“If Defender offline scan was initiated in the victim machine at any point then there is no need to login, the machine is automatically vulnerable,” the researcher, who goes online by the name Nightmare Eclipse or Chaotic Eclipse, said in the exploit notes. “If Defender offline scan was never initiated then you have to either login and initiate it yourself or figure out a way to boot into WinRE in offline scan state (I believe it should be very possible to do so without logging in).”
The requirement to log in matters here because logging in is what gives a user access to the BitLocker-protected system drive: on a default TPM-only configuration the volume is already unlocked transparently by the time the logon screen appears, and the password is the remaining gate. The whole point of a BitLocker bypass, however, is to reach the unencrypted contents of the drive without the credentials to log in, for example on a stolen laptop.
On machines where an offline Windows Defender scan has been run in the past, the exploitation is supposed to work by copying two files (unattend.xml and Recovery/WindowsRE/ReAgent.xml) provided by Nightmare Eclipse to the WinRE partition, and then restarting the system into WinRE. The copy step can be done from outside the OS (for example from a boot disk) because the WinRE partition is not encrypted.
“If everything was done correctly, a shell with unrestricted access to the BitLocker volume will spawn,” Nightmare Eclipse said.
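The two preconditions the bypass leans on, an enabled WinRE on an unencrypted recovery partition and an OS volume that the TPM unlocks at boot without any pre-boot secret, can be inventoried from an elevated PowerShell prompt. The script below is an added example by this editor, not code from the article or from Nightmare Eclipse. It assumes English-language output from reagentc (the status and location lines are parsed by regex), that the BitLocker PowerShell module is present, and it treats a TPM-only protector as the exposed configuration because a TPM+PIN or startup-key protector forces pre-boot authentication before the volume key is released. It does not determine whether a Defender offline scan was ever run, since the article gives no reliable way to check that.

```powershell
# Added example (editor's, not from the original article or from Nightmare Eclipse).
# Run from an elevated PowerShell prompt on Windows 10/11 with the BitLocker module.
# Assumptions (not from the article): reagentc prints English output, and a TPM-only
# key protector is treated as the exposed state because it auto-unlocks the OS volume
# with no pre-boot PIN or startup key.

function Get-WinReStatus {
    # reagentc /info reports whether WinRE is enabled and which partition hosts it.
    $info     = & reagentc.exe /info 2>&1 | Out-String
    $status   = if ($info -match 'Windows RE status:\s+(\S+)')   { $Matches[1] } else { 'Unknown' }
    $location = if ($info -match 'Windows RE location:\s+(\S+)') { $Matches[1] } else { 'Unknown' }
    [pscustomobject]@{ Status = $status; Location = $location }
}

function Get-OsVolumeProtectors {
    # Key protector types on the system drive decide whether a boot into WinRE
    # can unlock the volume without anyone typing a secret.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus.ToString()   # On / Off
        VolumeStatus     = $vol.VolumeStatus.ToString()       # FullyEncrypted, FullyDecrypted, ...
        ProtectorTypes   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    }
}

function Test-WinReBitLockerExposure {
    $winre = Get-WinReStatus
    $bl    = Get-OsVolumeProtectors

    # These protector types require a secret before the TPM (or the user) releases the key,
    # so WinRE booted by someone holding the laptop cannot unlock the OS volume on its own.
    $preBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey'
    $preBoot = @($bl.ProtectorTypes | Where-Object { $_ -in $preBootTypes })
    $tpmOnly = ($bl.ProtectorTypes -contains 'Tpm') -and ($preBoot.Count -eq 0)

    $findings = @()
    if ($bl.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is $($bl.ProtectionStatus) on $($bl.MountPoint)"
    }
    if ($tpmOnly) {
        $findings += 'OS volume uses a TPM-only protector: it auto-unlocks at boot with no pre-boot PIN or startup key'
    }
    if ($winre.Status -eq 'Enabled') {
        $findings += "WinRE is enabled at $($winre.Location); the recovery partition is unencrypted and writable offline"
    }

    [pscustomobject]@{
        WinRE              = $winre
        BitLocker          = $bl
        Findings           = $findings
        # True when an attacker-initiated WinRE boot would see the OS volume unlocked.
        AutoUnlocksInWinRe = ($bl.ProtectionStatus -eq 'On') -and $tpmOnly -and ($winre.Status -eq 'Enabled')
    }
}

Test-WinReBitLockerExposure | Format-List
```

A machine where AutoUnlocksInWinRe is true and an offline scan has ever run is the case the exploit notes describe; moving the OS volume to a TPM+PIN protector (Add-BitLockerKeyProtector -TpmAndPinProtector) closes the auto-unlock path regardless of what is placed on the recovery partition.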