GreatXML Windows Zero-Day Turns Defender Offline Scan Into a BitLocker Backdoor
The post-compromise technique abuses Windows Recovery Environment to create persistent access to BitLocker-encrypted data, with no patch currently available.
According to the Cyderes Howler Cell team, a newly disclosed Windows zero-day called GreatXML can turn Microsoft Defender’s offline scanning process into a pathway for accessing BitLocker-encrypted data without a recovery key or user credentials.
The technique targets the interaction between Windows Recovery Environment, known as WinRE, Microsoft Defender Offline and Windows answer files. According to research from Cyderes, an attacker with administrator privileges can place a malicious unattend.xml file and modified recovery components on the Windows recovery partition.
When the device later boots into WinRE, the malicious answer file can execute before normal authentication and BitLocker protections are enforced. This produces a command shell with access to the encrypted Windows volume.
GreatXML is not an initial access vulnerability. An attacker must already have administrator-level control of the affected computer to place the required files on the recovery partition. Its primary value is persistence. The planted files can remain after passwords are changed, remote access is removed or the main operating system is reinstalled.
“GreatXML survives incident response. Plant two files with admin access, walk away. Credential rotation, re-imaging the OS, none of it touches what's sitting on the recovery partition,” said Brian Hussey, senior vice president of Cyber Fusion at Cyderes.
The proof of concept was published June 11 by a researcher using the MSNightmare handle. Cyderes said its Howler Cell research team verified the technique on a fully patched Windows 11 system. The vulnerability currently has no CVE identifier, and Microsoft has not released a patch addressing the underlying behavior.
The attack also requires the system to enter the WinRE state associated with a Microsoft Defender Offline scan. Once the malicious components are present, the attacker or someone with physical access can initiate a recovery boot through the Windows lock screen.
GreatXML is the latest tool associated with the Nightmare-Eclipse collection of Windows exploits. The cluster has targeted components including Microsoft Defender, BitLocker and CTFMON, suggesting a focus on weakening multiple layers of Windows endpoint security.
“Nightmare-Eclipse isn't dropping random exploits. Six of eight tools hit components Microsoft markets as security guarantees: Defender, BitLocker, CTFMON. That's a deliberate dismantling of the endpoint security stack,” Hussey said.
The collection also includes several privilege-escalation techniques that can provide SYSTEM-level access through different Windows components. That redundancy may make the toolkit more dependable across organizations running varied hardware, configurations and Windows versions.
“Four independent privilege escalation primitives across three subsystems. That's not a researcher's dump. That's an operator toolkit built for reliability across a mixed enterprise estate,” Hussey said.
Because GreatXML requires elevated access, organizations should treat it as a potential second-stage capability following an earlier compromise. Cyderes recommends monitoring for unattend.xml files written to the root of the recovery partition, particularly when the activity does not originate from Windows Update or a legitimate recovery process.
Security teams should also investigate unexpected recovery partition modifications, newly created Recovery or WindowsRE directories, and Defender Offline scans initiated from user-controlled processes.
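The two recommendations above amount to a file-system hunt on the recovery partition itself. The following PowerShell script is an added example written for this page, not Cyderes' tooling or anything from the proof of concept: it locates each GPT recovery partition on the local machine, temporarily assigns it a drive letter, reports any unattend.xml present, hashes the contents of Recovery\WindowsRE so they can be compared with a baseline taken from a clean image, lists the top-level directories with their creation times, and then removes the drive letter again. It assumes an elevated session, a GPT disk layout, the Storage module cmdlets, and reagentc.exe; the baseline hash table is a placeholder to be filled from a trusted image.

```powershell
#Requires -RunAsAdministrator
# Added example: hunt for answer files and modified recovery components on the
# Windows recovery partition(s). Read-only inspection; the only change made is a
# temporary drive letter, which is removed in the finally block.
# Assumptions: GPT layout, Storage module cmdlets, reagentc.exe available.

# GPT partition type GUID used by Windows for recovery partitions.
$RecoveryGptType = '{de94bba4-06d1-4d40-a16d-dbfd59b6df71}'

# PLACEHOLDER: fill from Get-FileHash -Algorithm SHA256 on a known-clean image.
$KnownGoodWinReHashes = @{
    # 'Winre.wim' = '<sha256 from baseline image>'
}

function Get-WinReLocation {
    # reagentc reports where WinRE is registered; a second or relocated copy is worth a look.
    $info = & reagentc.exe /info 2>$null
    ($info | Where-Object { $_ -match 'Windows RE location' }) -replace '^\s*Windows RE location:\s*', ''
}

function Invoke-RecoveryPartitionHunt {
    $findings = @()
    $recoveryParts = Get-Partition | Where-Object { $_.GptType -eq $RecoveryGptType }
    if (-not $recoveryParts) { Write-Warning 'No GPT recovery partition found.'; return $findings }

    foreach ($p in $recoveryParts) {
        $assigned = $false
        if ($p.DriveLetter -notmatch '^[A-Za-z]$') {
            # Recovery partitions normally have no letter; assign one just for the inspection.
            Add-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AssignDriveLetter
            $p = Get-Partition -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber
            $assigned = $true
        }
        $root = "$($p.DriveLetter):\"
        try {
            # Stage-1 artifact: an answer file anywhere on the partition (root is the documented location).
            $answerFiles = Get-ChildItem -Path $root -Recurse -Force -Filter 'unattend.xml' -ErrorAction SilentlyContinue
            foreach ($f in $answerFiles) {
                $findings += [pscustomobject]@{
                    Disk = $p.DiskNumber; Partition = $p.PartitionNumber; Item = $f.FullName
                    Time = $f.LastWriteTimeUtc; Note = 'unattend.xml on recovery partition: investigate'
                }
            }
            # Recovery components: hash every file under Recovery\WindowsRE for baseline comparison.
            $winre = Join-Path $root 'Recovery\WindowsRE'
            if (Test-Path $winre) {
                foreach ($f in Get-ChildItem -Path $winre -Recurse -Force -File) {
                    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                    $note = "no baseline; sha256=$hash"
                    if ($KnownGoodWinReHashes.ContainsKey($f.Name)) {
                        $note = if ($KnownGoodWinReHashes[$f.Name] -ieq $hash) { 'matches baseline' } else { "DIFFERS from baseline; sha256=$hash" }
                    }
                    $findings += [pscustomobject]@{
                        Disk = $p.DiskNumber; Partition = $p.PartitionNumber; Item = $f.FullName
                        Time = $f.LastWriteTimeUtc; Note = $note
                    }
                }
            }
            # Top-level directories with creation times, so newly created Recovery/WindowsRE trees stand out.
            foreach ($d in Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue) {
                $findings += [pscustomobject]@{
                    Disk = $p.DiskNumber; Partition = $p.PartitionNumber; Item = $d.FullName
                    Time = $d.CreationTimeUtc; Note = 'top-level directory (compare creation time with install date)'
                }
            }
        }
        finally {
            if ($assigned) {
                Remove-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath $root
            }
        }
    }
    return $findings
}

Write-Host "Registered WinRE location: $(Get-WinReLocation)"
Invoke-RecoveryPartitionHunt | Sort-Object Disk, Partition, Item | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the host under investigation, or offline against a disk image attached to an analysis machine; in the latter case the partition numbers come from the attached disk. Because the article notes that reimaging the primary partition leaves the recovery partition untouched, the same check belongs in the post-reimage verification step, not only in triage.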
“No patch exists. The only detection window is Stage 1, file placement on the recovery partition. If you're not monitoring for unattend.xml writes outside Windows Update context, you won't see this coming,” Hussey said.
The findings highlight a difficult problem for incident responders. Reimaging the primary Windows partition may not remove malicious artifacts stored separately in the recovery environment. Organizations investigating privileged Windows compromises may need to inspect and rebuild recovery partitions rather than assuming a standard operating system reinstallation has eliminated persistence.