Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The exploit is named GreatXML, after the malicious Windows answer file at the center of the attack. GreatXML is a BitLocker bypass. It abuses the state that Windows Recovery Environment enters after Microsoft Defender's offline scan has been used on a machine.
14 distinct techniques documented for this family, organized by ATT&CK tactic.
GreatXML is a design-level abuse of three intersecting Windows behaviors: how WinRE processes Windows answer files... The critical execution occurs in the windowsPE pass, which runs in the pre-OS WinRE environment before any user interaction.
With the files planted and the machine in offline-scan WinRE state, the trigger is trivial and requires no credentials... On the WinRE boot, the offline-scan state causes WinRE to process the malicious unattend.xml. The windowsPE pass commands execute, the staging script runs, and a console shell spawns with access to the BitLocker-encrypted volume.
You will have to copy “unattend.xml” and “Recovery” directory to the root of the recovery partition then reboot to WinRE using shift + click on restart button, if everything was done correctly, a shell with unrestricted access to the bitlocker volume will spawn.
GreatXML is a design-level abuse of three intersecting Windows behaviors: how WinRE processes Windows answer files... The critical execution occurs in the windowsPE pass, which runs in the pre-OS WinRE environment before any user interaction.
On June 10, security researcher Chaotic Eclipse ... published a new working exploit dubbed GreatXML ... that bypasses BitLocker and opens a command shell with full SYSTEM privileges while Windows is in Recovery Mode.
You will have to copy “unattend.xml” and “Recovery” directory to the root of the recovery partition then reboot to WinRE using shift + click on restart button, if everything was done correctly, a shell with unrestricted access to the bitlocker volume will spawn.
With a malicious unattend.xml and a modified Recovery directory planted at the root of the recovery partition, the next entry into WinRE via Shift + Restart spawns a shell with unrestricted access to the BitLocker-encrypted volume.
Credential rotation, password resets, and loss of remote access do not remove the planted artifacts.
WinRE processes it natively during its boot sequence. The malicious version instructs WinRE to execute commands that spawn a shell environment with access to the BitLocker volume.
With the files planted and the machine in offline-scan WinRE state, the trigger is trivial and requires no credentials... On the WinRE boot, the offline-scan state causes WinRE to process the malicious unattend.xml. The windowsPE pass commands execute, the staging script runs, and a console shell spawns with access to the BitLocker-encrypted volume.
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.