A new security bypass technique dubbed "GreatXML" has been disclosed by researcher Chaotic Eclipse (aka Nightmare-Eclipse), revealing a critical weakness in how Windows handles recovery partition XML files. This finding allows attackers to bypass Windows BitLocker encryption, undermining a foundational control for endpoint security.
Discovered by accident in about four hours, while the researcher was looking at a separate Microsoft Defender issue, GreatXML demonstrates that the Windows Recovery Environment (WinRE) and the XML configuration it consumes can be weaponized to bypass Full Volume Encryption (FVE). For defenders the message is direct: BitLocker alone is insufficient if the recovery partition and its configuration are not hardened against physical tampering.
Technical Analysis
Affected Products and Platforms:
- OS: Windows 10, Windows 11, and Windows Server versions utilizing BitLocker and a dedicated Recovery Partition (WinRE).
- Mechanism: The attack leverages XML files associated with the Windows Recovery Environment and, specifically, artifacts related to the "Windows Defender Offline Scan" functionality.
How the Vulnerability Works: The GreatXML technique exploits the trust relationship between the main OS and the Recovery Partition. In a typical attack chain:
- Physical Access: An attacker gains physical access to a powered-off or locked device.
- WinRE Entry: The attacker boots into the Windows Recovery Environment (WinRE), often via interrupting the boot process.
- XML Manipulation: The attacker navigates to the recovery partition and identifies specific XML files used by Windows for offline scanning or recovery configuration. By modifying these XML files—injecting malicious commands or altering configuration parameters—the attacker tricks the system into executing code with elevated privileges or altering the boot state.
- Bypass Execution: Upon reboot or execution of the specific recovery task (e.g., triggering an offline scan), the malicious XML payload is executed. This can result in dumping clear-text credentials, disabling the TPM protector, or launching a reverse shell, effectively rendering BitLocker encryption moot.
Exploitation Status: As of June 2026, this is a Proof-of-Concept (PoC) released by a security researcher. While no in-the-wild active exploitation campaigns have been confirmed at the time of writing, the low barrier to entry (physical access + simple file edit) means defenders should assume it is already in use by sophisticated physical adversaries and law enforcement.
Detection & Response
Detecting this attack requires monitoring for the precursors of recovery environment tampering. Since the attack primarily occurs within WinRE (which has limited logging), the focus is on detecting the preparation phase (accessing/mounting the recovery partition from within Windows) and the indicators of XML modification.
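Because WinRE itself logs almost nothing, the most reliable way to catch XML or image tampering in the recovery partition after the fact is a baseline taken at deployment time. The script below is an added example, not code from the original advisory or from the researcher; it hashes the WinRE configuration and image and parses reagentc /info so that later drift shows up as a hash or status mismatch. Assumptions it makes: the staged configuration lives at C:\Windows\System32\Recovery\ReAgent.xml (winre.wim is only staged there while WinRE is disabled); the live recovery partition is a GPT partition of type Recovery reachable through its \\?\Volume{...}\ access path and holds \Recovery\WindowsRE\winre.wim and ReAgent.xml; and reagentc /info prints "Windows RE status:" and "Windows RE location:" lines. Run it elevated.

```powershell
<#
  Added example: baseline and compare WinRE artifacts (ReAgent.xml, winre.wim) and reagentc state.
  Paths and the \\?\Volume{...}\ access assumption are described in the lead-in above.
#>

function Get-WinReStatus {
    # Parse reagentc /info into a small object; a field is $null if its line is absent
    # (for example when the command was not run elevated).
    $text = (reagentc /info 2>&1) -join "`n"
    [pscustomobject]@{
        Status   = if ($text -match 'Windows RE status:\s*(\S+)')   { $Matches[1] } else { $null }
        Location = if ($text -match 'Windows RE location:\s*(\S+)') { $Matches[1] } else { $null }
    }
}

function Get-WinReArtifactPaths {
    # Staged copies on the OS volume plus, when a Recovery partition exists, the live copies on it.
    $paths = @("$env:SystemRoot\System32\Recovery\ReAgent.xml",
               "$env:SystemRoot\System32\Recovery\winre.wim")
    $recovery = Get-Partition -ErrorAction SilentlyContinue | Where-Object { "$($_.Type)" -eq 'Recovery' }
    foreach ($p in $recovery) {
        # Assumption: the partition is readable through its volume GUID path without assigning a letter.
        foreach ($ap in @($p.AccessPaths) | Where-Object { $_ -like '\\?\Volume{*' }) {
            $paths += $ap.TrimEnd('\') + '\Recovery\WindowsRE\winre.wim'
            $paths += $ap.TrimEnd('\') + '\Recovery\WindowsRE\ReAgent.xml'
        }
    }
    $paths
}

function Get-WinReBaseline {
    $items = foreach ($path in Get-WinReArtifactPaths) {
        try {
            $f = Get-Item -LiteralPath $path -Force -ErrorAction Stop
            [pscustomobject]@{
                Path      = $path
                Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash
                LastWrite = $f.LastWriteTimeUtc.ToString('o')
                Size      = $f.Length
            }
        } catch {
            # Absence is itself a signal: winre.wim appearing in System32\Recovery means WinRE was disabled.
            [pscustomobject]@{ Path = $path; Sha256 = $null; LastWrite = $null; Size = $null }
        }
    }
    [pscustomobject]@{
        Taken     = (Get-Date).ToUniversalTime().ToString('o')
        WinRE     = Get-WinReStatus
        Artifacts = @($items)
    }
}

function Compare-WinReBaseline {
    param([Parameter(Mandatory)]$Reference, [Parameter(Mandatory)]$Current)
    # Emits one object per artifact whose hash or presence changed, plus one for reagentc drift.
    $ref = @{}
    foreach ($a in @($Reference.Artifacts)) { $ref[$a.Path] = $a.Sha256 }
    foreach ($a in @($Current.Artifacts)) {
        if ($ref.ContainsKey($a.Path) -and $ref[$a.Path] -ne $a.Sha256) {
            [pscustomobject]@{ Item = $a.Path; Was = $ref[$a.Path]; Now = $a.Sha256 }
        }
    }
    if ($Reference.WinRE.Status -ne $Current.WinRE.Status -or $Reference.WinRE.Location -ne $Current.WinRE.Location) {
        [pscustomobject]@{
            Item = 'reagentc /info'
            Was  = "$($Reference.WinRE.Status) $($Reference.WinRE.Location)"
            Now  = "$($Current.WinRE.Status) $($Current.WinRE.Location)"
        }
    }
}

# Usage: take the baseline at deployment and keep a copy off-host (an attacker with the disk can
# edit a local baseline as easily as the XML); during triage compare the stored copy with a fresh one.
$BaselinePath = "$env:ProgramData\WinReBaseline.json"
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    Get-WinReBaseline | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    $stored = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $drift  = Compare-WinReBaseline -Reference $stored -Current (Get-WinReBaseline)
    if ($drift) { $drift | Format-Table -AutoSize } else { Write-Host "No drift in WinRE artifacts." }
}
```

A hash change on winre.wim or ReAgent.xml that does not line up with a servicing event in the update history is the strongest single indicator of the tampering this technique depends on.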
SIGMA Rules
---
title: Potential Recovery Partition Mounting via Diskpart or Mountvol
id: 9c8f1b23-4d5e-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: >
  Detects diskpart or mountvol being used to expose a hidden volume such as the WinRE recovery
  partition, a common precursor to GreatXML-style tampering. Diskpart is usually driven
  interactively or through a script file (diskpart /s), so "assign letter=" often never appears
  on the command line; treat "/s" as the trigger and review the script file it points to.
references:
  - https://attack.mitre.org/techniques/T1562/001/
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    Image|endswith:
      - '\diskpart.exe'
      - '\mountvol.exe'
  selection_cmd:
    CommandLine|contains:
      - 'assign letter='
      - ' /s'
      - '\\?\Volume{'
  condition: all of selection_*
falsepositives:
  - Legitimate IT administration of recovery partitions
  - Imaging and deployment tooling that scripts diskpart
level: medium
---
title: Modification of WinRE or Offline Scan XML Files
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: >
  Detects modifications to XML files in the Windows Recovery or Defender Offline scan
  directories. Sysmon does not record content modifications, so map this category to a
  source that does (Windows object-access auditing with a SACL on these directories, or EDR
  file telemetry). Servicing processes are filtered because every cumulative update rewrites
  manifests under WinSxS.
references:
  - https://attack.mitre.org/techniques/T1562/001/
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: file_change
  product: windows
detection:
  selection_paths:
    TargetFilename|contains:
      - '\Windows\System32\Recovery\'
      - '\Windows\WinSxS\'
      - '\Recovery\WindowsRE\'
  selection_ext:
    TargetFilename|endswith: '.xml'
  filter_servicing:
    Image|endswith:
      - '\TiWorker.exe'
      - '\TrustedInstaller.exe'
  condition: all of selection_* and not filter_servicing
falsepositives:
  - Windows Updates modifying recovery components
  - Legitimate recovery tool usage
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for diskpart or mountvol being used to expose a hidden volume (recovery partition)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("diskpart.exe", "mountvol.exe")
| where ProcessCommandLine contains "assign"
    or ProcessCommandLine contains " /s"
    or ProcessCommandLine contains @"\\?\Volume{"
| extend DiskPartCommand = extract(@"(assign\s+letter=\w)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, DiskPartCommand
| order by Timestamp desc

// Monitor for modifications to XML files in recovery-related paths, excluding servicing processes
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileModified", "FileCreated", "FileRenamed")
| where FolderPath has "Recovery" or FolderPath has "WindowsRE" or FolderPath has "WinSxS"
| where FileName endswith ".xml"
| where InitiatingProcessFileName !in~ ("TiWorker.exe", "TrustedInstaller.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FileName, FolderPath, ActionType
| order by Timestamp desc
Velociraptor VQL
-- Hunt for recent modifications to Recovery configuration XML files on the OS volume
-- (OSPath is the current field name; older releases expose it as FullPath)
SELECT OSPath, Mtime, Atime, Size, Mode
FROM glob(globs="C:/Windows/System32/Recovery/**/*.xml")
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- Hunt for recently changed Defender-related XML manifests in WinSxS
SELECT OSPath, Mtime, Size
FROM glob(globs="C:/Windows/WinSxS/**/*.xml")
WHERE OSPath =~ "Defender" AND Mtime > timestamp(epoch=now() - 7 * 24 * 3600)
Remediation Script (PowerShell)
<#
.SYNOPSIS
    Audit and hardening check against the GreatXML BitLocker bypass.
.DESCRIPTION
    Checks BitLocker protection and protector types on the OS volume, reports WinRE status and
    location, audits ACLs on the staged recovery directory, and lists recently modified XML files
    in recovery-related paths. Read-only; run from an elevated PowerShell session.
#>
Write-Host "[+] Starting GreatXML Hardening Audit..." -ForegroundColor Cyan

# 1. Check BitLocker status and protector types on the OS volume
Write-Host "[+] Checking BitLocker Status..." -ForegroundColor Cyan
$OsDrive = $env:SystemDrive
$BitLockerStatus = Get-BitLockerVolume -MountPoint $OsDrive
if ($BitLockerStatus.ProtectionStatus -eq 'On') {
    Write-Host " [OK] BitLocker is ON for $OsDrive" -ForegroundColor Green
    # A TPM-only protector unlocks the volume silently at boot; TPM+PIN also demands a user secret,
    # which is what defeats boot-into-WinRE style attacks.
    $Types  = @($BitLockerStatus.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    $HasPin = ($Types -contains 'TpmAndPin') -or ($Types -contains 'TpmAndPinAndStartupKey')
    if ($HasPin) {
        Write-Host " [OK] TPM+PIN protector present." -ForegroundColor Green
    } elseif ($Types -contains 'Tpm') {
        Write-Host " [WARN] OS volume relies on a TPM-only protector. Enable TPM+PIN." -ForegroundColor Yellow
    } else {
        Write-Host " [WARN] No TPM-based protector found: $($Types -join ', ')" -ForegroundColor Yellow
    }
} else {
    Write-Host " [CRITICAL] BitLocker is OFF for $OsDrive." -ForegroundColor Red
}

# 2. Report WinRE status and location (reagentc requires elevation)
Write-Host "[+] Checking WinRE status..." -ForegroundColor Cyan
$ReInfo = reagentc /info 2>&1
$ReInfo | Where-Object { $_ -match 'Windows RE (status|location):' } | ForEach-Object { Write-Host " $($_.Trim())" }
if ($ReInfo -match 'Windows RE status:\s*Enabled') {
    Write-Host " [INFO] WinRE is enabled: winre.wim lives on the unencrypted recovery partition listed above." -ForegroundColor Yellow
}

# 3. Audit permissions on the staged recovery directory (basic check)
Write-Host "[+] Auditing Recovery directory ACLs..." -ForegroundColor Cyan
$RecoveryPath = "$env:SystemRoot\System32\Recovery"
if (Test-Path $RecoveryPath) {
    $Loose = (Get-Acl $RecoveryPath).Access | Where-Object {
        $_.IdentityReference -notmatch 'SYSTEM|Administrators|TrustedInstaller' -and
        $_.FileSystemRights -match 'FullControl|Modify|Write'
    }
    if ($Loose) {
        Write-Host " [WARN] Non-privileged identities can write to $RecoveryPath :" -ForegroundColor Yellow
        $Loose | Format-List IdentityReference, FileSystemRights
    } else {
        Write-Host " [OK] Only SYSTEM, Administrators and TrustedInstaller have write access." -ForegroundColor Green
    }
} else {
    Write-Host " [INFO] Standard recovery path not found (custom configuration?)." -ForegroundColor Gray
}

# 4. Check for recently modified XML files in recovery-related paths
Write-Host "[+] Checking for recent XML modifications in System/Recovery paths..." -ForegroundColor Cyan
$DateThreshold = (Get-Date).AddDays(-7)
# WinSxS is included because the Defender Offline artifacts live there, but every cumulative
# update rewrites manifests in it, so correlate hits with the update history before escalating.
$SuspiciousFiles = Get-ChildItem -Path "$env:SystemRoot\System32\Recovery", "$env:SystemRoot\WinSxS" -Filter *.xml -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $DateThreshold }
if ($SuspiciousFiles) {
    Write-Host " [ALERT] Found recently modified XML files:" -ForegroundColor Red
    $SuspiciousFiles | Format-Table FullName, LastWriteTime, Length -AutoSize
} else {
    Write-Host " [OK] No recent XML modifications found." -ForegroundColor Green
}
Write-Host "[+] Audit Complete." -ForegroundColor Cyan
Remediation
To mitigate the GreatXML bypass and similar physical-access attacks, implement the following controls:
- Require TPM + PIN: The single most effective mitigation against physical BitLocker bypasses is a startup PIN in addition to the TPM. In Group Policy (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives), enable "Require additional authentication at startup", set "Configure TPM startup PIN" to "Require startup PIN with TPM" and "Configure TPM startup" to "Do not allow TPM", and optionally enable "Allow enhanced PINs for startup" so PINs may contain letters and symbols. Then add the protector with manage-bde -protectors -add C: -TPMAndPIN. With TPM+PIN the TPM does not release the volume master key until the PIN is entered, so an attacker who boots the device into WinRE or any other environment without the PIN never obtains an unlocked OS volume.
- Disable or secure WinRE: If the recovery environment is not strictly required for endpoint operations, run reagentc /disable as Administrator. This removes the WinRE boot entry and moves winre.wim back to C:\Windows\System32\Recovery, inside the BitLocker-protected OS volume, so the attacker can no longer boot into recovery from the unencrypted partition. Push-button reset and WinRE servicing depend on it, so re-enable with reagentc /enable where those are needed.
- Keep the recovery partition minimal: The WinRE tools partition must remain unencrypted because the boot manager loads it before the OS volume is unlocked, so BitLocker cannot protect it. Ensure OEM and custom images do not stage sensitive configuration or XML there in clear text, and use reagentc /info to confirm which partition is actually in use.
- Secure Boot and firmware: Ensure Secure Boot is enabled, set a UEFI administrator password so Secure Boot and the boot order cannot be changed from firmware setup, and disable booting from external media.
- Physical security controls: Encryption protects data at rest against device theft, not against a dedicated attacker with physical access and time. Enforce facility controls (laptop cables, secure server rooms).
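The TPM+PIN step above is the one most often left half-done: the policy is set but the volume still carries its original TPM-only protector, or the protector is added but policy allows TPM-only elsewhere in the fleet. The script below is an added example, not code from the original advisory, that puts the weak and corrected policy values side by side, checks which protectors the OS volume actually has, and only with -Enforce applies the policy and swaps a TPM-only protector for TPM+PIN. Policy values live under HKLM\SOFTWARE\Policies\Microsoft\FVE and follow the Group Policy editor's meaning: UseAdvancedStartup 1 enables "Require additional authentication at startup"; UseTPM, UseTPMPIN, UseTPMKey and UseTPMKeyPIN use 0 = do not allow, 1 = require, 2 = allow. The minimum PIN length of 8 is this example's choice, not a documented requirement. Save it as a .ps1 and run elevated; on domain members set the policy in the GPO instead, since local values are overwritten at the next policy refresh.

```powershell
<#
  Added example: audit and (optionally) enforce TPM+PIN startup authentication.
  Registry value meanings and the PIN length choice are described in the lead-in above.
#>
param([switch]$Enforce, [string]$MountPoint = $env:SystemDrive)

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Weak configuration (a typical "TPM only" deployment) beside the corrected one.
$WeakPolicy      = @{ UseAdvancedStartup = 1; UseTPM = 1; UseTPMPIN = 0; UseTPMKey = 0; UseTPMKeyPIN = 0; EnableBDEWithNoTPM = 0 }
$CorrectedPolicy = @{ UseAdvancedStartup = 1; UseTPM = 0; UseTPMPIN = 1; UseTPMKey = 0; UseTPMKeyPIN = 0;
                      EnableBDEWithNoTPM = 0; UseEnhancedPin = 1; MinimumPIN = 8 }   # 8 = example choice

function Get-FvePolicy {
    # Returns the configured values as a hashtable; names that are absent are "Not configured".
    $result = @{}
    if (Test-Path $FvePolicy) {
        $props = Get-ItemProperty -Path $FvePolicy
        foreach ($name in $CorrectedPolicy.Keys) {
            if ($null -ne $props.$name) { $result[$name] = [int]$props.$name }
        }
    }
    $result
}

function Test-TpmPinRequired {
    param([hashtable]$Policy)
    # TPM+PIN is mandatory only when advanced startup is on, PIN is "require" and TPM-only is "do not allow".
    ($Policy['UseAdvancedStartup'] -eq 1) -and ($Policy['UseTPMPIN'] -eq 1) -and ($Policy['UseTPM'] -eq 0)
}

function Get-ProtectorSummary {
    param([string]$MountPoint)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    [pscustomobject]@{
        Protection   = "$($vol.ProtectionStatus)"
        Types        = $types
        HasTpmPin    = ($types -contains 'TpmAndPin') -or ($types -contains 'TpmAndPinAndStartupKey')
        HasRecovery  = $types -contains 'RecoveryPassword'
        TpmOnlyId    = ($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' } | Select-Object -First 1).KeyProtectorId
    }
}

$policy = Get-FvePolicy
$prot   = Get-ProtectorSummary -MountPoint $MountPoint

"{0,-20} {1,-10} {2,-10} {3}" -f 'Policy value', 'current', 'weak', 'corrected'
foreach ($name in ($CorrectedPolicy.Keys | Sort-Object)) {
    $cur  = if ($policy.ContainsKey($name))     { $policy[$name] }     else { 'not set' }
    $weak = if ($null -ne $WeakPolicy[$name])    { $WeakPolicy[$name] } else { '-' }
    "{0,-20} {1,-10} {2,-10} {3}" -f $name, $cur, $weak, $CorrectedPolicy[$name]
}
"TPM+PIN required by policy : $(Test-TpmPinRequired -Policy $policy)"
"OS volume protectors       : $($prot.Types -join ', ') (protection $($prot.Protection))"

if (-not $Enforce) {
    if (-not $prot.HasTpmPin) {
        "Remediation: re-run with -Enforce, or manually: manage-bde -protectors -delete $MountPoint -type TPM ; manage-bde -protectors -add $MountPoint -TPMAndPIN"
    }
    return
}

# Apply the corrected policy locally (use the GPO on domain members, see lead-in).
New-Item -Path $FvePolicy -Force | Out-Null
foreach ($name in $CorrectedPolicy.Keys) {
    Set-ItemProperty -Path $FvePolicy -Name $name -Value $CorrectedPolicy[$name] -Type DWord
}

# Swap the TPM-only protector for TPM+PIN. A volume carries one TPM-based protector, so the old one
# is removed first; a recovery password must exist beforehand so a reboot in between is recoverable.
if (-not $prot.HasTpmPin) {
    if (-not $prot.HasRecovery) { throw "No RecoveryPassword protector on $MountPoint; add and back one up before changing protectors." }
    $pin = Read-Host -AsSecureString "Startup PIN (at least $($CorrectedPolicy.MinimumPIN) characters)"
    if ($prot.TpmOnlyId) { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $prot.TpmOnlyId | Out-Null }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
}
"Done. Confirm with: manage-bde -status $MountPoint"
```

Run it without -Enforce first; the comparison table makes it obvious whether a machine is weak by policy, by protector, or by both, and a hit on either is a finding.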