FW-EVIL-MAIDInitial Access

Evil Maid Boot Tamper

Brief physical access lets an attacker modify the bootloader / EFI partition / BitLocker decryption ceremony to capture passphrase or implant.

§ Where this technique fits

FW-EVIL-MAID is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 1 on average.

§ Dossiers chaining this technique

Evil maid → sniff TPM unseal → decrypt BitLocker offline
Brief physical access to a TPM-only BitLocker laptop. Plug a logic analyser onto the LPC / SPI bus; capture the FVEK as the TPM unseals it at boot. Take the disk home, decrypt offline.
step 1 / 6

§ What commonly comes next

01
UART Debug Console
IOT-UART-CONSOLE · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Evil maid → sniff TPM unseal → decrypt BitLocker offline

§ What commonly comes next