by bayindirh 1201 days ago
From the official analysis [0]:

> The next feature deactivated by the installer is BitLocker Drive Encryption. The reason for this is that BitLocker can be used in a combination with Trusted Platform Module (TPM) to ensure that various boot files and configurations, including Secure Boot, haven’t been tampered with since BitLocker drive encryption was configured on the system. Considering that the installer modifies the Windows boot chain on a compromised machine, keeping BitLocker on for systems with TPM support would lead to a BitLocker recovery screen at the next bootup and would tip the victim off that the system had been compromised.

[0]: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bo...


Disable-Bitlocker should do the trick: https://learn.microsoft.com/en-us/powershell/module/bitlocke...

Obviously requires admin permissions on a running host, but if you're injecting into the bootloader you're already admin (or you can get it easily).
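Since the installer's first move is to turn BitLocker off so the TPM-bound boot measurements stop mattering, the defender-side counterpart is to check that posture regularly rather than trust it. The following is an added example, not code from the thread or from the ESET write-up; it assumes an elevated PowerShell session on a Windows host with the BitLocker module, and the function name is my own.

```powershell
# Added example: audit BitLocker/TPM/Secure Boot posture on the OS drive so an
# unexpected "ProtectionStatus = Off" is reported instead of silently accepted.
# Assumes an elevated PowerShell session with the BitLocker module available.
function Test-BitLockerBootPosture {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)

    $findings = @()

    # Without a ready TPM there is nothing to seal the volume key to the boot chain.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings += "TPM not present/ready; boot-chain measurements cannot protect the volume key."
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as a finding too.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings += "Secure Boot is disabled." }
    } catch {
        $findings += "Secure Boot state could not be queried (legacy BIOS or insufficient rights)."
    }

    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection on $OsDrive is $($vol.ProtectionStatus) " +
                     "(volume status: $($vol.VolumeStatus))."
    }

    # A volume that is encrypted but has no TPM-based protector will never hit the
    # recovery screen on boot-chain tampering; that is the signal the installer avoids.
    $tpmProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    if (-not $tpmProtector) {
        $findings += "No TPM-based key protector on $OsDrive; boot tampering will not trigger recovery."
    }

    [pscustomobject]@{
        Drive    = $OsDrive
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Emit a non-zero exit code so a scheduled task or monitoring agent can alert on drift.
$result = Test-BitLockerBootPosture
$result | Format-List
if (-not $result.Healthy) { exit 1 }
```

Running this from a scheduled task and alerting on a change from Healthy to not-Healthy turns the "quietly decrypt first" step into an observable event, even though an attacker who already has admin could equally disable the task.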

So don't things like Windows Defender offline scans and other offline scans, where the HD BitLocker codes are typed in manually, detect the rootkit?

Half the problem I find with these security products is knowing what their actual abilities and inabilities are. I've assumed wrongly in the past that some security products are doing things when in fact they are not, and that's obviously an area for exploitation.

BitLocker? If you're admin in Windows you can just unencrypt your drive.