A post by Reino about how leaving Bitlocker in “Suspended” state will let you recover the keys for decryption, after which the laptop can be virtualised and messed with without the SOC knowing about it, even when they’re watching closely.

https://sensepost.com/blog/2023/from-bitlocker-suspended-to-virtual-machine/

#bitlocker #virtualisation #edr #hacking #sensepost


Great work and write up by Reino.

From a further learning perspective and not to take from the analysis at all, but in terms of the device with bitlocker in a suspended state - this *should* be a non-normal state in an enterprise. If not, then there is something particularly wrong. I think I'm correct that a suspended state by default won't last a reboot either unless otherwise configured.

Nonetheless the flag was captured and the write up ever so helpful. Thank you.
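A defender-side check for the state discussed in the thread, added here as an example and not part of the thread or of the SensePost post: it lists volumes that are encrypted but whose protection is suspended (the condition that lets the disk be opened without a key), using the built-in BitLocker module cmdlets Get-BitLockerVolume and Resume-BitLocker; the function name is my own and the script assumes an elevated PowerShell session on a Windows host with that module.

```powershell
# Added example, not from the thread: report BitLocker volumes that are
# encrypted but have protection suspended. Assumes the BitLocker module
# (Get-BitLockerVolume / Resume-BitLocker) and an elevated session.

function Get-SuspendedBitLockerVolume {
    [CmdletBinding()]
    param(
        # Resume protection on every suspended volume that is found.
        [switch]$Resume
    )

    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        # "Suspended" = the volume is (at least partly) encrypted, yet
        # ProtectionStatus is Off. In that state Windows keeps a clear-key
        # protector on disk, so the volume unlocks without a PIN/TPM/password.
        $encrypted = $vol.VolumeStatus -ne 'FullyDecrypted'
        $suspended = $encrypted -and ($vol.ProtectionStatus -eq 'Off')
        if (-not $suspended) { continue }

        $findings += [pscustomobject]@{
            MountPoint    = $vol.MountPoint
            VolumeStatus  = $vol.VolumeStatus
            Protection    = $vol.ProtectionStatus
            KeyProtectors = ($vol.KeyProtector |
                ForEach-Object { $_.KeyProtectorType }) -join ','
        }

        if ($Resume) {
            # Re-enables the key protectors and removes the clear key.
            Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
        }
    }
    return $findings
}

# Wrap in @() so .Count is reliable for zero or one result.
$suspended = @(Get-SuspendedBitLockerVolume)
if ($suspended.Count -eq 0) {
    Write-Output 'No suspended BitLocker volumes found.'
} else {
    Write-Warning "BitLocker protection is suspended on $($suspended.Count) volume(s):"
    $suspended | Format-Table -AutoSize
    # Non-zero exit so a scheduled task or RMM job can raise an alert.
    exit 1
}
```

Run it with -Resume to restore protection on the spot; schedule it (or the same logic via Intune/compliance reporting) if you want to catch a host that was left suspended across a reboot, as the thread describes.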

@ancatdubh @sensepost I haven't tested this yet, but I suspect Windows Update will automatically suspend Bitlocker if there's a BIOS update queued; since BIOS updates through WU are usually optional, it might be possible to trigger one on demand…

@jernej__s @ancatdubh @sensepost thanks for the commentary. It’s certainly a finding that needs to be remedied. I’ll confirm with Reino (he doesn’t do the socials), but it was provided that way and powered on from off for a pentest, so I think it survived a reboot. Maybe it was as @jernej__s suggested - something to do with a BIOS update.

@singe @ancatdubh @sensepost I doubt BIOS update was the culprit here – while Windows will suspend Bitlocker to do the update, the suspended state will go away as soon as Windows boots back up. Something else must've been misconfigured for Bitlocker to not be active (thinking about it, is it possible that Bitlocker was never activated at all – on modern computers, Windows will often enable Bitlocker by default, but until you activate it, it'll remain suspended).

@sensepost Hint: you can use dislocker on Linux to mount Bitlocker volumes (if Bitlocker is suspended, it should mount without requiring a password).
GitHub - Aorimn/dislocker: FUSE driver to read/write Windows' BitLocker-ed volumes under Linux / Mac OSX