RoguePlanet and GreatXML: Detecting Local Privilege Escalation and BitLocker Security Boundary Abuse

LevelBlue SpiderLabs analyzed RoguePlanet, a multi-stage Windows exploit chain that abuses Microsoft Defender, NTFS reparse points, VSS, and Windows Error Reporting to achieve SYSTEM execution on fully patched Windows systems. The article also covers GreatXML, which abuses WinRE answer-file processing and offline-scan state to access BitLocker-protected data through the recovery partition. #RoguePlanet #GreatXML #MicrosoftDefender #BitLocker #WinRE #wermgr.exe #ReAgent.xml

Keypoints

  • RoguePlanet is a local privilege escalation technique that can turn a standard user into SYSTEM on patched Windows 10 and Windows 11 systems.
  • The exploit chain abuses legitimate Windows components, including Microsoft Defender, NTFS reparse points, opportunistic locks, Windows Error Reporting, and shadow copy behavior.
  • A highly reliable detection clue is the creation of a fake System32 directory under %TEMP% and the deterministic wermgr.exe:WDFOO alternate data stream.
  • Telemetry can also reveal abnormal file churn, raw device path usage, mount point activity, and SYSTEM processes operating on attacker-controlled temporary paths.
  • GreatXML does not provide initial access; instead, it abuses WinRE processing of unattend.xml to access BitLocker-protected volumes during an offline-scan boot state.
  • The most important GreatXML detection point is the planting of files on the recovery partition, since later trigger stages occur outside normal Windows telemetry context.
  • The research emphasizes behavioral correlation over signature matching because the techniques rely on trusted components and survive recompilation.

MITRE Techniques

  • [T1546.012] Event Triggered Execution: Image File Execution Options Injection – The chain abuses Windows Error Reporting and scheduled-task-driven execution to launch attacker-controlled code under SYSTEM (‘trigger the QueueReporting scheduled task… The task executes wermgr.exe… and spawns a shell’).
  • [T1098] Account Manipulation – GreatXML uses an answer file and recovery-partition changes to persistently alter system recovery behavior (‘persistent, hidden modification’ and ‘write unattend.xml + \Recovery\WindowsRE to recovery partition’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – RoguePlanet triggers the Windows Error Reporting QueueReporting scheduled task to execute its payload (‘The Windows Task Scheduler COM interface is used to trigger the QueueReporting scheduled task’).
  • [T1027] Obfuscated Files or Information – The exploit hides malicious behavior inside legitimate-looking system binaries and directories, including a fake System32 path and reused wermgr.exe naming (‘structurally identical to… C:\Windows\System32\wermgr.exe’).
  • [T1036] Masquerading – The payload is made to resemble a trusted Windows binary and path to mislead defenders (‘wermgr.exe… resides in %TEMP%… structurally identical to the legitimate system binary’).
  • [T1091] Replication Through Removable Media – The malicious ISO is mounted as part of the exploit workflow, introducing external media-style execution context (‘mounts an embedded ISO image’).
  • [T1543] Create or Modify System Process – The chain abuses trusted system services and remediation workflows to run attacker content as SYSTEM (‘cause a SYSTEM-level scheduled task to execute an attacker-controlled binary’).
  • [T1112] Modify Registry – GreatXML relies on WinRE and offline-scan state handling tied to system configuration changes (‘the offline-scan boot state changes that processing context’).
  • [T1003] OS Credential Dumping – Not evidenced: the article mentions a SYSTEM shell and LSASS-related noise only incidentally and describes no credential dumping, so this technique is not supported and should be treated as absent.
  • [T1211] Exploitation for Defense Evasion – RoguePlanet manipulates Defender’s own workflow to alter remediation behavior (‘actively manipulating Defender’s workflow’).
  • [T1055] Process Injection – Not described in the article; no confirmed process injection behavior is present, so this technique is not supported.
  • [T1021] Remote Services – The article mentions remote access revocation and physical/console trigger paths, but not remote-service abuse; no direct evidence supports this technique.
  • [T1218] System Binary Proxy Execution – The exploit uses trusted Windows binaries and workflows such as wermgr.exe and conhost.exe to execute attacker-controlled content (‘launches a console shell… with SYSTEM privileges’).
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – GreatXML places files on a hidden recovery partition and RoguePlanet uses hidden temp-based structures (‘hidden partition’ and ‘fake System32 in user-writable path’).
  • [T1070.004] File Deletion – RoguePlanet performs rapid create/modify/rename/delete cycles across temporary directories (‘high-frequency file churn… create, modify, rename, and delete cycles’).
  • [T1074.001] Local Data Staging – GreatXML stages files on the recovery partition for later use (‘the artifacts… survive credential rotation’).
  • [T1106] Native API – RoguePlanet uses low-level Windows APIs like NtSetInformationFile and NT file APIs (‘using low-level NT file APIs’ and ‘NtSetInformationFile with FileRenameInformationEx’).
  • [T1021.006] Windows Remote Management – Not mentioned in the article; no evidence supports this technique.
  • [T1548] Abuse Elevation Control Mechanism – RoguePlanet achieves privilege escalation by abusing trusted system behavior rather than kernel exploitation (‘standard user to obtain SYSTEM-level execution’).

Indicators of Compromise

  • [File path] RoguePlanet staging artifacts – %TEMP%\RP_System32\wermgr.exe, %TEMP%\RP_System32\wermgr.exe:WDFOO
  • [Directory path] Fake system directories – %TEMP%\RP_System32, %TEMP%\RP_wdtest_temp
  • [Named pipe] Optional inter-process channel – \\.\pipe\RoguePlanet
  • [Filesystem/VSS object] Shadow copy discovery – HarddiskVolumeShadowCopy*, \Device\CDROMX
  • [Scheduled task] Execution trigger – \Microsoft\Windows\Windows Error Reporting\QueueReporting
  • [File name] Malicious recovery and WinRE files – unattend.xml, ReAgent.xml
  • [Directory / partition] Recovery partition tampering – \Recovery\WindowsRE, WindowsRE created or modified on the recovery partition
  • [Process name] System binaries involved in the chain – wermgr.exe, WerFault.exe, MsMpEng.exe, conhost.exe
  • [Commanding artifact] Low-level file operations – repeated 4,096-byte writes, UUID-named temp files, and high-frequency file churn
  • [Mount/device reference] Raw device path activity – \Device\* references and mounted ISO device paths
  • [Tooling artifact] Proof-of-concept names – RoguePlanet.exe, Schneegans unattend-generator
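As an added example (not code from the LevelBlue article or from the RoguePlanet proof of concept), the Python below turns the detection clues in the Keypoints and the indicators listed above into a small correlation pass over Sysmon-style file and process events: the fake System32 under %TEMP%, the wermgr.exe:WDFOO stream, a SYSTEM process whose image lives in a user temp directory, answer files planted on the recovery partition, and bursty file churn. The event field names, the churn threshold, and the sample records are assumptions constructed for the demonstration.

```python
import re
from collections import Counter
# Indicators from the article as path patterns; Sysmon-style field names are assumed.
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
RP_PATH_RE = re.compile(r"\\RP_(System32|wdtest_temp)(\\|$)", re.I)
ADS_RE = re.compile(r"wermgr\.exe:WDFOO$", re.I)
RECOVERY_RE = re.compile(r"\\Recovery\\WindowsRE\\(unattend|ReAgent)\.xml$", re.I)
CHURN_THRESHOLD = 50  # file ops per directory per second; assumed tuning value

def classify(ev):
    """Return detection labels for one event; empty list means nothing matched."""
    hits, target = [], ev.get("TargetFilename", "")
    if ADS_RE.search(target):          # deterministic wermgr.exe:WDFOO stream
        hits.append("rogueplanet_ads")
    if RP_PATH_RE.search(target):      # fake System32 / wdtest_temp under %TEMP%
        hits.append("rp_staging_dir_in_temp")
    if RECOVERY_RE.search(target):     # unattend.xml / ReAgent.xml planted on recovery partition
        hits.append("greatxml_recovery_partition_write")
    if (ev.get("EventType") == "ProcessCreate" and ev.get("User") == "NT AUTHORITY\\SYSTEM"
            and TEMP_RE.search(ev.get("Image", ""))):   # SYSTEM image in a user temp dir
        hits.append("system_process_from_user_temp")
    return hits

def churn_alerts(events):
    """(directory, second) buckets whose temp-dir create/rename/delete count exceeds the threshold."""
    buckets = Counter()
    for ev in events:
        t = ev.get("TargetFilename", "")
        if ev.get("EventType") in ("FileCreate", "FileRename", "FileDelete") and TEMP_RE.search(t):
            buckets[(t.rsplit("\\", 1)[0].lower(), ev["Time"])] += 1
    return [k for k, n in buckets.items() if n > CHURN_THRESHOLD]

def run(events):
    """Per-label detection counts plus churn buckets for a list of events."""
    return {"labels": dict(Counter(h for ev in events for h in classify(ev))),
            "churn": churn_alerts(events)}

# Constructed telemetry (not real logs): staging, SYSTEM launch, recovery write, benign start, churn.
T = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "Time": 100, "User": "DESKTOP\\alice",
     "TargetFilename": T + "RP_System32\\wermgr.exe:WDFOO"},
    {"EventType": "ProcessCreate", "Time": 101, "User": "NT AUTHORITY\\SYSTEM",
     "Image": T + "RP_System32\\wermgr.exe"},
    {"EventType": "FileCreate", "Time": 102, "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": "R:\\Recovery\\WindowsRE\\unattend.xml"},
    {"EventType": "ProcessCreate", "Time": 103, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\wermgr.exe"},
] + [{"EventType": "FileCreate", "Time": 104, "User": "DESKTOP\\alice",
      "TargetFilename": T + f"RP_wdtest_temp\\{i:032x}"} for i in range(60)]
```

The legitimate wermgr.exe start from C:\Windows\System32 yields no label, which is the point of keying on the user-writable path rather than on the binary name.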

Read more: https://www.levelblue.com/blogs/spiderlabs-blog/rogueplanet-and-greatxml-detecting-local-privilege-escalation-and-bitlocker-security-boundary-abuse