Summary
Key Points:
- New zero-day vulnerability, GreatXML, allows attackers to bypass BitLocker protection on Windows systems by exploiting artifacts left by Microsoft Defender's offline scan.
- Any machine that has run an offline scan is affected; the exploit gives an attacker a SYSTEM shell in Recovery Mode, which poses a significant risk to data security and system integrity.
- Immediate actions include disabling Microsoft Defender's offline scan feature and monitoring for unauthorized physical access to machines, as the exploit requires brief physical interaction.
Technical Details: GreatXML exploits the way Windows Recovery Environment (WinRE) processes XML files during boot, specifically targeting the "unattend.xml" and "Recovery" directory. No patch is currently available for this vulnerability.
MITRE ATT&CK Techniques:
- T1078 - Valid Accounts (Defense Evasion, Persistence, Privilege Escalation)
- T1203 - User Execution (Execution)
IOCs Mentioned: None.