Vulnerability Analysis

CVE-2026-33825 (BlueHammer): Windows Defender TOCTOU Zero-Day & How to Fix It

Executive Summary

CVE-2026-33825, dubbed BlueHammer, is a local privilege escalation (LPE) zero-day in Microsoft Defender's threat remediation engine, publicly disclosed on April 7, 2026 alongside a working proof-of-concept exploit leaked by a disgruntled security researcher. By exploiting a time-of-check to time-of-use (TOCTOU) race condition in Defender's malware cleanup routine, a low-privileged local attacker can redirect a privileged file write to the SAM database — dumping NTLM password hashes and escalating to NT AUTHORITY\SYSTEM. A patch was delivered on April 14, 2026 as part of Microsoft's Patch Tuesday (Defender Antimalware Platform update 4.18.26030.3011), but because PoC code is already public and modified variants can evade signature detection, organizations should treat this as an urgent remediation priority.


1. What Is This Vulnerability?

BlueHammer lives in the file remediation logic that Microsoft Defender invokes when it detects and cleans up a malicious file. When Defender's real-time protection engine quarantines a threat, it performs a series of privileged filesystem operations — moving, overwriting, or deleting flagged files — running under NT AUTHORITY\SYSTEM. The flaw is that Defender validates the target file path at the time of check (when it first identifies the file) but doesn't re-validate it at the time of use (when it performs the privileged write). That window is exploitable.

Attack Vector

The exploit chain unfolds in four steps:

  1. Trigger a Defender detection. The attacker drops a file that matches a Defender signature — a dummy EICAR string is enough — to make Defender initiate its remediation routine.

  2. Block the privileged thread with an oplock. The attacker takes an opportunistic lock (oplock) on the trigger file. When Defender's remediation thread opens that file, the oplock break blocks the open until the attacker acknowledges it, so the attacker decides exactly when the privileged operation proceeds and has a controlled race window in the meantime.

  3. Swap the path with an NTFS junction. While the thread is suspended, the attacker deletes the original file location and replaces it with an NTFS junction point redirecting from the attacker-controlled temporary directory to C:\Windows\System32.

  4. Layer an Object Manager symbolic link. Before releasing the oplock, the final path component is redirected with an Object Manager symbolic link so that the name Defender holds now resolves to C:\Windows\System32\config\SAM, the Security Account Manager hive that stores the local accounts' NTLM hashes. Defender's thread resumes and performs its privileged write on the SAM, or the attacker reads the hive back using Defender's SYSTEM-level access.

The result: a low-privileged local user gets SYSTEM-level read/write access to the SAM hive and can extract the NTLM hashes of every local account (decrypting them also needs the boot key held in the neighbouring SYSTEM hive). Pass-the-hash with a local administrator hash yields an administrator session, from which NT AUTHORITY\SYSTEM is trivially reachable, so in practice this is full compromise of any Windows host not yet on the April 14 update.

Attack Vector Simplified (Pseudocode)

# Attacker-side (running as low-privileged user)

1. drop_eicar_trigger("C:\Temp\attacker_dir\evil.exe")
2. place_oplock("C:\Temp\attacker_dir\evil.exe")        # pauses Defender write
3. delete("C:\Temp\attacker_dir\")
4. create_ntfs_junction("C:\Temp\attacker_dir" -> "C:\Windows\System32")
5. replace_junction_with_symlink("C:\Temp\attacker_dir\evil.exe" -> 
                                  "\Device\HarddiskVolume3\Windows\System32\config\SAM")
6. release_oplock()                                      # Defender resumes, writes to SAM
7. dump_hashes("C:\Windows\System32\config\SAM")
8. pass_the_hash(admin_ntlm_hash) -> NT AUTHORITY\SYSTEM

Real-World Impact

Within days of the PoC release on April 7, threat intelligence firms observed the exploit being incorporated into commodity post-exploitation toolkits. Red team operators and penetration testers confirmed reliable SYSTEM escalation on Windows 10 22H2 and Windows 11 24H2. Modified exploit variants designed to bypass Defender's own signature detection for the PoC were circulating on underground forums within 48 hours of the initial release.


2. Who Is Affected?

Component                                Affected Versions
Microsoft Defender Antimalware Platform  < 4.18.26030.3011
Windows 10                               All editions (Home, Pro, Enterprise, Education)
Windows 11                               All editions (Home, Pro, Enterprise, Education)
Windows Server                           All editions with Defender enabled

Preconditions for exploitation:

  • Attacker must have local code execution as a low-privileged user (standard account, no admin rights required)
  • Microsoft Defender real-time protection must be enabled (the default state)
  • No network access required — this is a fully local attack

Not affected:

  • Systems where a registered third-party antivirus has put Defender into passive mode, since Defender performs no real-time remediation there. The vulnerable platform binary is still installed on those systems, so the update should still be applied in case Defender is ever returned to active mode.
  • Systems where Defender has already been updated to platform version 4.18.26030.3011 or later

3. How to Detect It (Testing)

Manual Testing Steps

Step 1: Verify the Defender platform version on the target system

Open PowerShell as an administrator and run:

Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AntivirusSignatureVersion

If AMProductVersion is below 4.18.26030.3011, the system is vulnerable.

Step 2: Check for suspicious VSS activity

Oplocks leave no Windows event, so step 2 of the chain cannot be queried directly. The nearest proxy is Volume Shadow Copy activity, because a shadow copy is the usual way to copy a live SAM hive once a process has SYSTEM rights. Review the System log for the VSS service starting (Service Control Manager Event ID 7036) and for VSS provider errors (8193, 8194):

Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036, 8193, 8194 } |
  Where-Object { $_.ProviderName -eq 'VSS' -or $_.Message -match 'Volume Shadow Copy' } |
  Select-Object TimeCreated, Id, ProviderName, Message

Snapshot activity outside scheduled backup windows and close in time to a Defender detection is worth a look, but on its own it is a weak indicator and should be correlated with the signals from steps 3 and 4.

Step 3: Look for junction and symlink anomalies in Temp directories

Get-ChildItem C:\Users\*\AppData\Local\Temp -Recurse -Attributes ReparsePoint | 
  Select-Object FullName, CreationTime, LastWriteTime

NTFS junctions or symlinks created in Temp directories around the time of a Defender detection event are suspicious. Note that -Attributes ReparsePoint also returns OneDrive placeholder files and AppX execution aliases, so check LinkType and Target before escalating a hit.
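The sweep below is an added example, not code from the original advisory. It walks every user's Temp directory by hand (Get-ChildItem -Recurse on Windows PowerShell 5.1 follows junctions, so a naive sweep would descend into System32 through the very link it is inspecting), reports where each reparse point points, and classifies it as inside or outside that user's profile. The probe junction at the bottom is constructed for the self-test; the default users root is derived from $env:PUBLIC and is an assumption about a standard profile layout.

```powershell
# Added example (not from the original advisory): reparse-point sweep of user Temp directories.
# Requires an elevated session to read other users' profiles.
function Get-TempReparsePoint {
    param([string]$UsersRoot = (Split-Path -Parent $env:PUBLIC))   # normally C:\Users

    # Enumerate a tree without descending into reparse points: a junction is reported, not entered.
    function Walk-NoFollow([string]$dir) {
        foreach ($item in Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue) {
            if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) { $item }
            elseif ($item.PSIsContainer) { Walk-NoFollow $item.FullName }
        }
    }

    foreach ($profile in Get-ChildItem -LiteralPath $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        $temp = Join-Path $profile.FullName 'AppData\Local\Temp'
        if (-not (Test-Path -LiteralPath $temp)) { continue }
        foreach ($rp in Walk-NoFollow $temp) {
            # LinkType/Target are populated for NTFS junctions and symlinks only; other reparse tags
            # (OneDrive placeholders, AppX aliases) return nothing and are kept as Informational.
            $target  = (@($rp.Target) | Select-Object -First 1) -replace '^\\\?\?\\', ''   # strip NT \??\ prefix
            $verdict = if (-not $target) { 'Informational' }
                       elseif ($target.StartsWith($profile.FullName, 'OrdinalIgnoreCase')) { 'InProfile' }
                       else { 'OutsideProfile' }
            [pscustomobject]@{
                Path     = $rp.FullName
                LinkType = $rp.LinkType
                Target   = $target
                Created  = $rp.CreationTime
                Verdict  = $verdict
            }
        }
    }
}

# Self-test (constructed): a junction from the current user's Temp to the Windows directory, the
# shape step 3 of the chain produces. Creating it needs no privilege; [IO.Directory]::Delete removes
# the link only, never its target.
$probe = Join-Path $env:LOCALAPPDATA 'Temp\bh-sweep-probe'
New-Item -ItemType Junction -Path $probe -Target $env:SystemRoot | Out-Null
try {
    Get-TempReparsePoint | Where-Object Verdict -eq 'OutsideProfile' |
        Format-Table Path, LinkType, Target, Created -AutoSize
} finally {
    [IO.Directory]::Delete($probe)
}
```

Schedule Get-TempReparsePoint as a periodic task and alert only on OutsideProfile; anything pointing at \Windows, \RPC Control or another user's profile from a Temp directory has no legitimate reason to exist.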

Step 4: Monitor for unexpected SAM database access

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
  Where-Object { $_.Message -match '\\(REGISTRY\\MACHINE\\SAM|System32\\config\\SAM)(\s|$)' } |
  Select-Object TimeCreated, Message | Format-List

Event ID 4663 (Object Access) against \REGISTRY\MACHINE\SAM or C:\Windows\System32\config\SAM by a process that is not a known backup or admin tool is a red flag. Two caveats: 4663 is only written when the "Audit File System" / "Audit Registry" subcategories are enabled and the object carries a SACL, so confirm that auditing is actually configured before treating an empty result as good news; and the regex anchors on the hive name so that "SAMPLE" and other incidental matches are not returned.
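For SOC use the Message regex above is a stopgap. The following is an added example, not part of the original advisory: it reads the 4663 EventData fields (ObjectName, ProcessName, AccessMask) so matches are exact, suppresses processes on an allowlist, and flags the rest. The allowlist and the two sample records are constructed for this example (the Defender platform folder version in the second record is made up); Find-SamAccess wraps the same logic around Get-WinEvent for live use.

```powershell
# Added example (not from the original advisory): field-based triage of Security 4663 records.
$SamObjectSuffixes = @('\REGISTRY\MACHINE\SAM', '\Windows\System32\config\SAM')
$AllowedProcesses  = @('C:\Windows\System32\lsass.exe')   # assumed baseline; add your backup agent
$WriteBits         = 0x2 -bor 0x4 -bor 0x100               # FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES

function Test-SamAccessRecord {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Collect <Data Name="...">value</Data> pairs; the adapter ignores the event namespace.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
    $object  = [string]$data['ObjectName']
    $process = [string]$data['ProcessName']
    $mask    = if ($data['AccessMask']) { [int]$data['AccessMask'] } else { 0 }   # "0x2" parses as hex
    $isSam   = [bool]($SamObjectSuffixes | Where-Object { $object -like "*$_" })
    $allowed = $AllowedProcesses -contains $process
    [pscustomobject]@{
        Time       = $EventXml.Event.System.TimeCreated.SystemTime
        Computer   = $EventXml.Event.System.Computer
        Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Process    = $process
        Object     = $object
        Write      = ($mask -band $WriteBits) -ne 0
        Suspicious = $isSam -and -not $allowed   # any non-allowlisted touch of the hive, read or write
    }
}

function Find-SamAccess {
    param([int]$Days = 7)
    # 4663 exists only if "Audit File System" / "Audit Registry" is enabled and the object has a SACL.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SamAccessRecord -EventXml ([xml]$_.ToXml()) } |
        Where-Object Suspicious
}

# Constructed sample records (not real telemetry): an allowlisted lsass read of the registry hive,
# and a Defender engine write to the on-disk hive, which is the BlueHammer shape.
$sampleAllowed = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID>
<TimeCreated SystemTime="2026-04-09T10:14:03Z"/><Computer>WS01</Computer></System><EventData>
<Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="ObjectName">\REGISTRY\MACHINE\SAM</Data><Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
<Data Name="AccessMask">0x1</Data></EventData></Event>
'@
$sampleDefender = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID>
<TimeCreated SystemTime="2026-04-09T10:14:09Z"/><Computer>WS01</Computer></System><EventData>
<Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="ObjectName">C:\Windows\System32\config\SAM</Data><Data Name="ProcessName">C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26020.1-0\MsMpEng.exe</Data>
<Data Name="AccessMask">0x2</Data></EventData></Event>
'@

@($sampleAllowed, $sampleDefender) | ForEach-Object { Test-SamAccessRecord -EventXml $_ } |
    Format-Table Time, Process, Object, Write, Suspicious -AutoSize
```

Only the second record comes back Suspicious (and Write = True). Run Find-SamAccess on a host where the SAM objects carry a SACL; without one the function returns nothing regardless of what happened.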

Automated Scanning

Tenable / Nessus

  • Plugin ID: Search for CVE-2026-33825 in the Nessus plugin feed
  • Scan Type: Credentialed local scan
  • Expected finding: AMProductVersion below threshold flagged as High

CrowdStrike Falcon

ProcessRollup2 is the process-execution event and carries no TargetFileName field, so the two cannot be combined in a single search. Start from the Defender engine process, then pivot to file events on the SAM path (the exact file-event names depend on sensor version; take them from the Falcon Events Data Dictionary):

event_simpleName=ProcessRollup2 ImageFileName="*MsMpEng.exe"
| table aid, TargetProcessId_decimal, ImageFileName, CommandLine

Any file event with TargetFileName="*config\SAM*" whose ContextProcessId_decimal matches one of those TargetProcessId_decimal values on the same aid is Defender's own process touching the hive.

Microsoft Defender for Endpoint (MDE) KQL Hunt

let lookback = 7d;
let detections = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "AntivirusDetection"
| project DeviceId, DetectionTime = Timestamp;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "MsMpEng.exe"
| where FolderPath contains_cs @"\System32\config" and FileName =~ "SAM"
| join kind=inner detections on DeviceId
// the hive was touched within ten minutes of a detection on the same device
| where Timestamp between (DetectionTime .. (DetectionTime + 10m))
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, DetectionTime

The time filters sit on both tables before the join (a join on DeviceId alone over unfiltered tables multiplies every detection by every file event on the device), and the time-window clause ties the SAM access to a specific detection rather than to any detection in the week.

Code Review Checklist

  • Confirm AMProductVersion ≥ 4.18.26030.3011 on all managed endpoints
  • Audit Group Policy for the Create symbolic links privilege assignment (default: Administrators only). Be aware that NTFS junctions and Object Manager symbolic links, the primitives in this chain, require no privilege at all, so this is hygiene rather than a control that blocks the exploit
  • Verify Windows Update / WSUS / Intune policies are delivering Defender platform updates, not just signature updates
  • Review endpoint inventory for any systems with Defender real-time protection disabled

4. How to Fix It (Mitigation)

Step-by-Step Remediation

1. Apply the Defender Platform Update (Primary Fix)

The patch is delivered as a Defender Antimalware Platform update — separate from the monthly Windows cumulative update — and should auto-apply on most managed systems.

Verify and force the update via PowerShell:

# Refresh security intelligence and engine (this does not install the platform update)
Update-MpSignature -UpdateSource MicrosoftUpdateServer
# The platform itself (what AMProductVersion reports) ships as "Update for Microsoft Defender
# Antimalware Platform" (KB4052623) through Windows Update / WSUS / Intune, so run a Windows
# Update scan rather than relying on Update-MpSignature
# Confirm version after update
Get-MpComputerStatus | Select-Object AMProductVersion
# Target: 4.18.26030.3011 or higher

2. Apply the April 2026 Cumulative Update via Windows Update / WSUS

Even though the Defender platform update is delivered independently, ensure all April 2026 Patch Tuesday patches are applied:

# Install all pending updates (requires the PSWindowsUpdate module; -AcceptAll suppresses per-update prompts)
Install-Module PSWindowsUpdate -Force
Get-WindowsUpdate -Install -AcceptAll -AutoReboot

3. Restrict Symbolic Link Creation via Group Policy (hygiene, not a block)

Navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Create symbolic links

Remove any standard user or service accounts that have been added. Only Administrators and NT VIRTUAL MACHINE\Virtual Machines (on Hyper-V hosts) should remain, which is also the default. Be clear about what this buys: SeCreateSymbolicLinkPrivilege governs NTFS symbolic links only. The NTFS junction and the Object Manager symbolic link used in the BlueHammer chain can be created by any user in a directory they own, so this setting does not prevent the exploit; the platform update does.

4. Enable Controlled Folder Access (general hardening, not a BlueHammer mitigation)

Controlled Folder Access protects user data folders (Documents, Pictures, Desktop and any folders you add). It does not govern C:\Windows\System32, and it does not interpose on Defender's own process, which is what performs the privileged write in this chain. It remains a sound ransomware control, so enable it if it is not already on, but do not count it against this vulnerability. Start in audit mode on a pilot group to surface applications that would be blocked:

Set-MpPreference -EnableControlledFolderAccess AuditMode
# after reviewing the audit events
Set-MpPreference -EnableControlledFolderAccess Enabled

5. Roll Out via Intune / SCCM (Enterprise)

For large-scale deployments:

# Intune PowerShell detection script (deploy as the detection half of a remediation)
# exit 1 marks the device non-compliant so the paired remediation and reporting pick it up
$version = (Get-MpComputerStatus).AMProductVersion
$target  = [version]"4.18.26030.3011"
if ([version]$version -lt $target) {
    # Refreshes security intelligence and engine only; the platform binary itself arrives
    # through the Windows Update channel (KB4052623), which the update ring must deliver
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
    exit 1  # Non-compliant
} else {
    exit 0  # Compliant
}

Code Fix Example

Before (vulnerable behavior — Defender validates path at T1, writes at T2):

T1: Defender checks path → "C:\Temp\attacker_dir\evil.exe" (benign location)
    [WINDOW: attacker swaps junction here]
T2: Defender writes to  → "C:\Windows\System32\config\SAM" (SAM database!)

After (patched behavior: Defender re-validates immediately before the write; to be race-free that re-validation has to be performed on the handle being written to, not by resolving the path a second time):

T1: Defender checks path → "C:\Temp\attacker_dir\evil.exe"
    [Window still exists, but the object being written is re-examined at T2]
T2: Defender re-validates → detects the reparse point / redirected target, aborts the operation, logs a warning
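The block below is an added example, not Defender's code and not a description of Microsoft's actual patch. It shows the pattern that actually closes the window the "After" timeline describes: open the file once with FILE_FLAG_OPEN_REPARSE_POINT, ask the kernel what the handle refers to (reparse attribute via GetFileInformationByHandle, real location via GetFinalPathNameByHandle), and then write through that same handle. The path is never resolved a second time, so a junction or symlink swapped in after the check has nothing left to redirect. The Win32File wrapper type, the function name and the demo directories under $env:LOCALAPPDATA are all assumptions of this example; the stand-in "SAM" file is an ordinary text file.

```powershell
# Added example (not Defender's code): TOCTOU-safe privileged write via a validated handle.
if (-not ('Win32File' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
public static class Win32File {
    public const uint GENERIC_WRITE = 0x40000000, OPEN_EXISTING = 3;
    public const uint FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000, FILE_ATTRIBUTE_REPARSE_POINT = 0x400;
    [StructLayout(LayoutKind.Sequential)]
    public struct BY_HANDLE_FILE_INFORMATION {
        public uint FileAttributes;
        public System.Runtime.InteropServices.ComTypes.FILETIME CreationTime, LastAccessTime, LastWriteTime;
        public uint VolumeSerialNumber, FileSizeHigh, FileSizeLow, NumberOfLinks, FileIndexHigh, FileIndexLow;
    }
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern SafeFileHandle CreateFileW(string path, uint access, uint share, IntPtr sa,
                                                    uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetFileInformationByHandle(SafeFileHandle h, out BY_HANDLE_FILE_INFORMATION info);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetFinalPathNameByHandleW(SafeFileHandle h, StringBuilder buf, uint size, uint flags);
}
'@
}

function Open-FileForPrivilegedWrite {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedRoot   # directory the file was validated under at check time
    )
    # Open the final component without following a reparse point placed on it.
    $h = [Win32File]::CreateFileW($Path, [Win32File]::GENERIC_WRITE, 0, [IntPtr]::Zero,
                                  [Win32File]::OPEN_EXISTING, [Win32File]::FILE_FLAG_OPEN_REPARSE_POINT, [IntPtr]::Zero)
    if ($h.IsInvalid) { throw "CreateFileW failed for $Path (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))" }
    try {
        # Check 1: the object we opened must be a plain file, not a symlink/junction.
        $info = New-Object 'Win32File+BY_HANDLE_FILE_INFORMATION'
        if (-not [Win32File]::GetFileInformationByHandle($h, [ref]$info)) { throw 'GetFileInformationByHandle failed' }
        if ($info.FileAttributes -band [Win32File]::FILE_ATTRIBUTE_REPARSE_POINT) { throw "refusing ${Path}: final component is a reparse point" }
        # Check 2: where does the handle really point? A junction in any parent directory shows up here.
        $buf = [Text.StringBuilder]::new(32768)
        $len = [Win32File]::GetFinalPathNameByHandleW($h, $buf, $buf.Capacity, 0)   # 0 = VOLUME_NAME_DOS
        if ($len -eq 0 -or $len -gt $buf.Capacity) { throw 'GetFinalPathNameByHandleW failed' }
        $final = $buf.ToString() -replace '^\\\\\?\\', ''
        $root  = (Resolve-Path -LiteralPath $ExpectedRoot).ProviderPath.TrimEnd('\') + '\'
        if (-not $final.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { throw "refusing ${Path}: handle resolves to $final, outside $root" }
        return $h   # caller does all further work through this handle, never through the path
    } catch { $h.Dispose(); throw }
}

# Demo (constructed): the swap from step 3 of the chain. 'quarantine' is the directory the remediation
# routine validated; by write time it has become a junction to 'elsewhere' (stand-in for System32\config).
$base = Join-Path $env:LOCALAPPDATA 'bh-toctou-demo'
$quarantine = Join-Path $base 'quarantine'; $elsewhere = Join-Path $base 'elsewhere'; $clean = Join-Path $base 'clean'
New-Item -ItemType Directory -Force -Path $elsewhere, $clean | Out-Null
Set-Content -LiteralPath (Join-Path $elsewhere 'SAM') -Value 'stand-in hive' -NoNewline
Set-Content -LiteralPath (Join-Path $clean 'evil.exe') -Value 'placeholder, not a real sample' -NoNewline
New-Item -ItemType Junction -Path $quarantine -Target $elsewhere | Out-Null   # needs no privilege
try {
    try { $h = Open-FileForPrivilegedWrite -Path (Join-Path $quarantine 'SAM') -ExpectedRoot $quarantine
          $h.Dispose(); 'NOT expected: the write would have followed the junction' }
    catch { "blocked: $($_.Exception.Message)" }
    # Legitimate case: a real file under the expected root is remediated through the validated handle.
    $h  = Open-FileForPrivilegedWrite -Path (Join-Path $clean 'evil.exe') -ExpectedRoot $clean
    $fs = [IO.FileStream]::new($h, [IO.FileAccess]::Write); $fs.SetLength(0); $fs.Dispose()
    "remediated: $((Get-Item -LiteralPath (Join-Path $clean 'evil.exe')).Length) bytes remain"
} finally {
    [IO.Directory]::Delete($quarantine)            # removes the junction only, never its target
    Remove-Item -LiteralPath $base -Recurse -Force
}
```

The first attempt is refused because the kernel reports the handle's final path under elsewhere\ rather than quarantine\; the second succeeds and truncates the file, and the truncation goes through $h, so even a swap that happens between the two checks and the write cannot change the target. FILE_FLAG_OPEN_REPARSE_POINT only affects the final path component, which is why the final-path comparison is needed as well as the attribute check.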

Configuration Hardening

# Restrict symbolic link creation to Administrators only (via secedit); see the caveat under
# remediation step 3: this governs NTFS symlinks and does not stop junctions
secedit /export /cfg C:\temp\secpol.cfg
# Edit SeCreateSymbolicLinkPrivilege in secpol.cfg to include only *S-1-5-32-544 (Administrators)
secedit /configure /db C:\temp\secedit.sdb /cfg C:\temp\secpol.cfg /areas USER_RIGHTS

# Tamper protection cannot be set with Set-MpPreference (there is no -DisableTamperProtection
# parameter, by design, so that a local process cannot turn it off). Enable it in the Windows
# Security app or via Intune / Defender for Endpoint tenant settings, then confirm it is on:
Get-MpComputerStatus | Select-Object IsTamperProtected, TamperProtectionSource

# Enable cloud-delivered protection for faster threat intel
Set-MpPreference -MAPSReporting Advanced
# SendSafeSamples (the default) uploads executables only; SendAllSamples may upload documents
Set-MpPreference -SubmitSamplesConsent SendAllSamples

5. How to Test the Fix (Validation)

Regression Test Scenarios

  • Scenario A: Confirm Defender platform version is at or above 4.18.26030.3011 on all endpoints in scope.
  • Scenario B: Attempt the TOCTOU race condition using the public PoC code — the attack should now fail with Defender aborting the file operation.
  • Scenario C: Verify Defender's malware remediation functionality is unaffected — a legitimate EICAR test file should still be detected and quarantined normally.

Security Test Cases

Test Case 1: Verify the patch is applied

  • Precondition: April 2026 Defender platform update deployed
  • Steps: Run Get-MpComputerStatus | Select-Object AMProductVersion
  • Expected Result: Version ≥ 4.18.26030.3011

Test Case 2: Confirm TOCTOU exploit no longer succeeds

  • Precondition: Patched system in an isolated test environment
  • Steps: Execute the public BlueHammer PoC (from a low-privileged account)
  • Expected Result: the EICAR trigger still produces Defender Operational Event IDs 1116 (detection) and 1117 (action taken), exactly as it would on an unpatched host, so those events do not by themselves prove the fix. The pass criterion is what does not happen: the PoC reports failure, no Security Event 4663 shows MsMpEng.exe touching config\SAM or \REGISTRY\MACHINE\SAM, and the SAM hive's last-write time is unchanged

Test Case 3: Confirm normal Defender functionality

  • Precondition: Patched system
  • Steps: Drop an EICAR test file in a user-writable directory
  • Expected Result: Defender detects and quarantines the file within seconds; no impact on legitimate operations

Automated Tests

# Automated validation script — run post-patch on a sample of endpoints
# (requires the RSAT ActiveDirectory module and WinRM access to the targets)

$target    = [version]'4.18.26030.3011'
$endpoints = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name

$results = foreach ($ep in $endpoints) {
    $version = Invoke-Command -ComputerName $ep -ScriptBlock {
        (Get-MpComputerStatus).AMProductVersion
    } -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        Endpoint  = $ep
        Version   = $version
        # Unreachable hosts return no version and are reported as non-compliant rather than silently passing
        Compliant = if ($version) { [version]$version -ge $target } else { $false }
    }
}

$results | Export-Csv 'C:\Reports\BlueHammer-Patch-Validation.csv' -NoTypeInformation
$results | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

6. Prevention & Hardening

Best Practices

  • Enforce least privilege for local accounts. BlueHammer requires local code execution, so reducing the blast radius of initial access (phishing, commodity malware) limits who can trigger the exploit. Standard user accounts should not hold SeCreateSymbolicLinkPrivilege (by default they do not); keep in mind that the junctions and Object Manager symbolic links in this chain need no privilege, so this is hygiene rather than a block.

  • Automate Defender platform update delivery. Signature updates and platform updates are separate channels. Ensure your WSUS, Intune, or SCCM policies explicitly deliver Defender platform updates, not only antivirus definitions — many organizations update signatures daily but miss platform-level patches.

  • Audit reparse point creation on endpoints. NTFS junctions and symlinks in user-writable directories are a common primitive in Windows LPE exploits. Sysmon has no reparse-point event type (there is no <ReparsePoint> rule element), so it cannot record junction creation directly. What it can give you is the file-creation side of the chain (Event ID 11, FileCreate) for the trigger file dropped into Temp, which you then correlate with a scheduled reparse-point sweep such as the one in Section 3, step 3:

    <RuleGroup name="TempFileCreate" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
      </FileCreate>
    </RuleGroup>
    
  • Enable Microsoft Defender's tamper protection. Tamper protection prevents local processes from disabling Defender's real-time protection, closing off the most common attempt attackers make after gaining initial foothold.

  • Run a quarterly LPE hunting exercise. Local privilege escalation flaws are difficult to eliminate entirely. Establish a routine of testing endpoints against current LPE PoC catalogues (e.g., itm4n/PrivescCheck) to catch regressions before attackers do.

Monitoring & Detection

Signal                               Event / Source                                         What to Alert On
SAM hive access by Defender engine   Security Event ID 4663                                 MsMpEng.exe with ObjectName ending in \config\SAM or \REGISTRY\MACHINE\SAM outside a known backup window (requires file/registry auditing and a SACL on the object)
Unexpected VSS snapshot creation     System log: VSS 8193/8194, Service Control Manager 7036  VSS activity with no scheduled backup; weak on its own, correlate with a Defender detection
Reparse points in user Temp          Scheduled sweep (Get-ChildItem -Attributes ReparsePoint)  Any junction or symlink whose target lies outside the user's own profile
Privilege escalation to SYSTEM       Security Event IDs 4624 / 4672                         4672 fires for every SYSTEM logon and is noise alone; alert on a new SYSTEM logon whose parent process runs in an interactive user session
Defender platform version drift      MDE / Intune compliance                                Any device reporting AMProductVersion < 4.18.26030.3011
