Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

BitLocker COM hijacking and lateral movement: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: A new Windows lateral movement technique, BitlockMove, uses SMB, WMI/RPC, and DCOM to make BitLocker load a planted DLL under the logged-in user, then fans out if that account has broad rights, according to Zero Networks. The core lesson is that attack paths stitched from legitimate protocols are best neutralised by default-deny segmentation, not by chasing each new technique.

NHIMG editorial — based on content published by Zero Networks: Blocked by Default, stopping BitlockMove with microsegmentation

Questions worth separating out

Q: What breaks when SMB and RPC are not tightly segmented in Windows estates?

A: When SMB and RPC are broadly reachable, an attacker can chain file transfer, registry manipulation, and remote execution into one lateral movement path.

Q: Why do broad user or service account rights increase the impact of protocol abuse?

A: Because the attacker does not need to invent new privileges.

Q: What do security teams get wrong about Windows lateral movement techniques like BitlockMove?

A: They often focus on the specific payload or registry change and miss the dependency chain that makes it possible.

Practitioner guidance

  • Deny peer-to-peer SMB by default Close SMB 445 between workstation and server peers unless a business dependency is explicitly approved and documented.
  • Restrict RPC and dynamic high ports to approved dependencies Treat RPC as a managed dependency, not a universal admin convenience.
  • Block remote registry write operations where they are not required Use RPC-level filtering to prevent functions such as BaseRegSetValue when those operations are not part of a legitimate administrative workflow.

What's in the full article

Zero Networks' full post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step breakdown of the BitlockMove chain from SMB drop to BitLocker-triggered DLL loading.
  • Examples of how the RPC Firewall can block specific operations such as remote registry writes.
  • Portal screenshots showing what the attack flow looks like when segmentation is disabled.
  • Practical segmentation logic for hosts that need SMB or RPC allowed for legitimate business use.

👉 Read Zero Networks' analysis of BitLocker COM hijacking and microsegmentation →

BitLocker COM hijacking and lateral movement: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

BitlockMove is a protocol-trust failure, not just a malware trick. The attack succeeds because common Windows management channels are assumed to be safe once authenticated, even when they bridge file transfer, registry writes, and remote execution. That is the governance gap: identity controls may be correct while the surrounding network still permits the path. Practitioners should treat remote protocol reachability as part of the identity trust boundary.

A question worth separating out:

Q: Which frameworks best align to blocking remote protocol abuse and lateral movement?

A: MITRE ATT&CK is useful for mapping credential access and lateral movement tactics, while NIST SP 800-53 and NIST CSF help translate that mapping into access control, remote access, and monitoring requirements. For Windows estates, the practical goal is to deny unnecessary east-west paths and verify that approved ones are tightly constrained.

👉 Read our full editorial: BitLocker COM hijacking shows why lateral movement should be blocked by default



   
ReplyQuote
Share: