BlueHammer — unpatched Windows zero-day grants SYSTEM via Defender updates
A published zero-day in Windows Defender signature updates gives attackers SYSTEM privileges. No patch exists. Here is how to protect your endpoints.
Microsoft Defender has a vulnerability with no patch — and the exploit code is sitting on GitHub right now.
On April 3, a security researcher going by Nightmare-Eclipse published a working proof-of-concept for a local privilege escalation in Windows. The vulnerability, dubbed BlueHammer, exploits a TOCTOU race condition (time-of-check to time-of-use) in Defender's signature update mechanism.
What happens technically?
BlueHammer chains several legitimate Windows features: Volume Shadow Copy Service, Windows Cloud Files API, and opportunistic locks. Together, they give a low-privileged user access to the SAM database. From there, the attacker dumps NTLM hashes and escalates to SYSTEM via pass-the-hash.
In plain terms: a regular user on a Windows machine can take full control of the system.
Why this matters for SMBs on M365
Every company running Windows endpoints managed via Intune with Microsoft Defender is potentially vulnerable. The exploit requires local access — but in practice, a phishing email or a compromised user account is enough to get that initial foothold.
Shared workstations and environments where users have local admin rights are at higher risk.
What you should do now
There is no patch yet. Microsoft has not assigned a CVE. But you can reduce the risk:
- Enable Defender tamper protection — prevents unauthorized changes to Defender settings
- Turn on Attack Surface Reduction (ASR) rules in Intune — limits what processes can do
- Deploy LAPS (Local Administrator Password Solution) — if NTLM hashes leak, the damage is contained
- Restrict local admin rights via Intune endpoint privilege management
- Monitor MSRC for an emergency patch — it may arrive with Patch Tuesday on April 14
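To verify the first four items on an endpoint, here is an added read-only PowerShell audit (example code written for this post, not from the original advisory or the published PoC). It assumes an elevated session on the endpoint and that LAPS policy, when deployed, lands under the two registry paths named in the script, which is an assumption; adjust them to match your tenant.

```powershell
# Read-only audit of the hardening items above. Assumptions: run elevated on the
# endpoint; the LAPS registry paths are assumed locations for Windows LAPS and
# legacy LAPS policy and may differ in your environment.
function Test-EndpointHardening {
    $findings = [ordered]@{}

    # 1. Tamper protection: Get-MpComputerStatus exposes IsTamperProtected
    $status = Get-MpComputerStatus
    $findings['TamperProtection'] = if ($status.IsTamperProtected) { 'OK' } else { 'MISSING' }

    # 2. ASR rules: Ids and Actions are parallel arrays
    #    action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    $block = 0
    for ($i = 0; $i -lt $ids.Count; $i++) { if ($acts[$i] -eq 1) { $block++ } }
    $findings['AsrRulesConfigured'] = $ids.Count
    $findings['AsrRulesBlockMode']  = $block
    $findings['AsrStatus'] = if ($block -gt 0) { 'OK' }
                             elseif ($ids.Count -gt 0) { 'AUDIT ONLY' }
                             else { 'MISSING' }

    # 3. LAPS: a delivered policy key (assumed paths) indicates LAPS is in place
    $lapsPaths = @('HKLM:\SOFTWARE\Microsoft\Policies\LAPS',
                   'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd')
    $lapsFound = $lapsPaths | Where-Object { Test-Path $_ }
    $findings['Laps'] = if ($lapsFound) { 'POLICY PRESENT' } else { 'MISSING' }

    # 4. Local admin rights: enumerate the built-in Administrators group by its
    #    well-known SID so the check is independent of the system language
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name)
    $findings['LocalAdminCount'] = $admins.Count
    $findings['LocalAdmins']     = $admins -join ', '

    [pscustomobject]$findings
}

Test-EndpointHardening | Format-List
```

Any row reporting MISSING or AUDIT ONLY maps directly to one of the bullet points above; rerun after pushing the Intune policy to confirm it applied.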
How we can help
We offer a quick review of your endpoint configuration: Defender tamper protection, ASR rules, LAPS status, and local admin rights. It takes 1-2 hours for a Quick Check, or half a day for a full endpoint hardening assessment.
Want us to check your environment? Get in touch.