Hasty Briefs (beta)

BlueHammer abuses Windows Defender's update process to gain SYSTEM access

6 hours ago
  • #Zero-Day Exploit
  • #Windows Security
  • #Privilege Escalation

  • BlueHammer is a zero-day exploit targeting Windows Defender, chaining five legitimate Windows components to achieve privilege escalation from low-privileged accounts to SYSTEM level.
  • The exploit was publicly disclosed by a researcher under the alias Chaotic Eclipse, with full source code on GitHub, after Microsoft allegedly broke an agreement.
  • BlueHammer requires a pending Defender signature update to trigger; it leverages Defender's update process, Volume Shadow Copy, Cloud Files API, opportunistic locks, and Defender's RPC interface.
  • It works by freezing Defender during a signature update, accessing the SAM database via a shadow copy, decrypting NTLM hashes, changing an admin password, and spawning a SYSTEM command prompt before restoring the original password hash.
  • Microsoft has only released a signature update that detects the original compiled binary, but the technique remains undetected; there is no patch or CVE, and the exploit is confirmed working on fully updated Windows 10 and 11.
  • Detection measures for BlueHammer include monitoring for VSS (shadow copy) enumeration by user-level processes, Cloud Files sync-root registration by unknown processes, and alerting on local administrator password changes or new service creation.
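The four indicators in the last bullet translate into fairly simple detection logic. The following Python is an added example, not code from the brief, from Microsoft, or from the exploit's author: it scores a constructed, in-memory list of Windows events against each indicator and then correlates the shadow-copy enumeration with the admin password reset on the same host. The flat event-dict shape, the SyncRootManager registry path used for the sync-root check, the OneDrive allow-list, and the sample events are all assumptions or constructed data; the Windows event IDs in the comments are real.

```python
"""Detection logic for the BlueHammer indicators listed in the brief.

Added example; not code from the brief or from the exploit's author.
Events are a constructed, simplified dict shape (an assumption; a real
pipeline would normalise Security/System/Sysmon records into something
similar) with Unix-second timestamps.
"""
from collections import defaultdict
from dataclasses import dataclass

# Real Windows event IDs referenced below:
#   Security 4724 - an attempt was made to reset an account's password
#   Security 4697 - a service was installed (Security log)
#   System   7045 - a service was installed (System log)
#   Sysmon   1    - process creation (carries IntegrityLevel)
#   Sysmon   13   - registry value set
BUILTIN_ADMIN_RID = "-500"           # RID 500 is the built-in Administrator
USER_INTEGRITY = {"Low", "Medium"}   # not High/System: a low-privileged context
# Assumption: Cloud Files sync roots are registered under this Explorer key.
SYNC_ROOT_KEY = r"\CurrentVersion\Explorer\SyncRootManager"
# Constructed allow-list of processes expected to register sync roots; tune locally.
KNOWN_SYNC_CLIENTS = {"onedrive.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    ts: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Alert per event that matches a BlueHammer indicator."""
    alerts = []
    for e in events:
        src, eid, host, ts = e["source"], e["event_id"], e["host"], e["ts"]
        image = _basename(e.get("image", ""))
        if src == "Sysmon" and eid == 1:
            cmd = e.get("command_line", "").lower()
            # Shadow-copy enumeration from a user-integrity process. This only
            # catches the vssadmin path; COM-based enumeration needs another sensor.
            if (image == "vssadmin.exe" and "list shadows" in cmd
                    and e.get("integrity") in USER_INTEGRITY):
                alerts.append(Alert("vss_enum_user_context", host, ts, cmd))
        elif src == "Sysmon" and eid == 13:
            target = e.get("target_object", "")
            # Sync-root registration by anything outside the allow-list.
            if SYNC_ROOT_KEY.lower() in target.lower() and image not in KNOWN_SYNC_CLIENTS:
                alerts.append(Alert("sync_root_unknown_process", host, ts, f"{image} -> {target}"))
        elif src == "Security" and eid == 4724:
            # Password reset aimed at the built-in local Administrator.
            if e.get("target_sid", "").endswith(BUILTIN_ADMIN_RID):
                alerts.append(Alert("local_admin_password_reset", host, ts, e.get("target_user", "")))
        elif (src, eid) in {("System", 7045), ("Security", 4697)}:
            alerts.append(Alert("service_created", host, ts, e.get("service_name", "")))
    return alerts


CHAIN = ("vss_enum_user_context", "local_admin_password_reset")


def correlate(alerts, window=600):
    """Raise a chain alert when shadow-copy enumeration is followed by an
    admin password reset on the same host within `window` seconds."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    chains = []
    for host, hits in by_host.items():
        first = [a.ts for a in hits if a.rule == CHAIN[0]]
        second = [a.ts for a in hits if a.rule == CHAIN[1]]
        if any(0 <= t2 - t1 <= window for t1 in first for t2 in second):
            chains.append(Alert("bluehammer_like_chain", host, max(second), "+".join(CHAIN)))
    return chains


# Constructed sample telemetry from one workstation, not real logs.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 1, "host": "WS01", "ts": 1000,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows", "integrity": "Medium"},
    {"source": "Sysmon", "event_id": 13, "host": "WS01", "ts": 1010,
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager\Example!S-1-5-21-1!Root"},
    {"source": "Sysmon", "event_id": 13, "host": "WS01", "ts": 1011,
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager\OneDrive!S-1-5-21-1!Business1"},
    {"source": "Security", "event_id": 4724, "host": "WS01", "ts": 1200,
     "target_user": "Administrator", "target_sid": "S-1-5-21-1-2-3-500"},
    {"source": "System", "event_id": 7045, "host": "WS01", "ts": 1205,
     "service_name": "svc_tmp"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits + correlate(hits):
        print(a)
```

Each single-event rule is noisy on its own (backup agents enumerate shadow copies, legitimate sync clients register roots, help desks reset passwords), which is why the correlation step exists: the brief's point is the combination of user-context shadow-copy access and a local admin credential change in a short window, and that pairing is what should page someone.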