement alerting for:

  • Remote Registry service transitions from disabled to enabled states
  • Rapid service state changes (enabled then disabled in short timeframes)
  • Service modifications occurring outside normal maintenance windows

Security teams can implement Sigma rules to detect suspicious Remote Registry service changes:

title: Detection of Remote Registry Service Enablement
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7040
    # 7040 carries the service and start types in EventData (param1..param4 in the
    # raw event; the message text uses 'disabled', 'demand start' and 'auto start'),
    # so map these field names to your backend's field mapping for the System log
    ServiceName: 'RemoteRegistry'
    OldStartType: 'Disabled'
    NewStartType:
      - 'Manual start'
      - 'Auto start'
  condition: selection
level: high
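The Sigma rule above fires on a single enablement; the second bullet, an enable followed by a disable within a short window, needs correlation across events. The following Python detector is an added example, not code from the article or the BitLockMove project, and runs over constructed 7040 records, assuming the usual EventData layout of param1 (display name), param2/param3 (old/new start type) and param4 (service name); hosts and timestamps are made up.

```python
from datetime import datetime, timedelta

ENABLED = {"demand start", "auto start"}  # start types that make the service startable

# Constructed System-log 7040 records (EventData param1..param4); hosts and times are made up
EVENTS_7040 = [
    {"time": "2025-06-25T10:00:00", "host": "WS01", "EventID": 7040, "param1": "Remote Registry",
     "param2": "disabled", "param3": "demand start", "param4": "RemoteRegistry"},
    {"time": "2025-06-25T10:00:40", "host": "WS01", "EventID": 7040, "param1": "Remote Registry",
     "param2": "demand start", "param3": "disabled", "param4": "RemoteRegistry"},
    {"time": "2025-06-25T10:05:00", "host": "WS02", "EventID": 7040, "param1": "Remote Registry",
     "param2": "disabled", "param3": "auto start", "param4": "RemoteRegistry"},
    {"time": "2025-06-25T10:06:00", "host": "WS02", "EventID": 7040, "param1": "Windows Update",
     "param2": "demand start", "param3": "auto start", "param4": "wuauserv"},
]

def remote_registry_enablements(events, service="RemoteRegistry"):
    """Single-event check, equivalent to the Sigma selection: disabled -> startable."""
    return [e for e in events
            if e["EventID"] == 7040 and e["param4"] == service
            and e["param2"] == "disabled" and e["param3"] in ENABLED]

def rapid_toggles(events, window_seconds=300, service="RemoteRegistry"):
    """Per host: an enablement followed by a return to disabled within window_seconds.
    Returns (host, seconds_between) tuples; a short gap suggests a use-and-cleanup pattern."""
    enabled_at, hits = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["EventID"] != 7040 or e["param4"] != service:
            continue
        t = datetime.fromisoformat(e["time"])
        if e["param2"] == "disabled" and e["param3"] in ENABLED:
            enabled_at[e["host"]] = t          # remember when the service became startable
        elif e["param3"] == "disabled" and e["host"] in enabled_at:
            gap = t - enabled_at.pop(e["host"])
            if gap <= timedelta(seconds=window_seconds):
                hits.append((e["host"], int(gap.total_seconds())))
    return hits

if __name__ == "__main__":
    print(rapid_toggles(EVENTS_7040))  # [('WS01', 40)]
```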

Registry Auditing

Comprehensive registry monitoring represents perhaps the most effective detection mechanism. Organizations should enable auditing for the affected CLSID key and implement monitoring for:

  • Registry key creation under suspicious CLSID paths
  • InProcServer32 subkey modifications
  • Rapid registry key creation and deletion patterns

Event IDs 4657 (registry value modification), 4660 (object deletion), and 4663 (registry object access) provide crucial visibility into registry manipulation attempts; they are only generated when the Object Access / Registry audit subcategory is enabled and a SACL is set on the keys of interest.
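To turn the three bullets above into detection logic, the following Python example (added here, not code from the article or the BitLockMove project) walks constructed Security-log records: it flags every write to the default value of a CLSID’s InProcServer32 key, notes whether the registered DLL lives outside the usual system directories, and pairs a write with a DELETE access on the same key within a short window. The CLSID is the one the article names; the DLL path, hosts and times are constructed, and the assumption that a key deletion surfaces as a 4663 with the DELETE bit (0x10000) in AccessMask depends on the SACL you set.

```python
import re
from datetime import datetime, timedelta

# InProcServer32 under any CLSID key, as it appears in the ObjectName of 4657/4663 events
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.IGNORECASE)
DELETE_ACCESS = 0x10000  # DELETE standard right in the 4663 AccessMask
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")

CLSID_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\InProcServer32"
# Constructed Security-log records, not real telemetry; the DLL paths and second CLSID are placeholders
EVENTS = [
    {"time": "2025-06-25T10:00:05", "host": "WS01", "EventID": 4657, "ObjectName": CLSID_KEY,
     "ObjectValueName": "(Default)", "NewValue": r"C:\Users\Public\payload.dll"},
    {"time": "2025-06-25T10:00:50", "host": "WS01", "EventID": 4663, "ObjectName": CLSID_KEY,
     "AccessMask": "0x10000"},
    {"time": "2025-06-25T11:00:00", "host": "WS02", "EventID": 4657,
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32",
     "ObjectValueName": "(Default)", "NewValue": r"C:\Program Files\Vendor\vendor.dll"},
]

def untrusted_dll(path):
    """True when the registered server DLL lives outside the usual system/program directories."""
    return not path.lower().startswith(TRUSTED_DIRS)

def inproc_server_changes(events):
    """(host, clsid, dll, untrusted) for each 4657 that sets a CLSID's InProcServer32 default value."""
    out = []
    for e in events:
        m = INPROC_RE.search(e["ObjectName"])
        if e["EventID"] == 4657 and m and e["ObjectValueName"] == "(Default)":
            out.append((e["host"], m.group(1).upper(), e["NewValue"], untrusted_dll(e["NewValue"])))
    return out

def create_then_delete(events, window_seconds=300):
    """Per host and CLSID: an InProcServer32 write (4657) followed by a DELETE access (4663)
    on the same key within window_seconds. Returns (host, clsid, seconds_between)."""
    pending, hits = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        m = INPROC_RE.search(e["ObjectName"])
        if not m:
            continue
        key, t = (e["host"], m.group(1).upper()), datetime.fromisoformat(e["time"])
        if e["EventID"] == 4657:
            pending[key] = t                      # remember when the hijack key was written
        elif e["EventID"] == 4663 and int(e["AccessMask"], 16) & DELETE_ACCESS and key in pending:
            gap = t - pending.pop(key)
            if gap <= timedelta(seconds=window_seconds):
                hits.append((key[0], key[1], int(gap.total_seconds())))
    return hits
```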

Process Behavior Analysis

The final execution stage generates distinctive process artifacts that security teams can monitor:

  • BdeUISrv.exe processes spawning from svchost.exe
  • BaaUpdate.exe executions followed by unusual child processes
  • BitLocker-related processes running in unexpected user contexts
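The first two process artifacts above can be checked against Sysmon-style process-creation records. The Python below is an added example, not code from the article or the BitLockMove project; the records, PIDs and user names are constructed, and placing BaaUpdate.exe under svchost.exe in the sample tree is an assumption made for the illustration.

```python
# Constructed Sysmon event 1 style records (ProcessId, ParentProcessId, Image, User); all values made up
PROCS = [
    {"pid": 800,  "ppid": 600,  "image": r"C:\Windows\System32\svchost.exe",   "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 1200, "ppid": 800,  "image": r"C:\Windows\System32\BdeUISrv.exe",  "user": r"CORP\alice"},
    {"pid": 1300, "ppid": 800,  "image": r"C:\Windows\System32\BaaUpdate.exe", "user": r"CORP\alice"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\cmd.exe",       "user": r"CORP\alice"},
    {"pid": 1500, "ppid": 1400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"CORP\alice"},
    {"pid": 2000, "ppid": 600,  "image": r"C:\Windows\explorer.exe",           "user": r"CORP\alice"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\notepad.exe",   "user": r"CORP\alice"},
]

def image_name(image):
    """Lower-cased file name from a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()

def lineage(by_pid, pid):
    """Image names from pid up to the highest ancestor present in the records."""
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def bdeuisrv_from_svchost(procs):
    """PIDs of BdeUISrv.exe instances whose parent is svchost.exe (first bullet)."""
    by_pid = {p["pid"]: p for p in procs}
    return [p["pid"] for p in procs
            if image_name(p["image"]) == "bdeuisrv.exe"
            and p["ppid"] in by_pid and image_name(by_pid[p["ppid"]]["image"]) == "svchost.exe"]

def baaupdate_descendants(procs):
    """(pid, user, lineage) for every process with BaaUpdate.exe anywhere in its ancestry
    (second bullet), so grandchildren are caught as well as direct children."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        chain = lineage(by_pid, p["pid"])
        if chain[0] != "baaupdate.exe" and "baaupdate.exe" in chain:
            hits.append((p["pid"], p["user"], " <- ".join(chain)))
    return hits
```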

The disclosure of the BitLocker COM hijacking technique underscores the evolving sophistication of lateral movement tactics and the importance of comprehensive security monitoring.

While the technique demonstrates concerning capabilities, the multiple detection opportunities available to security teams provide viable defensive strategies.

Organizations must recognize that even well-designed security features like BitLocker can become attack vectors when their underlying implementations are exploited.

As threat actors continue to develop innovative approaches to network compromise, the cybersecurity community must remain committed to sharing knowledge, developing robust detection mechanisms, and building resilient defensive architectures.

The research presented by Fabian Mosch at Troopers 2025 provides valuable insights into advanced persistent threat tactics and emphasizes the critical importance of proactive security measures in protecting modern enterprise environments.
