GreatXML: Detecting BitLocker Bypass via Windows Recovery Environment

Security Arsenal Team
June 11, 2026
7 min read

A critical security weakness dubbed ‘GreatXML’ has emerged, exposing a fundamental flaw in how Windows protects encrypted data during recovery operations. This unpatched issue allows attackers to bypass BitLocker encryption entirely by leveraging the Windows Recovery Environment (WinRE) and Microsoft Defender’s offline scanning capabilities.

For defenders, this is a nightmare scenario: BitLocker, our primary control for data-at-rest protection, is rendered null and void if an attacker can trigger a reboot into Recovery Mode. Because this vulnerability leverages a trusted operating system component (Defender Offline) to execute code at the SYSTEM level, traditional signature-based defenses are often blind to the attack chain. Immediate action is required to audit access to recovery partitions and mitigate this vector until a patch is released.

Technical Analysis

The ‘GreatXML’ Exploit Mechanism

The attack targets the interplay between the Windows Recovery Environment (WinRE) and Microsoft Defender’s offline scanner (MpCmdRun.exe).

  1. Attack Vector: The attacker requires local access or the ability to write files to the system’s recovery partition or the main file system before a reboot is triggered.
  2. The Trigger: A crafted XML file is placed on the disk. When the system is rebooted into Recovery Mode (WinRE), the environment automatically initiates an offline malware scan using Defender.
  3. Exploitation: The Defender offline scan parses the crafted XML file. Due to a parsing flaw, it is tricked into executing a malicious command contained within the file.
  4. Impact: This execution occurs within the context of the WinRE environment, which runs with SYSTEM privileges and has full, unencrypted access to the OS drive (BitLocker is automatically suspended to allow the recovery/boot process).

Affected Components:

  • Platform: Windows 10 and Windows 11 (Versions utilizing WinRE).
  • Component: Windows Recovery Environment (WinRE) and Microsoft Defender Offline.
  • Status: Unpatched. Proof-of-Concept (PoC) code is available in the wild demonstrating the ability to spawn a SYSTEM shell.

Why This Matters: This is not just a theoretical privilege escalation. It completely undermines the trust model of Full Disk Encryption (FDE). An attacker who gains momentary physical access or compromises a user account can plant the payload, force a reboot, and gain full access to the decrypted file system, bypassing BitLocker entirely.

Detection & Response

Detecting this attack requires a shift in strategy. We cannot rely solely on detecting the exploit inside WinRE, as logging is often limited in that minimal environment. Instead, we must focus on the precursor activities: the placement of the malicious XML files and anomalous behavior by the Defender offline binary when it transitions back to the standard OS.

SIGMA Rules

The following Sigma rules target the writing of suspicious payloads to paths accessible by WinRE and the anomalous process spawning behavior of the Defender offline scanner.

YAML
---
title: GreatXML - Suspicious File Creation in Recovery Paths
id: 8a4b2c1d-9e3f-4a5b-8c6d-1e2f3a4b5c6d
status: experimental
description: Detects the creation of crafted XML files in directories commonly accessed by WinRE or Defender Offline, potentially indicative of the GreatXML exploit setup.
references:
  - https://www.securityweek.com/greatxml-zero-day-exploit-bypasses-bitlocker/
author: Security Arsenal
date: 2026/10/24
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: file_create
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Recovery\'
      - '\Windows\System32\Recovery\'
    TargetFilename|endswith:
      - '.xml'
  condition: selection
falsepositives:
  - Legitimate system recovery tools creating configuration files
level: high
---
title: GreatXML - Defender Offline Spawning Shell
id: 9b5c3d2e-0f4a-5b6c-9d7e-2f3a4b5c6d7e
status: experimental
description: Detects Microsoft Defender Offline tool (MpCmdRun.exe) spawning cmd.exe or powershell.exe, indicative of a command execution exploit via offline scan.
references:
  - https://www.securityweek.com/greatxml-zero-day-exploit-bypasses-bitlocker/
author: Security Arsenal
date: 2026/10/24
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\MpCmdRun.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  filter_legit:
    CommandLine|contains: 'Scan' # Exclude child processes launched for ordinary scan operations
  condition: selection and not filter_legit
falsepositives:
  - Rare administrative usage of MpCmdRun for scripts
level: critical

KQL (Microsoft Sentinel / Defender)

Use this query to hunt for file modifications to the Recovery partition and suspicious process lineage involving the Defender binary.

KQL — Microsoft Sentinel / Defender
// Hunt for modifications to Recovery Partition or suspicious Defender child processes
let FileCreationEvents = materialize(
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | where FolderPath contains @"\Recovery\"
        or FolderPath contains @"\System32\Recovery\"
    | where FileName endswith @".xml"
    | project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, ActionType, SHA256
);
let ProcessEvents = materialize(
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName == "MpCmdRun.exe"
    | where FileName in ("cmd.exe", "powershell.exe", "pwsh.exe")
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
);
union FileCreationEvents, ProcessEvents
| order by Timestamp desc
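The two Sigma rules and the KQL hunt above express the same two conditions: an .xml file landing in a recovery path, and MpCmdRun.exe spawning a shell. As an added example that is not part of the original post, here is that matching logic in Python, run over constructed sample events so it can be checked offline. Field names follow the Sigma windows file_create / process_creation taxonomy the rules use; the `category` key used to separate the two event kinds, and the helper names, are this example's own assumptions.

```python
"""Added example, not code from the Security Arsenal post: the matching logic of
the two Sigma rules and the KQL hunt, over constructed sample events.
Field names follow the Sigma windows taxonomy; 'category' is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# TargetFilename|contains values from the first rule, lower-cased for matching
RECOVERY_PATH_MARKERS = ("\\recovery\\", "\\windows\\system32\\recovery\\")
# Shell images from the second rule plus pwsh.exe, which the KQL hunt adds
SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")


@dataclass
class Finding:
    rule: str
    level: str
    event: dict


def match_recovery_xml_create(event: dict) -> bool:
    """Rule 1: an .xml written under a path WinRE / Defender Offline reads."""
    if event.get("category") != "file_create":
        return False
    target = event.get("TargetFilename", "").lower()
    return target.endswith(".xml") and any(m in target for m in RECOVERY_PATH_MARKERS)


def match_defender_offline_shell(event: dict) -> bool:
    """Rule 2: MpCmdRun.exe spawning a shell, with the rule's filter_legit applied."""
    if event.get("category") != "process_creation":
        return False
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if not parent.endswith("\\mpcmdrun.exe") or not image.endswith(SHELL_IMAGES):
        return False
    # filter_legit suppresses child command lines containing 'Scan'
    # (Sigma string matching is case-insensitive by default)
    return "scan" not in event.get("CommandLine", "").lower()


def run_rules(events: Iterable[dict]) -> list[Finding]:
    """Apply both rules; return findings newest first, as the KQL orders them."""
    findings: list[Finding] = []
    for ev in events:
        if match_recovery_xml_create(ev):
            findings.append(Finding("GreatXML - Suspicious File Creation in Recovery Paths", "high", ev))
        if match_defender_offline_shell(ev):
            findings.append(Finding("GreatXML - Defender Offline Spawning Shell", "critical", ev))
    return sorted(findings, key=lambda f: f.event["Timestamp"], reverse=True)


# Constructed sample telemetry (not real logs). ISO-8601 timestamps sort
# chronologically as strings.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-10T08:55:00Z", "category": "file_create",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.xml"},
    {"Timestamp": "2026-06-10T09:00:00Z", "category": "file_create",
     "Image": r"C:\Windows\System32\ReAgentc.exe",  # legitimate WinRE tooling
     "TargetFilename": r"C:\Windows\System32\Recovery\ReAgent.xml"},
    {"Timestamp": "2026-06-10T10:05:00Z", "category": "file_create",
     "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Recovery\crafted.xml"},
    {"Timestamp": "2026-06-10T10:20:00Z", "category": "process_creation",
     "ParentImage": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Timestamp": "2026-06-10T10:30:00Z", "category": "process_creation",
     "ParentImage": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c MpCmdRun.exe -Scan -ScanType 1"},  # dropped by filter_legit
    {"Timestamp": "2026-06-10T10:40:00Z", "category": "process_creation",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.level:<8}] {f.event['Timestamp']}  {f.rule}")
```

Running it yields three findings: the MpCmdRun.exe child shell (critical), the crafted.xml write (high), and the ReAgent.xml write by ReAgentc.exe (high). The last one is exactly the false positive the first rule's own `falsepositives` entry anticipates; a natural tuning step is to exclude creating images that end in `\ReAgentc.exe` or other known recovery tooling, while keeping the alert for everything else.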

Velociraptor VQL

This artifact hunts for the presence of suspicious XML files in the recovery environment directories on the disk.

VQL — Velociraptor
-- Hunt for GreatXML indicators in Recovery directories
-- A drive prefix is required on Windows; now() returns epoch seconds, so the
-- time window is built with timestamp() rather than a "7d" literal.
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs="C:/*Recovery*/**/*.xml")
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)
   OR Size < 1024

-- Check for WinRE configuration tampering (glob()'s Data column holds file
-- attributes, not contents, so the file body is read explicitly)
SELECT FullPath, Size, Mtime, read_file(filename=FullPath) AS Content
FROM glob(globs="C:/Windows/System32/Recovery/*.xml")
WHERE Mtime > timestamp(epoch=now() - 30 * 24 * 3600)

Remediation Script (PowerShell)

This script audits the WinRE configuration, lists recovery partitions whose access controls should be reviewed, and includes a commented-out mitigation step that disables WinRE for environments that can accept the loss of automatic recovery.

PowerShell
# GreatXML Mitigation Audit
# Requires Administrator Privileges (reagentc and Get-Partition need elevation)
Write-Host "[+] Auditing WinRE Status for GreatXML Vulnerability..." -ForegroundColor Cyan

# Check if WinRE is enabled. 'reagentc /info' is authoritative; the WinRE
# configuration file ReAgent.xml (under System32\Recovery, not System32) is
# inspected as a fallback when reagentc cannot be run.
$reInfo = ''
if (Get-Command reagentc.exe -ErrorAction SilentlyContinue) {
    $reInfo = (& reagentc.exe /info 2>$null) -join "`n"
}
$reAgentXml = "$env:windir\System32\Recovery\ReAgent.xml"
if ($reInfo -match 'Windows RE status:\s+Enabled') {
    Write-Host "[+] WinRE is Enabled. System is potentially vulnerable to BitLocker Bypass via Recovery Mode." -ForegroundColor Red
} elseif ($reInfo -match 'Windows RE status:\s+Disabled') {
    Write-Host "[-] WinRE is Disabled." -ForegroundColor Green
} elseif (Test-Path -Path $reAgentXml) {
    Write-Host "[!] reagentc returned no status; ReAgent.xml configuration found." -ForegroundColor Yellow
    $reAgentC = Get-Content -Path $reAgentXml -Raw -ErrorAction SilentlyContinue
    # Simplified check: the file references WinRE elements when a recovery image is configured
    if ($reAgentC -like "*WinRE*") {
        Write-Host "[+] WinRE appears Enabled. System is potentially vulnerable to BitLocker Bypass via Recovery Mode." -ForegroundColor Red
    }
} else {
    Write-Host "[-] ReAgent.xml not found or WinRE disabled." -ForegroundColor Green
}

# Check Recovery Partition Access (recovery partitions normally carry no drive
# letter; also review the ACLs on C:\Windows\System32\Recovery)
$recoveryPartitions = Get-Partition -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'Recovery' }
if ($recoveryPartitions) {
    Write-Host "[!] Recovery Partitions Detected:" -ForegroundColor Yellow
    foreach ($part in $recoveryPartitions) {
        $sizeMB = [math]::Round($part.Size / 1MB)
        Write-Host "    - Disk #: $($part.DiskNumber), Partition #: $($part.PartitionNumber), Size: $sizeMB MB"
        Write-Host "    ACTION: Ensure access ACLs on this partition are restricted to SYSTEM and Administrators only."
    }
} else {
    Write-Host "[-] No partition of type 'Recovery' detected." -ForegroundColor Green
}

# Mitigation Step: Disable WinRE (Use with caution - impacts recovery)
# Uncomment the line below to apply mitigation strictly if WinRE is not critical for ops
# reagentc /disable

Remediation

As of this publication (2026), there is no official patch for the ‘GreatXML’ vulnerability. Defensive teams must implement the following mitigations immediately:

  1. Secure the Recovery Partition: Ensure the ACLs on the Recovery Partition (and the directory C:\Windows\System32\Recovery) are strictly restricted. Remove write access for non-administrative users.
  2. Disable WinRE (Where Feasible): For high-security environments where recovery data is backed up via other methods (e.g., imaging solutions), consider disabling the Windows Recovery Environment using the command reagentc /disable. This stops the attack vector by preventing the system from entering the vulnerable recovery mode.
  3. Update Defender Platform: While the OS component (WinRE) is vulnerable, ensure the Microsoft Defender platform is updated to the latest version. In some cases, Defender heuristic updates can detect malicious XML patterns before parsing.
  4. Physical Security: Reinforce physical access controls. Since this attack often requires local access to trigger a reboot or place files, strict physical security prevents the initial stage of the attack.
  5. Monitor for Reboots: Configure alerts for unexpected system reboots or failures, as these may indicate an attacker attempting to force the system into Recovery Mode to exploit the vulnerability.
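Step 1 above is easy to state and easy to get wrong, so here is an added audit for it that is not part of the original post. It parses icacls output for the WinRE-accessible directory and reports any principal outside a trusted set that holds write-capable rights. The two icacls listings are constructed samples (not captured from a host); on a Windows machine, `audit_path()` runs icacls for real. The helper names, the trusted-principal set, and the choice of right tokens counted as "write" are this example's own assumptions.

```python
"""Added example, not from the Security Arsenal post: an ACL audit for the
Recovery directory based on icacls output. Sample listings are constructed."""
from __future__ import annotations

import re
import subprocess
import sys

# Principals expected to hold write access on the Recovery directory (assumption).
TRUSTED_PRINCIPALS = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "NT SERVICE\\TrustedInstaller",
    "CREATOR OWNER",  # inherit-only placeholder; the creator already had create rights
}
# icacls right tokens that allow creating, modifying or removing files, or
# rewriting the ACL / owner (simple rights and specific rights).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO"}

_ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")


def parse_icacls(output: str, path: str) -> list[tuple[str, list[str]]]:
    """Return (principal, [flag tokens]) for every ACE in an icacls listing."""
    aces: list[tuple[str, list[str]]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # the first line carries the path
        m = _ACE_RE.match(line)
        if not m:
            continue
        # flag groups look like (I)(OI)(CI)(F) or (OI)(CI)(RX,WD,AD)
        flags = [t.strip() for grp in re.findall(r"\(([^)]*)\)", m.group("flags"))
                 for t in grp.split(",")]
        aces.append((m.group("principal").strip(), flags))
    return aces


def find_untrusted_writers(output: str, path: str) -> list[str]:
    """Principals outside TRUSTED_PRINCIPALS that are granted write-capable rights."""
    offenders = []
    for principal, flags in parse_icacls(output, path):
        if "DENY" in flags:  # deny ACEs remove rights rather than grant them
            continue
        if principal in TRUSTED_PRINCIPALS:
            continue
        if WRITE_RIGHTS & set(flags):
            offenders.append(principal)
    return offenders


def audit_path(path: str = r"C:\Windows\System32\Recovery") -> list[str]:
    """On a Windows host, run icacls and return untrusted writers; empty elsewhere."""
    if sys.platform != "win32":
        return []
    proc = subprocess.run(["icacls", path], capture_output=True, text=True, check=False)
    return find_untrusted_writers(proc.stdout, path)


RECOVERY_DIR = r"C:\Windows\System32\Recovery"

# Constructed icacls output for a weakened directory: Users can modify,
# Everyone can write/append via specific rights.
WEAK_LISTING = (
    RECOVERY_DIR + " NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)\n"
    "                             BUILTIN\\Administrators:(I)(OI)(CI)(F)\n"
    "                             BUILTIN\\Users:(I)(OI)(CI)(M)\n"
    "                             Everyone:(OI)(CI)(RX,WD,AD)\n"
    "                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

# Constructed listing after remediation: non-administrators hold read/execute only.
HARDENED_LISTING = (
    RECOVERY_DIR + " NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)\n"
    "                             BUILTIN\\Administrators:(I)(OI)(CI)(F)\n"
    "                             BUILTIN\\Users:(I)(OI)(CI)(RX)\n"
    "                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

if __name__ == "__main__":
    for label, listing in (("weak", WEAK_LISTING), ("hardened", HARDENED_LISTING)):
        print(f"{label}: {find_untrusted_writers(listing, RECOVERY_DIR) or 'OK'}")
    if sys.platform == "win32":
        print(f"live audit of {RECOVERY_DIR}: {audit_path() or 'OK'}")
```

The weak listing reports `BUILTIN\Users` and `Everyone`; the hardened one reports nothing. Specific rights such as `WD` (write data) and `AD` (append data) are deliberately counted alongside the simple `M`/`W` grants, because a directory that looks read-only in the simple summary can still allow file creation through them. Re-run the audit after removing an offending grant (for example with `icacls <dir> /remove:g <principal>`) so the fix is verified rather than assumed.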
