Evandrel's Homepage

https://www.pcl2.top

How a Windows Defender Zero-Day Let Attackers Escalate to SYSTEM

This post is for educational and research purposes only. Do not attempt to reproduce or run this exploit on any production, personal, or unauthorized systems. Doing so may violate laws and expose you to legal risks. The vulnerability is patched. always keep your Defender and Windows updated. I strongly recommend running experiments only in isolated virtual machines with proper snapshots. Stay ethical and responsible.

BlueHammer (CVE-2026-33825) is a beautiful and scary example of how legitimate Windows features can be chained together for Local Privilege Escalation from a standard user all the way to NT AUTHORITY\SYSTEM.

The Story

On April 3, 2026, a researcher known as Chaotic Eclipse publicly released a working PoC after growing frustrated with Microsoft’s coordinated disclosure process. No CVE at first and no patch. It is a true zero-day with full exploit code.

Microsoft eventually assigned CVE-2026-33825 and fixed it in the April 2026 Patch Tuesday via a Defender Antimalware Platform update for version 4.18.26050.3011 or newer.

The exploit was quickly used in the wild, and the community even improved the original PoC.

How it works

This isn’t a memory corruption or kernel exploit. It’s a TOCTOU race condition combined with clever abuse of trusted Windows components such as

  • VSS
  • oplocks
  • cloud files API
  • NTFS Junctions
  • Defender remediation pipeline

Detailed step-by-step flow based on public analyses of the PoC

  1. The exploit queries the Windows Update Agent COM interfaces to check for a pending Microsoft Defender Antivirus definition update. This is a prerequisite cuz the vulnerable remediation workflow only triggers reliably during signature updates
  2. Trigger Defender Remediation and VSS Snapshot
    • Drop a detectable test file (EICAR-like string in foo.exe or similar) in a temporary directory to force real time protection scanning
      Place a batch oplock on RstrtMgr.dll which is a DLL Defender accesses during remediation
    • When Defender touches the file, the oplock breaks, signaling activity
    • A background thread polls \\Device via NtQueryDirectoryObject to detect the new HarddiskVolumeShadowCopy* device created by VSS
  3. Register Cloud Files Sync Root
    • Register the current directory as a Cloud Files sync root using CfRegisterSyncRoot and CfConnectSyncRoot
    • Drop a placeholder .lock file. When Defender enumerates the directory and accesses it, the CF_CALLBACK_TYPE_FETCH_PLACEHOLDERS callback fires.
    • The callback checks the caller PID to confirm it’s the WinDefend / MsMpEng.exe (SYSTEM) process.
    • Immediately acquire a second batch oplock on the .lock file and hold it. Defender blocks on GetOverlappedResult, stalling the process while the VSS snapshot remains mounted.
  4. Path Redirection
    • With Defender paused, manipulate the filesystem
      • Set an oplock on a key update file like mpasbase.vdm in the temporary update directory.
      • When triggered, rename/move the update directory.
      • Recreate the directory as an NTFS junction pointing to a controlled location
      • Create an Object Manager symbolic link inside it pointing to the VSS snapshot path of the protected registry hive
    • this creates TOCTOU.
  5. Privileged Read
    • Defender resumes its operation and running as SYSTEM, reads the SAM database from the VSS snapshot. The exploit receives the contents
  6. Credential Extraction
    • Reconstruct the boot key from the SYSTEM hive.
    • Decrypt LSA secrets and extract NTLM hashes from the SAM hive.
    • Use SamiChangePasswordUser to change the local Administrator password temporarily.
    • Log on with the new credentials, duplicate the token, elevate integrity to SYSTEM.
    • Create a temporary Windows service to spawn a cmd.exe running as NT AUTHORITY\SYSTEM.
    • Restore the original password to clean up traces.

The entire chain relies on precise timing and native Windows features.

Actions that you must take immediately

  1. Update Microsoft Defender Antimalware Platform to version 4.18.26050.3011 or higher.
  2. Enable ASR rules. official Microsoft ASR documentation
  3. Use standard user accounts for daily work and isolate test machines.

Update your system NOW if you haven’t.

If you attempt to run the publicly available proof-of-concept code on a fully updated system , the exploit will fail to achieve privilege escalation.

As shown below, instead of spawning an escalated shell, the payload will simply hang in an infinite loop because the underlying race condition has been neutralized:

Further Research

Cyderes: BlueHammer Vulnerability Deep-Dive

Vectra AI: When the Defender Becomes the Door
MSRC: CVE-2026-33825 Security Advisory

The End

www.pcl2.top

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *