By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: Zero NetworksPublished August 12, 2025

TL;DR: A new Windows lateral movement technique, BitlockMove, uses SMB, WMI/RPC, and DCOM to make BitLocker load a planted DLL under the logged-in user, then fans out if that account has broad rights, according to Zero Networks. The core lesson is that attack paths stitched from legitimate protocols are best neutralised by default-deny segmentation, not by chasing each new technique.


At a glance

What this is: This is an analysis of BitlockMove, a BitLocker COM hijacking lateral movement technique that abuses SMB, WMI/RPC, and DCOM to execute a planted DLL on a remote Windows host.

Why it matters: It matters because identity and privilege boundaries do not stop an attacker who can reuse approved protocols, so IAM and PAM teams need to pair access governance with network enforcement and segmentation.

👉 Read Zero Networks' analysis of BitLocker COM hijacking and microsegmentation


Context

BitlockMove is a lateral movement pattern, not a BitLocker defect in isolation. It chains standard Windows services and remote management channels into an execution path that looks legitimate to the platform unless east-west controls block it first. For identity and access programmes, the issue is not just who can log in, but which identities can reach which hosts and remote interfaces.

The article’s key governance point is that protocol trust is often broader than identity trust. If a user or service account has broad rights on a reachable endpoint, an attacker can turn that access into execution and spread without exploiting a classic software vulnerability. That makes microsegmentation, RPC hardening, and privilege scope control part of the same control story.


Key questions

Q: What breaks when SMB and RPC are not tightly segmented in Windows estates?

A: When SMB and RPC are broadly reachable, an attacker can chain file transfer, registry manipulation, and remote execution into one lateral movement path. The failure is not just exposure of a port. It is the environment allowing a complete action sequence to finish under a trusted context, which makes one compromised account enough to pivot.

Q: Why do broad user or service account rights increase the impact of protocol abuse?

A: Because the attacker does not need to invent new privileges. They only need to make a reachable host perform actions on behalf of an already trusted identity. When that identity has broad rights, the attacker can move from one system to the next using legitimate administration pathways, which turns access scope into blast radius.

Q: What do security teams get wrong about Windows lateral movement techniques like BitlockMove?

A: They often focus on the specific payload or registry change and miss the dependency chain that makes it possible. If SMB, WMI, RPC, and DCOM remain allowed between peers, a new technique can still work even after a vendor patch. The control question is whether the path itself exists.

Q: Which frameworks best align to blocking remote protocol abuse and lateral movement?

A: MITRE ATT&CK is useful for mapping credential access and lateral movement tactics, while NIST SP 800-53 and NIST CSF help translate that mapping into access control, remote access, and monitoring requirements. For Windows estates, the practical goal is to deny unnecessary east-west paths and verify that approved ones are tightly constrained.


Technical breakdown

How BitLocker COM hijacking turns remote access into code execution

BitlockMove works by copying a malicious DLL to the target over SMB, then writing a registry value through WMI or RPC that tells BitLocker where to load that DLL from. A later DCOM-triggered call causes the BitLocker component to load the attacker-controlled file in the context of the currently logged-in user. The important point is that the attacker is not breaking cryptography. They are abusing a trusted Windows execution flow that spans file transfer, remote registry manipulation, and COM invocation.

Practical implication: block the remote protocol chain, not just the payload.

Why SMB and RPC exposure create lateral movement risk

SMB and RPC are common administrative pathways, which makes them attractive to attackers once they can authenticate to one endpoint. SMB 445 enables file placement, while RPC and high ephemeral ports enable follow-on registry and DCOM actions. If east-west traffic is broadly allowed, the attacker only needs one reachable system and one over-permissioned account to pivot. This is why segmentation matters: the move is successful because the network allows the chain to complete, not because the malware is uniquely powerful.

Practical implication: map and restrict peer-to-peer admin pathways across Windows estates.

How RPC firewalling limits rare operations inside otherwise permitted traffic

The article highlights a layered control approach where RPC can be allowed for legitimate business needs while specific interfaces or operations are blocked. That distinction matters because many environments cannot simply close RPC everywhere. RPC firewalling narrows the problem by stopping uncommon functions such as remote registry writes, which breaks the attack even when some RPC traffic remains necessary for servers or management workflows. In practice, this is a much tighter control than broad trust in any authenticated RPC session.

Practical implication: apply function-level RPC restrictions where full protocol blocking is not feasible.


Threat narrative

Attacker objective: The attacker wants remote code execution under a trusted user context so they can pivot laterally across Windows systems.

  1. Entry occurs when the attacker reaches a Windows host over SMB and places a malicious DLL where it can be retrieved remotely.
  2. Escalation happens when WMI or RPC is used to write the registry path that points BitLocker to the planted file, preparing the COM hijack.
  3. Impact follows when DCOM triggers BitLocker to load the DLL under the logged-in user, enabling lateral spread if that user has broad rights.

NHI Mgmt Group analysis

BitlockMove is a protocol-trust failure, not just a malware trick. The attack succeeds because common Windows management channels are assumed to be safe once authenticated, even when they bridge file transfer, registry writes, and remote execution. That is the governance gap: identity controls may be correct while the surrounding network still permits the path. Practitioners should treat remote protocol reachability as part of the identity trust boundary.

Microsegmentation is increasingly an identity control in practice. When a compromised account can reach peer systems over SMB and RPC, privilege scope turns into lateral movement scope. This is why east-west policy belongs in the same conversation as least privilege and admin tiering. A broad account on a reachable endpoint is materially different from the same account behind a denied network path. Practitioners should align segmentation with privilege boundaries, not just subnets.

BitLocker COM hijacking shows how attackers exploit the gap between approved access and approved action. The user or service may be authorised to exist in the environment, but not to initiate the sequence of remote operations that leads to code execution. That gap is where attackers live. Security teams need to think in terms of complete action chains, especially where WMI, RPC, and DCOM are still routinely trusted. Practitioners should validate the chain, not each protocol in isolation.

Named concept: protocol-stitching lateral movement. This technique depends on stitching together individually legitimate protocols into one hostile execution path. Once defenders understand that the attack is the composition of SMB, RPC, registry writes, and DCOM, the response changes from chasing detections to denying the sequence. That is the control model modern Windows estates need. Practitioners should break the chain at multiple points, not wait for a signature.

Per-CVE response is the wrong operating model for this class of attack. The article’s central warning is that defenders will always be late if they wait for a named vulnerability before acting. The safer model is to assume that any new remote execution chain will use existing admin pathways and to pre-deny those pathways unless they are explicitly required. Practitioners should govern by allowed dependency, not by headline response.

What this signals

Protocol-stitching lateral movement is a useful way to describe attacks that chain ordinary administrative channels into a hostile path. That matters for programme design because detection alone will miss some of these sequences if the environment still permits SMB, RPC, and remote registry access between peers. Identity and infrastructure teams need a shared model of what a trusted path is allowed to do, not just who is authenticated.

Microsegmentation will increasingly be judged as part of identity governance, not only network hygiene, because the same account can be harmless or dangerous depending on where it can reach. The operational question becomes whether access policy and east-west policy are aligned. If they are not, privilege reviews can be technically correct and still leave a lateral movement path open.

The visibility gap remains a recurring theme in machine identity and access governance, and it applies here as well: if teams cannot reliably see which hosts can talk to which others, they cannot prove that a broad account is contained. That is why control validation has to move beyond configuration review and into path testing with real dependencies.


For practitioners

  • Deny peer-to-peer SMB by default Close SMB 445 between workstation and server peers unless a business dependency is explicitly approved and documented. The attack depends on file placement, so removing east-west SMB reachability eliminates the first step of the chain. Use segmentation policy to allow only known file-sharing routes, not general host-to-host access.
  • Restrict RPC and dynamic high ports to approved dependencies Treat RPC as a managed dependency, not a universal admin convenience. Permit only the specific hosts and services that need WMI or DCOM, and deny dynamic high-port reachability everywhere else. This reduces the chance that a remote registry write or COM trigger can complete after an initial foothold.
  • Block remote registry write operations where they are not required Use RPC-level filtering to prevent functions such as BaseRegSetValue when those operations are not part of a legitimate administrative workflow. The attack relies on writing a registry path that redirects BitLocker loading behavior, so stopping that function breaks the chain even if some RPC traffic remains allowed.
  • Tier privileged accounts away from reachable endpoints Separate admin-tier identities from endpoints that can be reached by other users or by broad network segments. If a logged-in user on a target host has broad rights, the attacker inherits that reach. Tighten account scope and reduce where privileged sessions can land so a successful remote action does not become lateral movement.

Key takeaways

  • BitlockMove shows that trusted Windows protocols can be chained into a lateral movement path without exploiting a classic vulnerability.
  • The material risk is not the DLL alone but the combination of SMB reachability, RPC access, and broad user rights on the target host.
  • Default-deny segmentation, plus tighter RPC function control, is the control pattern that breaks this class of attack early.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe article centres on remote access abuse and pivoting across Windows hosts.
NIST CSF 2.0PR.AC-4The control gap is overly broad access between peers and over-permissioned sessions.
NIST SP 800-53 Rev 5AC-4Information flow control aligns directly to blocking host-to-host lateral movement paths.
CIS Controls v8CIS-12 , Network Infrastructure ManagementThe article depends on controlling internal network pathways, not just endpoints.

Map exposed SMB and RPC paths to credential access and lateral movement tactics, then deny unnecessary east-west routes.


Key terms

  • BitLocker Com Hijacking: A technique that abuses Windows component object model behavior to redirect a trusted component into loading attacker-controlled code. It does not break encryption. Instead, it manipulates configuration and execution flow so that a legitimate process loads an untrusted DLL under a chosen user context.
  • Protocol-Stitching Lateral Movement: A movement technique where an attacker chains multiple legitimate protocols or admin interfaces into one end-to-end compromise path. Each step may look normal on its own, but together they enable file transfer, registry changes, and code execution across hosts.
  • East-West Segmentation: Network policy that controls traffic between internal systems rather than only at the perimeter. In identity-heavy environments, it limits how far a compromised account or workload can move after initial access by denying unnecessary peer-to-peer connectivity.
  • RPC Firewall: An RPC firewall filters specific Remote Procedure Call functions rather than simply leaving the protocol open or closed. That matters because many enterprise services depend on RPC, but attackers can abuse a small subset of functions to escalate access or replicate directory data.

What's in the full article

Zero Networks' full post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step breakdown of the BitlockMove chain from SMB drop to BitLocker-triggered DLL loading.
  • Examples of how the RPC Firewall can block specific operations such as remote registry writes.
  • Portal screenshots showing what the attack flow looks like when segmentation is disabled.
  • Practical segmentation logic for hosts that need SMB or RPC allowed for legitimate business use.

👉 The full Zero Networks post covers the attack chain, RPC filtering examples, and segmentation behavior in the portal.

Deepen your knowledge

NHI Mgmt Group covers NHI governance, machine identity security, and secrets management through independent research, practitioner guides, and the NHI Foundation Level course, the industry's only accredited NHI security programme. It is a fit for teams that need to connect identity controls to real-world attack paths and operating decisions.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org