The attack method unfolds in two operational modes. First, in Enumeration Mode, BitLockMove leverages undocumented Microsoft APIs (e.g., WinStationEnumerateW) from the winsta.dll library to remotely gather session information, bypassing the need for Remote Desktop Services. In Attack Mode, the tool uses WMI to remotely activate the Remote Registry service, manipulates registry keys to insert a malicious CLSID entry with an InProcServer32 subkey pointing to the attacker’s DLL, and finally triggers BitLocker processes using the BDEUILauncher class, which loads and runs the payload. After execution, the tool cleans up the registry modifications to remove traces.

Despite the sophistication of the technique, several detection opportunities exist at multiple stages. During enumeration, unusual use of winsta.dll and suspicious WMI queries can signal malicious activity. Changes to the Remote Registry service state can be logged through Windows Event ID 7040, and SIGMA detection rules can alert security teams to unauthorized enablement. Registry monitoring also plays a crucial role, especially for CLSID paths and InProcServer32 subkey changes, with Event IDs 4657, 4660, and 4663 offering key insights. Lastly, abnormal process behaviors such as BaaUpdate.exe spawning child processes or BitLocker processes running under unexpected user contexts can also indicate compromise.

This research highlights how even trusted components like BitLocker can be leveraged by threat actors when deeper layers of Windows architecture are abused. The attack exemplifies how sophisticated adversaries are moving beyond traditional techniques, instead weaponizing legitimate tools to remain undetected. As such, enterprises must adopt robust detection mechanisms, apply behavioral analytics, and continually monitor registry, service, and COM object activity. This case serves as a vital reminder that security tools themselves, if not properly monitored, can become avenues for exploitation.

Impact

• Sensitive Information Theft
• Code Execution
• Security Bypass
• Unauthorize Access

Remediation

• Configure alerts for Windows Event ID 7040 to detect when the Remote Registry service is enabled or changed
• Investigate any Remote Registry activation events, especially outside of scheduled maintenance
• Enable auditing for the CLSID registry paths, especially for suspicious or uncommon keys
• Track creation or modification of InProcServer32 subkeys using Event IDs 4657 (modification), 4663 (access), and 4660 (deletion)
• Watch for rapid creation and deletion of registry keys
• Monitor WMI queries that alter service states or target registry components
• Flag unexpected COM object activations, especially involving the BitLocker BDEUILauncher class or unusual CLSIDs
• Alert on executions of **BaaUpdate.exe** or **BdeUISrv.exe** launched from suspicious parent processes like svchost.exe
• Investigate BitLocker-related processes running under interactive user contexts or spawning unknown child processes
• Track processes that load winsta.dll or call undocumented session enumeration APIs such as WinStationEnumerateW
• Compare against known good baselines to detect anomalies
• Use EDR tools to define rules that detect COM hijacking patterns and abnormal session enumeration techniques
• Set up correlation alerts that combine registry changes, WMI activity, and suspicious process creation
• Limit permissions for users to write to sensitive COM registry paths, especially under high-privilege accounts
• Apply group policy settings to restrict Remote Registry and WMI usage where not needed
• Conduct proactive threat hunts for suspicious registry entries and COM hijacking traces
• Regularly scan endpoints for the presence of BitLockMove tool artifacts or similar payload.