Throughout April, our team closely monitored emerging Windows privilege escalation threats, with particular focus on newly disclosed Microsoft Defender-related weaknesses that lower the barrier to SYSTEM-level compromise. This month’s insights examine BlueHammer, a publicly released proof-of-concept exploit demonstrating how legitimate Windows and Defender mechanisms can be abused to escalate privileges from a standard user context.
In early April 2026, a researcher operating under the alias ‘Chaotic Eclipse’ / ‘Nightmare-Eclipse’ released exploit code for the unpatched Windows zero-day ‘BlueHammer’. The vulnerability abuses the Microsoft Defender Antivirus update mechanism, chaining Volume Shadow Copy Service (VSS), Cloud Files API, opportunistic locking, and path confusion to achieve SYSTEM-level access.
At the time of writing, no CVE has been assigned, and no official patch or mitigation has been released. The exploit is publicly available and has been independently validated, increasing the likelihood of real-world weaponisation. While local access is required, successful exploitation enables credential extraction from the SAM database and full administrative compromise.
Community Detection Opportunities
MDE_DeviceFileEvents_BlueHammerPOC_SuspiciousVolumeShadowCopyAccess

```kusto
// File activity under a Volume Shadow Copy device path from a non-SYSTEM context,
// excluding Defender definition deltas and processes that legitimately read shadow copies.
DeviceFileEvents
| where FolderPath matches regex @"HarddiskVolumeShadowCopy\d+"
| where not(InitiatingProcessAccountName =~ "system")
| where not(FileName has_any ("AM_Delta"))
| where not(InitiatingProcessFileName has_any ("lsass.exe", "vssvc.exe", "SearchIndexer.exe", "msmpeng.exe", "vmms.exe"))
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, InitiatingProcessCommandLine
```
RedSun is a proof-of-concept privilege escalation vulnerability affecting Microsoft Defender, allowing SYSTEM-level access on fully patched Windows systems. The exploit abuses Defender’s handling of malicious cloud-tagged files, enabling file overwrite operations within critical system directories such as C:\Windows\System32.
The vulnerability has been demonstrated across Windows 10, Windows 11, and Windows Server environments. It requires no administrator privileges, UAC bypass, or kernel exploit, significantly lowering the barrier to exploitation following initial compromise.
Community Detection Opportunities
MDE_DeviceEvents_RedSunDefenderExploit_NamedPipeEvent

```kusto
// Named pipe events whose pipe name references the RedSun PoC or the Tiering engine
// (PipeName is carried inside the AdditionalFields JSON and must be extracted first).
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend sus_NamedPipe = tostring(parse_json(AdditionalFields).PipeName)
| where (sus_NamedPipe has_any ("RedSun", "Tiering") or sus_NamedPipe contains "redsun")
| project TimeGenerated, DeviceName, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessParentFileName, sus_NamedPipe
```
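To check that the two community queries above (the BlueHammer shadow-copy access rule and the RedSun named-pipe rule) behave as intended before deploying them, it helps to exercise their logic against a handful of synthetic rows. The script below is an added example, not Bridewell's code and not a Kusto engine: it renders each query's filter conditions in Python and runs them over constructed telemetry rows that cover each exclusion branch. Column names are taken from the queries; the rows are invented, and KQL `has_any` is approximated here as a case-insensitive substring match (real `has` is term-based and stricter), so that approximation is an assumption of this script.

```python
import json
import re
from typing import Dict, Iterable, List

# Rule constants taken from the two KQL queries above.
SHADOW_COPY_RE = re.compile(r"HarddiskVolumeShadowCopy\d+")
ALLOWLISTED_INITIATORS = ("lsass.exe", "vssvc.exe", "SearchIndexer.exe",
                          "msmpeng.exe", "vmms.exe")


def kql_has_any(value: str, terms: Iterable[str]) -> bool:
    """Approximation of KQL has_any: case-insensitive match of any term.

    Assumption: KQL `has` is term-based; this substring check is slightly
    broader, so it can only over-match relative to the real query."""
    lowered = value.lower()
    return any(term.lower() in lowered for term in terms)


def bluehammer_shadow_copy_access(event: Dict[str, str]) -> bool:
    """Python rendering of MDE_DeviceFileEvents_BlueHammerPOC_SuspiciousVolumeShadowCopyAccess."""
    # | where FolderPath matches regex @"HarddiskVolumeShadowCopy\d+"
    if not SHADOW_COPY_RE.search(event.get("FolderPath", "")):
        return False
    # | where not(InitiatingProcessAccountName =~ "system")  (=~ is case-insensitive)
    if event.get("InitiatingProcessAccountName", "").lower() == "system":
        return False
    # | where not(FileName has_any ("AM_Delta"))  -- Defender definition deltas
    if kql_has_any(event.get("FileName", ""), ("AM_Delta",)):
        return False
    # | where not(InitiatingProcessFileName has_any (...))  -- known shadow-copy readers
    if kql_has_any(event.get("InitiatingProcessFileName", ""), ALLOWLISTED_INITIATORS):
        return False
    return True


def redsun_named_pipe(event: Dict[str, str]) -> bool:
    """Python rendering of MDE_DeviceEvents_RedSunDefenderExploit_NamedPipeEvent."""
    if event.get("ActionType") != "NamedPipeEvent":
        return False
    # | extend sus_NamedPipe = tostring(parse_json(AdditionalFields).PipeName)
    try:
        pipe = str(json.loads(event.get("AdditionalFields", "{}")).get("PipeName", ""))
    except (json.JSONDecodeError, AttributeError):
        return False  # parse_json yields null on malformed input, so the row cannot match
    # | where (sus_NamedPipe has_any ("RedSun", "Tiering") or sus_NamedPipe contains "redsun")
    return kql_has_any(pipe, ("RedSun", "Tiering")) or "redsun" in pipe.lower()


# Constructed sample telemetry (not real MDE data), one row per branch of the logic.
SAMPLE_FILE_EVENTS: List[Dict[str, str]] = [
    {"DeviceName": "ws01", "InitiatingProcessAccountName": "alice",   # should fire
     "InitiatingProcessFileName": "unknown.exe",
     "FolderPath": r"\Device\HarddiskVolumeShadowCopy1\Windows\System32\config",
     "FileName": "SAM"},
    {"DeviceName": "ws02", "InitiatingProcessAccountName": "SYSTEM",  # excluded: account
     "InitiatingProcessFileName": "svchost.exe",
     "FolderPath": r"\Device\HarddiskVolumeShadowCopy1\Windows", "FileName": "a.dll"},
    {"DeviceName": "ws03", "InitiatingProcessAccountName": "bob",     # excluded: AM_Delta
     "InitiatingProcessFileName": "unknown.exe",
     "FolderPath": r"\Device\HarddiskVolumeShadowCopy2\Temp", "FileName": "AM_Delta_Patch.exe"},
    {"DeviceName": "ws04", "InitiatingProcessAccountName": "carol",   # excluded: allowlist
     "InitiatingProcessFileName": "VSSVC.exe",
     "FolderPath": r"\Device\HarddiskVolumeShadowCopy3\Users", "FileName": "notes.txt"},
    {"DeviceName": "ws05", "InitiatingProcessAccountName": "dave",    # no shadow copy path
     "InitiatingProcessFileName": "unknown.exe",
     "FolderPath": r"C:\Users\dave\Documents", "FileName": "notes.txt"},
]

SAMPLE_DEVICE_EVENTS: List[Dict[str, str]] = [
    {"DeviceName": "ws01", "ActionType": "NamedPipeEvent",            # should fire
     "AdditionalFields": json.dumps({"PipeName": r"\Device\NamedPipe\RedSun_sample"})},
    {"DeviceName": "ws02", "ActionType": "NamedPipeEvent",            # benign pipe name
     "AdditionalFields": json.dumps({"PipeName": r"\Device\NamedPipe\spoolss"})},
    {"DeviceName": "ws03", "ActionType": "ProcessCreated",            # wrong ActionType
     "AdditionalFields": json.dumps({"PipeName": r"\Device\NamedPipe\RedSun_sample"})},
    {"DeviceName": "ws04", "ActionType": "NamedPipeEvent",            # malformed JSON
     "AdditionalFields": "{not json"},
]


def run_detections(file_events=SAMPLE_FILE_EVENTS, device_events=SAMPLE_DEVICE_EVENTS):
    """Return (rule name, DeviceName) pairs for every row that would survive each query."""
    hits = [("BlueHammerPOC_SuspiciousVolumeShadowCopyAccess", e["DeviceName"])
            for e in file_events if bluehammer_shadow_copy_access(e)]
    hits += [("RedSunDefenderExploit_NamedPipeEvent", e["DeviceName"])
             for e in device_events if redsun_named_pipe(e)]
    return hits


if __name__ == "__main__":
    for rule, device in run_detections():
        print(f"{rule}: {device}")
```

Running the script reports one hit per rule, both on `ws01`; the remaining rows are each dropped by exactly one exclusion, which is the property worth re-checking whenever the allowlists are tuned. Because the Python `has_any` is broader than Kusto's term matching, a row this script excludes may still surface in the real query, so treat it as a lower bound on noise rather than an exact replica.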
Bridewell CSIRT Detection Rules & Analytics
The following detection content was generated through our managed threat intelligence, threat hunting, and managed detection and response (MDR) services. This content automatically protects our customers from known and emerging threats.
| Detection Analytic Concept | Category |
|---|---|
| MDE_DeviceProcessEvents_BlueHammerPOC_ExploitationAttempts | Privilege Escalation |
| MDE_DeviceProcessEvents_BlueHammerPOC_DefenderProcessShellSpawn | Privilege Escalation |
| MDE_DeviceImageLoadEvents_BlueHammerPOC_CldApiAbuse | Defense Evasion |
| MDE_DeviceProcessEvents_BlueHammerPOC_DefenderProcessAnomalies | Defense Evasion |
| MDE_DeviceEvents_RedSunDefenderExploit_AntiMalwareAction | Defense Evasion |
| MDE_DeviceFileEvents_RedSunDefenderExploit_TieringEngineServiceOverwrite | Defense Evasion |
| MDE_DeviceProcessEvents_RedSunDefenderExploit_TieringEngineServiceExecution | Privilege Escalation |
| MDE_DeviceProcessEvents_RedSunDefenderExploit_TieringEngineServiceExecution2 | Persistence |