Local Privilege Escalation to Update Blocking: BlueHammer, RedSun, and UnDefend

On 26 Mar 2026 a researcher released BlueHammer, a local privilege-escalation PoC that abuses a TOCTOU race in Microsoft Defender's update handling (tracked as CVE-2026-33825). Two follow-on PoCs, RedSun and UnDefend, demonstrated a further escalation path and a technique for disrupting Defender updates. Huntress Labs warned that threat actors are attempting to operationalize these tools, and Microsoft patched the core BlueHammer flaw in the April 14, 2026 Patch Tuesday updates.

Keypoints

  • BlueHammer is a PoC exploit that uses a TOCTOU race against Microsoft Defender update processing to obtain a handle to a protected SAM hive from a Volume Shadow Copy and extract NT hashes for credential-focused post-exploitation.
  • RedSun is a separate PoC that leverages Defender's handling of cloud-tagged files, mount-point reparse redirection, and path manipulation to overwrite C:\Windows\System32\TieringEngineService.exe and achieve SYSTEM-level execution.
  • UnDefend is a tool designed to lock or block Defender signature and platform updates, degrading protection and potentially preventing Defender from learning about new threats.
  • BlueHammer is linked to CVE-2026-33825 (CVSS 7.8, High) and Microsoft addressed that vulnerability in the April 14, 2026 Patch Tuesday; RedSun and UnDefend are separate techniques not confirmed with CVEs in the article.
  • Detection opportunities include monitoring for suspicious temp directories and EICAR bait files, unexpected replacement or execution of TieringEngineService.exe in System32, temporary service creation from user-writable paths, and unexpected local password resets.
  • Recommended defenses: monitor Defender health and signature age, apply application control and least-privilege practices, investigate unusual persistence (services/startup), isolate affected hosts, rotate credentials, and maintain tested incident response and backups.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – BlueHammer exploits a TOCTOU-style race condition in Defender's update handling to gain access to a protected file. ["relies on a TOCTOU-style race condition to trick Defender into giving access to a protected file from a Volume Shadow Copy"]
  • [T1003.002] OS Credential Dumping: Security Account Manager – The exploit reads the SAM, rebuilds the LSA boot key, and decrypts local NT hashes for credential access. ["reads the SAM data, rebuilds the LSA boot key from registry values, decrypts local users' NT hashes"]
  • [T1543.003] Create or Modify System Process: Windows Service – BlueHammer's post-exploitation flow can create a short-lived Windows service to escalate to SYSTEM. ["creating a short-lived service to reach SYSTEM execution"]
  • [T1574] Hijack Execution Flow – RedSun uses cloud-tagged bait files, mount-point reparse path redirection, and file state manipulation to cause Defender to overwrite a system binary in C:\Windows\System32 with attacker-controlled code. ["causes Defender's privileged file handling to land in C:\Windows\System32 … C:\Windows\System32\TieringEngineService.exe is replaced with attacker-controlled code"]
  • [T1218] Signed Binary Proxy Execution – The PoC triggers execution of the replaced TieringEngineService.exe via a tiering-engine COM path to achieve SYSTEM-level execution. ["copies its own executable into that path and triggers execution through the tiering engine COM path, leading to elevated execution"]
  • [T1562] Impair Defenses – UnDefend locks Defender signature/update files and interferes with normal update and replacement behavior to degrade protections. ["monitors Defender-related update locations and locks signature or related update files as they change, interfering with normal update and replacement behavior"]

Indicators of Compromise

  • [File Name] PoC and targeted files – TieringEngineService.exe (legitimate system binary that RedSun overwrites; its presence is not an indicator, an unsigned or non-Microsoft copy is), funnyapp.exe (BlueHammer PoC binary name)
  • [File Path / Pattern] Temp working directories and redirect targets – %TEMP%\RS-{GUID} (temporary staging directory pattern), C:\Windows\System32\TieringEngineService.exe (overwritten system binary)
  • [Detection Signature / Label] Defender detection label seen in analysis – "Virus:DOS/EICAR_Test_File" (EICAR-like bait used to force Defender action)
  • [CVE / Vulnerability] Public vulnerability reference – CVE-2026-33825 (BlueHammer linked to this elevation-of-privilege vulnerability)
  • [Software Version] Affected Defender platform versions – Microsoft Defender Antimalware Platform <= 4.18.26020.6 (vulnerable), 4.18.26030.3011 (patched)
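The detection and defense keypoints above (Defender platform level, signature age, integrity of TieringEngineService.exe, services created from user-writable paths, local password resets, %TEMP%\RS-{GUID} staging directories) can be turned into a single host triage script. The following PowerShell is an added example written for this page; it is not code from the GuardSix article or from the PoC authors. It assumes an elevated PowerShell session on a Windows 10/11 host with Microsoft Defender installed, and it takes the patched platform version 4.18.26030.3011 and the staging-directory pattern from the text above. The signature-age threshold, the seven-day lookback window and the set of "user-writable" path prefixes are my own assumptions and should be tuned to the environment.

```powershell
# Added triage example (not from the GuardSix article or the BlueHammer/RedSun/UnDefend authors).
# Assumptions: run elevated on Windows 10/11 with Microsoft Defender present. The patched
# platform version and the %TEMP%\RS-{GUID} pattern come from the article; the thresholds,
# lookback window and user-writable path list below are assumptions to tune per environment.

$PatchedPlatform     = [version]'4.18.26030.3011'   # from the article's IoC list
$MaxSignatureAgeDays = 2                             # assumption: anything older is suspicious
$LookbackDays        = 7                             # assumption
$Findings            = [System.Collections.Generic.List[string]]::new()

# Helper: flatten an event's EventData into a name -> value hashtable (locale independent,
# unlike parsing $event.Message).
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 1. Defender platform level (CVE-2026-33825 exposure) and signature freshness (UnDefend symptom)
$mp = Get-MpComputerStatus
$platform = [version]$mp.AMProductVersion
if ($platform -lt $PatchedPlatform) {
    $Findings.Add("Defender platform $platform is below patched $PatchedPlatform (CVE-2026-33825 exposure)")
}
if (-not $mp.AMServiceEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $Findings.Add("Defender service or real-time protection is disabled")
}
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $Findings.Add("AV signatures are $($mp.AntivirusSignatureAge) days old (last update $($mp.AntivirusSignatureLastUpdated)); check for update blocking")
}

# 2. Integrity of the binary RedSun overwrites. A replaced copy will usually fail Authenticode
#    validation or carry the wrong OriginalFilename; record the hash either way for correlation.
$tiering = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'
if (Test-Path $tiering) {
    $sig  = Get-AuthenticodeSignature -FilePath $tiering
    $info = (Get-Item $tiering).VersionInfo
    $hash = (Get-FileHash -Algorithm SHA256 -Path $tiering).Hash
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $Findings.Add("TieringEngineService.exe signature '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)', SHA256 $hash")
    }
    if ($info.OriginalFilename -ne 'TieringEngineService.exe') {
        $Findings.Add("TieringEngineService.exe OriginalFilename is '$($info.OriginalFilename)', SHA256 $hash")
    }
}

# 3. Services installed from user-writable locations (System log, Service Control Manager 7045)
$userWritable = '(?i)\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Windows\\Temp)\\'   # assumption
$since = (Get-Date).AddDays(-$LookbackDays)
$svcEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in $svcEvents) {
    $d = Get-EventData -Event $e
    if ($d['ImagePath'] -match $userWritable) {
        $Findings.Add("Service '$($d['ServiceName'])' installed $($e.TimeCreated) from user-writable path: $($d['ImagePath'])")
    }
}

# 4. Local account password resets (Security log 4724), a post-exploitation step called out above
$pwEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in $pwEvents) {
    $d = Get-EventData -Event $e
    $Findings.Add("Password reset of $($d['TargetDomainName'])\$($d['TargetUserName']) by $($d['SubjectUserName']) at $($e.TimeCreated)")
}

# 5. Staging directories matching %TEMP%\RS-{GUID} across all user profiles and the system temp
$tempRoots = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) +
    (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
foreach ($root in ($tempRoots | Select-Object -Unique)) {
    Get-ChildItem -Path $root -Directory -Filter 'RS-*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^RS-\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$' } |
        ForEach-Object { $Findings.Add("Staging directory matching %TEMP%\RS-{GUID}: $($_.FullName)") }
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings | ForEach-Object { "[!] $_" } }
```

Run it elevated with `powershell -ExecutionPolicy Bypass -File .\defender-triage.ps1` on any host that had the vulnerable platform installed, not only on hosts already suspected to be compromised: the platform and signature-age checks in step 1 are the cheapest way to find machines where Defender is silently behind. A valid Microsoft signature in step 2 is not proof the file is untouched if the attacker copied in a different signed Microsoft binary, which is why the script also compares OriginalFilename and records the SHA256 for comparison against a known-good build. Findings from steps 3 and 4 are lower-fidelity on their own (legitimate installers also register services from temp directories and helpdesk tools reset passwords) and should be correlated with the other indicators rather than treated as confirmation.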


Read more: https://guardsix.com/blog/local-privilege-escalation-to-update-blocking-bluehammer-redsun-and-undefend