Chaotic Eclipse (also known as Nightmare Eclipse) released RoguePlanet, a Windows local privilege escalation proof of concept that abuses a TOCTOU race in Windows Defender's threat remediation to plant code as System32\wermgr.exe and have it executed as SYSTEM through Windows Error Reporting. The article also outlines related detections in Sysmon and Guardsix SIEM: staging under %TEMP%, activity on the \\.\pipe\RoguePlanet named pipe, and suspicious wermgr.exe-to-conhost.exe process chains running as SYSTEM. #RoguePlanet #ChaoticEclipse #NightmareEclipse #WindowsDefender #wermgr.exe #WindowsErrorReporting
Keypoints
- RoguePlanet is a Windows local privilege escalation exploit that elevates a standard user to NT AUTHORITY\SYSTEM.
- The exploit abuses a TOCTOU race in Windows Defender’s threat-remediation flow.
- NTFS junctions and opportunistic locks (oplocks) are used to win the race reliably and to redirect Defender's privileged file write to a location the attacker chooses.
- The exploit stages an ISO embedded in its own binary and a bait file named wermgr.exe, whose contents are the EICAR test string, under %TEMP%\RP_ (path truncated in the source).
- Defender is triggered through undocumented MpClient.dll RPC client functions to scan and "clean" the bait file; that remediation write is the privileged primitive being abused.
- The planted payload is later executed as SYSTEM through the Windows Error Reporting QueueReporting scheduled task.
- Detection guidance focuses on Sysmon file creation, named pipe activity, and suspicious SYSTEM execution chains involving wermgr.exe and conhost.exe.
MITRE Techniques
- [T1068] Exploitation for Privilege Escalation – RoguePlanet gains SYSTEM privileges by abusing a TOCTOU flaw in Defender's remediation flow ('Windows local privilege escalation exploit (standard user → NT AUTHORITY\SYSTEM)').
- [T1106] Native API – The exploit loads MpClient.dll and resolves Defender's undocumented RPC client functions to drive remediation, and calls OpenVirtualDisk / AttachVirtualDisk and file-system control functions directly to mount the embedded ISO read-only and set up the junction and oplock ('RoguePlanet loads MpClient.dll and resolves Defender's undocumented RPC client functions'; 'OpenVirtualDisk / AttachVirtualDisk mounts it read-only').
- [T1036.005] Masquerading: Match Legitimate Name or Location – The bait file is named wermgr.exe so that the redirected remediation write lands on the path of the legitimate Windows Error Reporting binary ('The file is named after the real System32\wermgr.exe').
- [T1574] Hijack Execution Flow – The planted System32\wermgr.exe runs in place of the legitimate binary when Windows Error Reporting next launches it.
- [T1053.005] Scheduled Task/Job: Scheduled Task – The built-in QueueReporting task is used to launch the planted binary as SYSTEM ('runs the built-in scheduled task \Microsoft\Windows\Windows Error Reporting\QueueReporting, which executes wermgr.exe as NT AUTHORITY\SYSTEM').
- [T1559] Inter-Process Communication – A named pipe is the callback channel between the SYSTEM payload and the attacker-controlled, unprivileged process ('creates a named pipe, \\.\pipe\RoguePlanet').
- [T1070.004] Indicator Removal: File Deletion – After the swap the exploit removes the reparse point it created on the junction, cleaning up the redirection ('deletes the reparse point on the System32 junction').
Indicators of Compromise
- [File names] Planted binary and the child it should never spawn – wermgr.exe (planted under System32), conhost.exe (as a child of a SYSTEM wermgr.exe; conhost.exe itself is a legitimate Windows binary)
- [Named pipe] SYSTEM callback channel and detection target – \\.\pipe\RoguePlanet
- [File paths] Temp staging directory and planted target – C:\Users\…\AppData\Local\Temp\RP_ (directory name truncated in the source), C:\Windows\System32\wermgr.exe
- [Alternate data stream] Stream on the bait file used during staging – :WDFOO
- [Scheduled task path] WER task used to launch the payload as SYSTEM – \Microsoft\Windows\Windows Error Reporting\QueueReporting
- [File content marker] Antivirus trigger used as bait – EICAR test string
- [System objects] Shadow-copy enumeration targets – HarddiskVolumeShadowCopy*
- [Volume path] Redirected privileged target during the junction swap – C:\Windows
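The three detections named in the keypoints (staging under %TEMP%\RP_, the RoguePlanet named pipe, and a SYSTEM wermgr.exe spawning conhost.exe) map directly onto Sysmon events 11, 17/18 and 1. The following is an added example, not code from the article or from the RoguePlanet author: a small Python matcher run over constructed Sysmon-style events. Field names (Image, TargetFilename, PipeName, ParentImage, User) follow Sysmon's event schema; the sample events, user name and RP_ suffix are made up for illustration. Note that a SYSTEM wermgr.exe launched by svchost.exe is what the real QueueReporting task looks like, so the example deliberately does not alert on that alone.

```python
import re

# Constructed sample events modelled on Sysmon Event IDs 1 (ProcessCreate),
# 11 (FileCreate), 17 (PipeCreated) and 18 (PipeConnected). Not real telemetry.
SAMPLE_EVENTS = [
    # Bait file dropped under %TEMP%\RP_<suffix> by the unprivileged exploit process.
    {"EventID": 11,
     "Image": r"C:\Users\alice\Downloads\rp.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\RP_7f3c\wermgr.exe"},
    # Callback pipe created by the exploit process before Defender is triggered.
    {"EventID": 17,
     "Image": r"C:\Users\alice\Downloads\rp.exe",
     "PipeName": r"\RoguePlanet"},
    # QueueReporting launches wermgr.exe as SYSTEM: indistinguishable from normal
    # WER activity on its own, so no rule fires here.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\wermgr.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # The planted wermgr.exe spawns a console host as SYSTEM: the real WER
    # manager is a GUI-subsystem binary and does not do this.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\wermgr.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # The SYSTEM payload connects back to the attacker's pipe.
    {"EventID": 18,
     "Image": r"C:\Windows\System32\wermgr.exe",
     "PipeName": r"\RoguePlanet"},
    # Benign noise: an editor writing an unrelated temp file.
    {"EventID": 11,
     "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notes.tmp"},
]

# %TEMP%\RP_<anything>\wermgr.exe, case-insensitive (Windows paths are).
STAGING_RE = re.compile(r"\\Temp\\RP_[^\\]*\\wermgr\.exe$", re.IGNORECASE)


def _basename(path):
    """Last path component, lower-cased, for case-insensitive image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def is_staging_write(ev):
    """Sysmon 11: wermgr.exe created inside an RP_ directory under Temp."""
    return ev.get("EventID") == 11 and bool(STAGING_RE.search(ev.get("TargetFilename", "")))


def is_rogueplanet_pipe(ev):
    """Sysmon 17/18: the RoguePlanet pipe created or connected to.

    Sysmon reports PipeName relative to \\Device\\NamedPipe (e.g. \\RoguePlanet),
    so the leading backslash is stripped before comparing."""
    if ev.get("EventID") not in (17, 18):
        return False
    return ev.get("PipeName", "").lstrip("\\").lower() == "rogueplanet"


def is_wermgr_conhost_chain(ev):
    """Sysmon 1: conhost.exe whose parent is wermgr.exe, running as SYSTEM."""
    return (ev.get("EventID") == 1
            and _basename(ev.get("ParentImage", "")) == "wermgr.exe"
            and _basename(ev.get("Image", "")) == "conhost.exe"
            and ev.get("User", "").upper() == r"NT AUTHORITY\SYSTEM")


RULES = [
    ("rogueplanet_staging", is_staging_write),
    ("rogueplanet_pipe", is_rogueplanet_pipe),
    ("wermgr_conhost_chain", is_wermgr_conhost_chain),
]


def detect(events):
    """Return one alert dict per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        for name, predicate in RULES:
            if predicate(ev):
                alerts.append({"rule": name, "EventID": ev["EventID"], "Image": ev.get("Image")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The pipe rule is the highest-confidence signal, since the pipe name is hard-coded in the proof of concept; the staging and process-chain rules are the ones worth keeping if the tool is recompiled with a different pipe name, and the conhost.exe chain in particular survives a renamed staging directory.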