
BlueHammer: Windows Defender 0‑Day Exploit

  • Writer: Security Team
  • 22 hours ago
  • 3 min read

The ICS Labs CTI identified the disclosure of BlueHammer, a sophisticated exploit chain that abuses legitimate Windows components, particularly the Microsoft Defender update workflow, to achieve privilege escalation to SYSTEM and extraction of sensitive credentials. The attack combines living-off-the-land techniques, filesystem manipulation, and Volume Shadow Copy Service (VSS) snapshots, making detection more challenging. The exploit was discovered and publicly disclosed by a security researcher dissatisfied with Microsoft's vulnerability management process. As of this writing, there is no patch addressing the flaws abused by this exploitation chain.

 

Execution Chain

The attack begins by monitoring Windows Update and waiting for a legitimate Defender update to operate within a trusted context. Once available, the update package is downloaded and manually extracted, allowing the attacker to manipulate its contents.

Next, the exploit forces Defender activity using an EICAR string and triggers the creation of a VSS snapshot, enabling access to protected files. In parallel, it performs RPC calls to Defender’s internal service (MpService), redirecting the update process to an attacker-controlled directory.

The exploitation culminates in the use of NTFS junctions and symbolic links, causing Defender to access files other than those it expects, which characterizes a confused deputy attack. As a result, the SAM file is read from the snapshot, allowing the extraction of NTLM hashes.

Finally, the hashes are used in Pass-the-Hash techniques for authentication and lateral movement, culminating in code execution with SYSTEM privileges.

 

Impact

  • Local privilege escalation to SYSTEM

  • Extraction of NTLM hashes

  • Potential for lateral movement

  • Full compromise of the affected host

  • Risk of domain compromise

 

Relationship with NTLM and Kerberos

Environments that use Kerberos are not automatically protected against this attack. Although Kerberos is more secure, NTLM often remains enabled as a fallback mechanism, allowing techniques such as Pass-the-Hash to remain viable.

If NTLM is enabled, an attacker can authenticate directly using NTLM hashes without needing the plaintext password. Even in Kerberos-dominant environments, there is still a risk of escalation to attacks such as Pass-the-Ticket if higher-privilege credentials are compromised.

 

Behavioral IoCs

  • Unusual creation of VSS snapshots outside standard routines

  • Access to the SAM file via indirect paths or shadow copies

  • Creation and manipulation of NTFS junctions and symlinks in temporary directories

  • Execution of unusual RPC calls to the MpService

  • Defender activity outside normal patterns during update processes

  • Presence of update artifacts manually extracted into temporary directories

 

Recommendations for Security Teams

Mitigation recommendations for this type of threat should follow a defense-in-depth approach, combining hardening, monitoring, and behavioral detection. The attack surface should be reduced by applying the principle of least privilege, ensuring users and services do not operate with excessive permissions, and by enabling credential protection mechanisms such as Credential Guard and LSASS protection.

Another critical point is reducing reliance on the NTLM protocol. Whenever possible, NTLM should be disabled or heavily restricted, as techniques like Pass-the-Hash depend directly on it for authentication. In environments where NTLM is still required, it is essential to monitor and audit its usage, identifying suspicious or anomalous authentications.
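The audit this paragraph calls for, and the reason the Kerberos section gives for it, can be checked against the Security log: event 4624 records which authentication package each successful logon used. The following Python script is an added example, not ICS Labs' tooling. It reads a constructed batch of 4624 events flattened to JSON lines (AuthenticationPackageName, LogonType, TargetUserName and IpAddress are the Security log's own EventData names; the host column, timestamps and the thresholds are assumptions), reports the NTLM share of network logons, and flags accounts that authenticate with NTLM to several hosts from a single source within a short window, the fan-out that Pass-the-Hash lateral movement produces.

```python
"""Triage Windows Security 4624 events for NTLM reliance and Pass-the-Hash style fan-out.

Added example with constructed data; field names follow the Security log's EventData
(AuthenticationPackageName, LogonType, TargetUserName, IpAddress). The "host" column is
the computer that recorded the event and is an assumption of this flattened format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: svc_backup authenticates with NTLM from 10.0.0.42 to four hosts in
# under four minutes; alice uses Kerberos; an earlier svc_backup NTLM logon is isolated.
SAMPLE_4624 = """
{"ts":"2025-11-02T09:10:00Z","host":"FS-01","TargetUserName":"svc_backup","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.0.0.42"}
{"ts":"2025-11-02T09:11:30Z","host":"FS-02","TargetUserName":"svc_backup","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.0.0.42"}
{"ts":"2025-11-02T09:12:05Z","host":"SQL-01","TargetUserName":"svc_backup","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.0.0.42"}
{"ts":"2025-11-02T09:13:40Z","host":"DC-01","TargetUserName":"svc_backup","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.0.0.42"}
{"ts":"2025-11-02T09:05:00Z","host":"FS-01","TargetUserName":"alice","LogonType":3,"AuthenticationPackageName":"Kerberos","IpAddress":"10.0.0.17"}
{"ts":"2025-11-02T09:06:00Z","host":"FS-02","TargetUserName":"alice","LogonType":3,"AuthenticationPackageName":"Kerberos","IpAddress":"10.0.0.17"}
{"ts":"2025-11-02T08:50:00Z","host":"WS-042","TargetUserName":"bob","LogonType":2,"AuthenticationPackageName":"Negotiate","IpAddress":"-"}
{"ts":"2025-11-02T07:00:00Z","host":"FS-01","TargetUserName":"svc_backup","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.0.0.9"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def ntlm_share(events):
    """Fraction of network logons (LogonType 3) that used NTLM rather than Kerberos."""
    network = [e for e in events if e["LogonType"] == 3]
    ntlm = [e for e in network if e["AuthenticationPackageName"] == "NTLM"]
    return len(ntlm) / len(network) if network else 0.0


def ntlm_fanout(events, window=timedelta(minutes=10), min_targets=3):
    """Accounts that used NTLM to reach >= min_targets distinct hosts from one source within window.

    The window and threshold are assumed starting points; tune them to the environment.
    """
    by_source = defaultdict(list)  # (account, source ip) -> [(ts, target host)]
    for e in events:
        if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM":
            by_source[(e["TargetUserName"], e["IpAddress"])].append((e["ts"], e["host"]))
    findings = []
    for (account, source), hits in by_source.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {host for ts, host in hits[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                findings.append({"account": account, "source": source,
                                 "targets": sorted(targets), "first_seen": t0.isoformat()})
                break  # one finding per account/source pair is enough for triage
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_4624)
    print(f"NTLM share of network logons: {ntlm_share(evs):.0%}")
    for f in ntlm_fanout(evs):
        print("NTLM fan-out:", f)
```

The share gives the inventory the paragraph asks for before NTLM is restricted; the fan-out check is the hunting query. On real systems the "Network security: Restrict NTLM: Audit ..." group policies populate the Microsoft-Windows-NTLM/Operational log and are the usual feed for this inventory before the corresponding Restrict settings are enforced.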

From a visibility standpoint, continuous monitoring of activities related to VSS is essential, especially the creation of snapshots outside known administrative routines. Access to sensitive files such as SAM, SYSTEM, and SECURITY should be strictly audited, with alerts generated for indirect reads or access by untrusted processes. Likewise, the creation and manipulation of NTFS junctions and symbolic links, particularly in temporary directories, should be closely monitored, as these structures can be abused for malicious path redirection.

Additionally, unusual calls to internal system services, such as Defender's MpService via RPC, should be treated as potential indicators of compromise when they originate from unexpected processes. The adoption of EDR or XDR solutions with behavioral analytics capabilities is critical in this scenario, as they enable correlation of seemingly legitimate events, such as VSS creation, symlink manipulation, and access to sensitive files.

Finally, the implementation of continuous threat hunting practices is recommended to identify patterns associated with this type of attack, such as manual extraction of update artifacts, anomalous Defender behavior, and indirect access to the SAM via shadow copies. The combination of these measures significantly enhances prevention, detection, and response capabilities against sophisticated threats like this one.

 

ICS Labs

Your best defense strategy

© 2026 ICS - Inorpel CyberSecurity