CVE-2026-33825, tracked publicly as BlueHammer, is a race condition in Microsoft Defender’s file remediation logic that allows an unprivileged local user to overwrite arbitrary files and achieve SYSTEM-level code execution. The vulnerability was initially disclosed in April 2026 with proof-of-concept code published by researcher “Nightmare Eclipse.” CISA added it to the KEV catalog on April 22, and subsequently updated the entry to confirm exploitation in active ransomware campaigns.
The exploitation context is significant: ransomware operators who have established a low-privilege foothold through phishing or initial access broker purchases can chain BlueHammer into the pre-ransomware privilege escalation phase, achieving SYSTEM before deploying encryption payloads. At SYSTEM, credential harvesting from LSASS, disabling security tools, and deploying ransomware across domain-joined machines becomes trivial.
This guide covers the technical mechanism, the detection surface, Sigma rules deployable to major SIEM platforms, and KQL for Microsoft Sentinel and Defender XDR.
How BlueHammer Works
Microsoft Defender (now Microsoft Defender Antivirus) performs remediation operations — quarantining, deleting, and modifying files identified as malicious — as the SYSTEM account. When Defender’s file handling code operates on a file path, there is a brief window between the security check (validating which file will be operated on) and the actual operation (overwriting or deleting it).
BlueHammer exploits this time-of-check to time-of-use (TOCTOU) window. An attacker creates a symbolic link or directory junction that replaces the target path between the check and the operation. Defender, operating as SYSTEM, then performs its file action against the attacker’s redirected target — overwriting an arbitrary file with content the attacker controls. By overwriting a high-privilege target (a service binary, a DLL loaded by SYSTEM processes, or a Scheduled Task definition), the attacker achieves SYSTEM-level code execution.
The precondition is that Defender must be scanning a file the attacker controls, which is trivially achieved by dropping any file with Defender-triggering content (a test EICAR string, a modified PE, or a file with suspicious entropy) in a directory the unprivileged user owns.
The full exploitation chain runs in three stages:
- Drop a trigger file in a user-writable directory to initiate a Defender scan
- Race the symbolic link/junction into place during Defender’s remediation window
- Await Defender’s SYSTEM-level write to the attacker-controlled target path
Huntress documented real-world intrusion artefacts in their post on Nightmare Eclipse tooling, confirming the race window is consistently exploitable with publicly available tooling.
MITRE ATT&CK Mapping
| Technique | ID | Description |
|---|---|---|
| Exploitation for Privilege Escalation | T1068 | Race condition in Defender service to achieve SYSTEM |
| Abuse Elevation Control Mechanism | T1548 | TOCTOU in privileged service to overwrite protected files |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Post-SYSTEM: disabling AV/EDR before ransomware deployment |
| OS Credential Dumping: LSASS | T1003.001 | Post-SYSTEM: credential harvesting enabling lateral movement |
Detection Strategy
BlueHammer’s exploitation produces several observable behaviours that span three detection layers: file system activity, process behaviour, and security tool telemetry.
Layer 1: Symbolic Link / Junction Creation Before Defender Remediation
The core exploit mechanism requires creating a directory junction or NTFS symbolic link that redirects Defender’s remediation target. CreateSymbolicLink (for symbolic links) and CreateJunctionPoint (for directory junctions) are user-mode operations, but both create reparse points that are logged by ETW providers and EDR process and file system hooks.
Sigma Rule: Junction Creation in User-Writable Directories Immediately Preceding Defender Events
title: Symbolic Link or Junction Created Prior to MpCmdRun File Operation
id: a1b2c3d4-5678-9012-abcd-ef0123456789
status: experimental
description: >
Detects NTFS directory junction or symbolic link creation in user-writable
paths shortly before Microsoft Defender performs a file remediation operation.
This pattern is consistent with CVE-2026-33825 (BlueHammer) exploitation.
references:
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-33825
- https://www.huntress.com/blog/nightmare-eclipse-intrusion
author: SOC Analyst Hub
date: 2026-07-08
tags:
- attack.privilege_escalation
- attack.t1068
- cve.2026-33825
logsource:
category: file_event
product: windows
detection:
selection_reparse:
TargetFilename|contains:
- '\AppData\Local\'
- '\Temp\'
- '\Users\Public\'
TargetObject|contains: '!<symlink>' # Sysmon file reparse point tag
timeframe: 5s
condition: selection_reparse
falsepositives:
- Legitimate software installation using directory junctions (e.g. OneDrive, Office)
- Developer tools creating symbolic links for build environments
level: medium
Correlate this with subsequent MpCmdRun.exe or MsMpEng.exe file write events to the same base path for higher confidence.
Layer 2: Anomalous File Write by Defender Service
The observable impact of successful exploitation is Defender writing to an unusual target path — a system binary, a service DLL, or a protected directory — rather than quarantining within its expected paths under C:\ProgramData\Microsoft\Windows Defender\Quarantine\.
Sigma Rule: Microsoft Defender File Write Outside Quarantine Directory
title: Microsoft Defender Process Writes File Outside Expected Quarantine Path
id: b2c3d4e5-6789-0123-bcde-f0123456789a
status: experimental
description: >
Detects MsMpEng.exe or MpCmdRun.exe writing files to paths outside the
standard Defender quarantine directory. Indicates possible BlueHammer
(CVE-2026-33825) exploitation where the race condition has redirected
Defender's write operation to an attacker-controlled target.
references:
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-33825
author: SOC Analyst Hub
date: 2026-07-08
tags:
- attack.privilege_escalation
- attack.t1068
- cve.2026-33825
logsource:
category: file_event
product: windows
detection:
selection_process:
Image|endswith:
- '\MsMpEng.exe'
- '\MpCmdRun.exe'
filter_quarantine:
TargetFilename|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Quarantine\'
- 'C:\ProgramData\Microsoft\Windows Defender\Scans\'
- 'C:\ProgramData\Microsoft\Windows Defender Antivirus\'
condition: selection_process and not filter_quarantine
falsepositives:
- Defender update processes writing to update staging directories
- Administrative tools triggering Defender scans with custom output paths
level: high
Layer 3: Post-Exploitation Indicators — SYSTEM Shell from Non-Interactive Source
Successful exploitation produces a SYSTEM-level process spawned outside the normal Windows Session 0 service execution tree. In real-world ransomware chain usage documented by Huntress, the post-exploitation phase typically involves a SYSTEM-level cmd.exe or powershell.exe that is a descendant of an unprivileged user-mode process rather than the Windows service host.
KQL: Microsoft Sentinel — SYSTEM Process with Suspicious Parent Chain
// Detect SYSTEM-privileged process spawned from a non-system parent
// Consistent with BlueHammer post-exploitation
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where AccountName == "SYSTEM" or AccountSid == "S-1-5-18"
| where InitiatingProcessAccountName != "SYSTEM"
and InitiatingProcessAccountName != "NT AUTHORITY\\SYSTEM"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where InitiatingProcessFileName !in~ (
"svchost.exe", "services.exe", "wininit.exe", "winlogon.exe",
"taskhostw.exe", "userinit.exe", "csrss.exe"
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc
KQL: Microsoft Defender XDR — MsMpEng Writing Service Binaries
// Detect Defender process writing to service binary paths
// High-fidelity indicator of successful BlueHammer exploitation
DeviceFileEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName in~ ("MsMpEng.exe", "MpCmdRun.exe")
| where FolderPath startswith @"C:\Windows\System32\"
or FolderPath startswith @"C:\Windows\SysWOW64\"
or FolderPath startswith @"C:\Program Files\"
| where ActionType == "FileCreated" or ActionType == "FileModified"
| project TimeGenerated, DeviceName, InitiatingProcessFileName,
FileName, FolderPath, ActionType
| order by TimeGenerated desc
Layer 4: Ransomware Pre-Deployment Indicators
In the ransomware exploitation chain, SYSTEM privilege from BlueHammer is followed by rapid lateral movement and deployment. Correlation rules targeting the sequence — BlueHammer indicators followed within 10 minutes by shadow copy deletion or volume shadow service queries — provide high-confidence ransomware pre-deployment detection.
KQL: BlueHammer → VSS Deletion Correlation (Sentinel)
let bluehammer = DeviceFileEvents
| where TimeGenerated > ago(1h)
| where InitiatingProcessFileName in~ ("MsMpEng.exe", "MpCmdRun.exe")
| where FolderPath !startswith @"C:\ProgramData\Microsoft\Windows Defender\"
| project DeviceName, BlueHammerTime = TimeGenerated;
let vss_del = DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where ProcessCommandLine has_any ("vssadmin delete", "wmic shadowcopy delete", "bcdedit /set recoveryenabled no")
| project DeviceName, VSSTime = TimeGenerated, ProcessCommandLine;
bluehammer
| join kind=inner (vss_del) on DeviceName
| where VSSTime > BlueHammerTime and VSSTime < BlueHammerTime + 10m
| project BlueHammerTime, VSSTime, DeviceName, ProcessCommandLine
Patching and Remediation
The patch for CVE-2026-33825 was included in Microsoft’s April 2026 Patch Tuesday (released April 8, 2026). Any system running Windows Defender / Microsoft Defender Antivirus that has not received the April 2026 cumulative update is vulnerable.
Immediate actions:
- Apply April 2026 Patch Tuesday cumulative updates to all Windows systems.
- Verify Defender signature and engine version is current post-patching (the component patch is distinct from definition updates).
- Review Microsoft Security Update Guide entry CVE-2026-33825 for platform-specific applicability.
- Enable Defender tamper protection where not already active — this limits an attacker’s ability to disable Defender post-SYSTEM, but does not mitigate the LPE itself.
If patching is delayed: restrict access to \Device\Harddisk symbolic link creation via AppLocker or WDAC policies that block non-administrative reparse point creation. This reduces but does not eliminate exploitation risk.
Threat Intelligence Notes
CISA’s KEV update confirming ransomware use of BlueHammer does not attribute the exploitation to a specific group. Huntress’s Nightmare Eclipse intrusion report documented one real-world case. Given that BlueHammer PoC code is publicly available and the CVSS score is 7.8 (High), defenders should assume broad commodity adoption by ransomware affiliates accessing initial access broker-sold footholds.
Security teams should prioritise patching on systems with:
- Internet-facing services or remote desktop exposure
- User populations accessing the web (phishing initial access risk)
- High-value data or domain controller roles (privilege escalation impact amplification)