HeadlinesBriefing favicon HeadlinesBriefing.com

BlueHammer Zero-Day: Windows Defender Exploit Grants SYSTEM Access

Hacker News •
×

A zero-day exploit called BlueHammer has been publicly released on GitHub, allowing attackers to gain SYSTEM-level access on Windows 10 and 11 machines through Windows Defender's update process. The vulnerability chains together five legitimate Windows components - Windows Defender, Volume Shadow Copy Service, Cloud Files API, opportunistic locks, and Defender's RPC interface - without requiring traditional memory corruption or kernel exploits.

Published under the alias Chaotic Eclipse after a dispute with Microsoft's Security Response Center, the exploit requires a pending Defender signature update to function. The attack works by creating a shadow copy during Defender's definition update, registering as a Cloud Files sync provider, and using opportunistic locks to freeze Defender while extracting password hashes from the SAM database. The entire chain executes in under a minute from a standard user session.

Microsoft has only released a detection signature for the specific compiled binary, which does not address the underlying technique. Security researchers confirm the exploit works on fully patched systems, and the GitHub repository has already garnered significant attention with over 100 forks. Organizations should monitor for suspicious Volume Shadow Copy access, Cloud Files registration, and rapid password changes on administrator accounts while awaiting an official patch.