A technique that abuses Windows component object model behavior to redirect a trusted component into loading attacker-controlled code. It does not break encryption. Instead, it manipulates configuration and execution flow so that a legitimate process loads an untrusted DLL under a chosen user context.
Expanded Definition
BitLocker COM hijacking is a Windows persistence and execution technique that relies on the Component Object Model rather than on any weakness in BitLocker encryption itself. The abuse path is straightforward in concept but subtle in practice: a trusted COM-enabled component is persuaded to load attacker-controlled code, usually by altering registry-based class registration or related execution references. The result is code execution in the context of a legitimate process, which can make the activity harder to spot than a direct malware launch.
For security teams, the important distinction is that this is not a decryption attack and not a flaw in disk cryptography. It is a misuse of Windows trust relationships, startup behavior, and component activation. NIST guidance on configuration management and least privilege, such as the NIST SP 800-53 Rev 5 Security and Privacy Controls, is relevant because the attack often succeeds where registry permissions, software installation controls, and execution boundaries are too broad.
The most common misapplication is treating it as a BitLocker failure, which occurs when defenders focus on encryption status instead of the registry and COM activation path that enabled code loading.
Examples and Use Cases
Implementing detection and hardening rigorously often introduces administrative friction, requiring organisations to weigh tighter registry and software controls against compatibility and support overhead.
- A threat actor places a malicious DLL where a COM class registration points during user logon, causing a trusted application to load the payload automatically.
- Persistence is maintained by changing per-user COM registrations so the code runs under a chosen user context each time the component is activated.
- Defenders identify suspicious registry changes tied to COM class IDs, then compare them with expected baselines from approved software and system components.
- Endpoint telemetry shows a legitimate process spawning behavior that is inconsistent with normal application use, prompting review of COM activation chains and DLL paths.
- Security teams reduce exposure by restricting write access to sensitive registry locations and validating software installation logic against hardening guidance from NIST SP 800-53 Rev 5 Security and Privacy Controls.
These use cases are common in intrusion chains where the goal is stealthy execution, not immediate privilege escalation. The technique may be combined with other living-off-the-land methods so the malicious code appears to originate from a normal Windows workflow.
Why It Matters for Security Teams
BitLocker COM hijacking matters because it exploits trust, not brute force. If defenders assume encryption is the only relevant control, they may miss the underlying execution mechanism and leave a reliable persistence route open. The issue sits at the intersection of endpoint hardening, registry governance, and application control, so it belongs in broader Windows attack surface management rather than in a narrow storage-security bucket.
For identity and access teams, the lesson is similar to other NHI-style abuse patterns: a legitimate execution context can be coerced into doing something unintended when permissions are too broad or configuration is not tightly governed. That makes local admin rights, writable class registrations, and weak software restriction policies especially important to review. MITRE ATT&CK and threat research commonly track related technique families, but operationally the defensive priority is to constrain where trusted processes can be redirected and to monitor for unexpected COM registration changes. The most effective response usually combines baseline enforcement, registry monitoring, and controlled software deployment.
Organisations typically encounter the full impact only after a workstation shows repeated re-entry by the same actor, at which point BitLocker COM hijacking becomes operationally unavoidable to investigate and contain.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access control limit who can alter COM registrations. |
| NIST SP 800-53 Rev 5 | CM-7 | Configuration management and least functionality help prevent hijacked COM paths. |
Restrict registry and execution permissions so trusted components cannot be redirected.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org