RoguePlanet Zero-Day: Microsoft Defender Race Condition Grants SYSTEM Privileges on Fully Patched Windows
A security researcher publicly released a working zero-day exploit against Microsoft Defender on June 9, 2026, just hours after Microsoft's June 2026 Patch Tuesday. The vulnerability, dubbed RoguePlanet, exploits a race condition in Defender's real-time scanning engine to spawn a SYSTEM-level command prompt on fully patched Windows 10 and Windows 11 systems [1]. Microsoft has not yet shipped a fix and has not publicly commented on RoguePlanet specifically, though the company previously submitted takedown requests for the researcher's repositories [1]. ThreatLocker independently reproduced the exploit and confirmed it works against systems with the latest cumulative update, KB5094126, installed [1].
This is not an academic proof-of-concept sitting in a researcher's drawer. The exploit code is public, and every Windows endpoint running Defender is a potential target. The exploit's reliability varies by system; the researcher reports 100% success on some machines but inconsistent results on others [1]. Defenders need to act now, not when a patch drops.
The Researcher: Nightmare Eclipse
The person behind RoguePlanet goes by Nightmare Eclipse (also known as Chaotic Eclipse and Dead Eclipse). This researcher has an established track record. Prior zero-days attributed to the same researcher include BlueHammer, RedSun, UnDefend, GreenPlasma, YellowKey, and MiniPlasma [1]. At least three of these (BlueHammer, RedSun, and UnDefend) were observed exploited in real-world attacks, forcing Microsoft to issue patches through subsequent Patch Tuesday and Defender platform updates. The pattern is consistent: find flaws in Microsoft's built-in security tooling, develop weaponized PoCs, and release them publicly when Microsoft does not patch fast enough.
Nightmare Eclipse's earlier exploits were hosted on GitHub and GitLab before Microsoft submitted takedown requests and the repositories were removed [1]. For RoguePlanet, the researcher published directly on a self-hosted Git repository (projectnightcrawler.dev), making platform-level takedowns ineffective [1]. The exploit is now widely circulated across security research communities.
The timing was deliberate. Releasing immediately after Patch Tuesday guarantees the maximum window before the next scheduled update cycle. Microsoft can ship Defender signature updates out-of-band, but a fix for a race condition in the scanning engine itself requires a platform-level update, not a signature push.
The Race Condition
RoguePlanet targets a race condition in Microsoft Defender's real-time scanning and remediation mechanism. The exploit was originally developed as a remote code execution (RCE) vulnerability that exploited Defender's handling of files hosted on remote SMB shares [1]. However, Microsoft silently hardened Defender in mid-May by patching the "mpengine!SysIO*" API, which blocked junction attacks and broke the RCE vector [1]. Nightmare Eclipse subsequently rewrote the exploit as a local privilege escalation (LPE) using a different code path.
The current LPE exploit works as follows, based on ThreatLocker's analysis: the exploit writes an EICAR test signature to a fake wermgr.exe file to trigger Defender's real-time remediation. It then monitors for the creation of a new HardDiskVolumeShadowCopy device and requests an oplock on the file's alternate data stream, creating a favorable timing window in Defender's remediation process. If the race condition is won, the result is that C:\Windows\System32\wermgr.exe is replaced with a copy of the attacker's payload.
Because Defender's scanning and remediation service runs as NT AUTHORITY\SYSTEM, the attacker's payload inherits those privileges [1].
Privilege Escalation Path
The practical result is straightforward. An attacker with standard user access on a Windows endpoint can trigger the race condition and obtain a SYSTEM-level command prompt [1]. From SYSTEM, every standard post-exploitation technique is available: credential dumping, persistence installation, lateral movement preparation, security tool tampering, and data exfiltration.
This is a local privilege escalation (LPE). The attacker needs an initial foothold on the target system first. That said, LPE vulnerabilities in security software are extremely valuable to threat actors because they collapse two steps (initial access + privilege escalation) into a rapid chain. Pair RoguePlanet with any commodity initial access vector (phishing, browser exploit, exposed RDP) and the attacker reaches SYSTEM in seconds.
Affected Systems
ThreatLocker confirmed the exploit works on fully patched Windows 11 with KB5094126 installed [1]. The vulnerability exists in the Defender engine itself, meaning Windows 10 systems running current Defender versions are also affected [1]. Any Windows endpoint relying on Microsoft Defender as the primary AV/EDR layer should be considered vulnerable until Microsoft ships a fix.
CVE Status and Source Conflicts
There is significant source confusion around CVE-2026-47281. Some outlets (threat-modeling.com, OpenVPN blog, Canadian Cyber Security Journal) associate this CVE with RoguePlanet, but Microsoft's official June Patch Tuesday listing identifies CVE-2026-47281 as a Visual Studio Code elevation-of-privilege vulnerability. The primary reporting from BleepingComputer, SecurityWeek, and ThreatLocker does not assign a CVE number to RoguePlanet [1]. We assess that the RoguePlanet Defender race condition does not yet have an assigned CVE. Defenders should treat RoguePlanet as unpatched and without an assigned CVE.
MITRE ATT&CK Mapping
| Technique ID | Technique Name | Relevance |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | RoguePlanet is a local privilege escalation from standard user to SYSTEM via a Defender race condition [1] |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Post-exploitation: SYSTEM access via the security tool itself enables subsequent defense evasion; SYSTEM access allows disabling Defender entirely |
| T1003 | OS Credential Dumping | Post-exploitation: SYSTEM-level access enables dumping of SAM database, LSA secrets, and cached credentials |
Detection and Hunting
Detecting RoguePlanet exploitation requires watching for behaviors that standard signature-based detection will not catch, especially since the affected product is the detection tool itself.
Volume Shadow Copy and wermgr.exe Monitoring (Primary): The current exploit mechanism involves triggering Volume Shadow Copy creation and replacing C:\Windows\System32\wermgr.exe. Monitor for unexpected VSS activity (Windows Event IDs 8193/8194 from the VSS provider) and any non-Windows-Update process writing to or replacing wermgr.exe. Sysmon Event ID 11 (FileCreate) targeting C:\Windows\System32\wermgr.exe from a non-trusted process is a high-fidelity indicator.
EICAR Test File Creation: The exploit uses an EICAR test signature as a lure to trigger Defender remediation. Monitor for EICAR string creation in unexpected contexts, particularly in temporary directories or files named wermgr.exe. Defender itself should detect and remediate EICAR, so rapid create-detect-remediate cycles in unusual paths may indicate exploitation attempts.
Defender Service Anomalies: Monitor for unexpected restarts, crashes, or high CPU spikes in the MsMpEng.exe process. The race condition requires rapid file operations that can cause observable scanning engine instability. Alert on Windows Event ID 1002 (application hang) and Event ID 1000 (application error) for MsMpEng.exe.
SMB Activity Patterns (Secondary, for original RCE vector): The original (pre-May-patch) exploit vector involved files on remote SMB shares [1]. While the current public LPE does not use this vector, hunting for unusual SMB connections from endpoints to internal or external file shares remains prudent for detecting potential RCE variants.
SYSTEM-Level Process Spawning: The exploit produces a SYSTEM-level cmd.exe or equivalent shell. Monitor for cmd.exe or powershell.exe processes spawned as children of MsMpEng.exe or MpCmdRun.exe. These parent-child relationships are abnormal and should generate high-fidelity alerts. Sysmon Event ID 1 with ParentImage containing MsMpEng.exe and User equal to SYSTEM is a strong signal.
Oplock and Alternate Data Stream Activity: The exploit uses oplocks on alternate data streams to create the race condition. Monitor for unusual oplock requests on ADS, particularly in combination with Defender scan activity. This requires advanced filesystem monitoring capabilities.
Application Allowlisting Logs: ThreatLocker CEO Danny Jenkins stated that organizations using application allowlisting can block the exploit from executing [1]. Organizations running allowlisting solutions should review denial logs for blocked execution attempts originating from Defender's scan directories.
Analysis
Microsoft Defender is the default security tool on every Windows installation, representing a massive attack surface. A reliable LPE in Defender itself turns the primary defensive layer into an attack vector. Enterprise environments running Defender as their sole endpoint protection platform are most exposed.
The public availability of the PoC accelerates the timeline. Threat actors do not need to discover the vulnerability themselves or develop an exploit. The code is available, it has been independently validated by ThreatLocker, and it works on current patch levels [1]. We assess integration into commodity attack toolkits is likely within days to weeks, given the public availability and independent validation of the PoC.
Microsoft's response timeline matters enormously. Defender engine updates can ship outside the normal Patch Tuesday cycle through the Microsoft Defender Antivirus platform update channel. A race condition fix is more complex than a signature update, though. It requires modifying the scanning engine's file handling logic, which means testing across the full Windows version matrix. Based on historical Microsoft response times for Defender engine vulnerabilities, a patch could arrive within one to two weeks, but Microsoft has not provided a public timeline and the actual timeframe remains uncertain.
Organizations running third-party EDR alongside or instead of Defender have a natural buffer. Those relying exclusively on Defender, which includes a significant portion of SMB and mid-market enterprises, face the highest risk.
Red Sheep Assessment
Confidence Level: High
The convergence of factors here is worth spelling out plainly. Nightmare Eclipse has a track record of releasing working Defender zero-days. The PoC is public and independently verified. Microsoft's takedown efforts failed, and the code is hosted on infrastructure Microsoft cannot control. The release timing (immediately post-Patch Tuesday) was designed to maximize the exposure window.
We assess with moderate confidence that this vulnerability was likely known to Microsoft before Patch Tuesday and was not ready for inclusion in the June release. Nightmare Eclipse's decision to release immediately after the patch cycle is consistent with a disclosure timeline that expired or frustration with Microsoft's remediation pace, mirroring the pattern seen with prior Defender zero-days from the same researcher [1].
The contrarian view is that a local privilege escalation, even to SYSTEM, has limited impact because it requires prior access. That is technically true and practically irrelevant. Initial access is the cheapest commodity in the threat actor ecosystem. Phishing kits, info-stealers, and access brokers provide footholds at scale. LPE is the bottleneck that RoguePlanet removes.
Organizations should also consider the trust model implications. Defender runs with the highest privileges on the system and is implicitly trusted by the OS. Vulnerabilities in trusted security components are disproportionately valuable because they bypass the security architecture's fundamental assumptions. This class of bug will continue to attract researcher and adversary attention.
Defender's Checklist
- [ ] Deploy detection for wermgr.exe replacement and VSS abuse. Alert on any non-Windows-Update process writing to C:\Windows\System32\wermgr.exe using Sysmon Event ID 11 (FileCreate) or Windows Security Event ID 4663. Monitor for unexpected Volume Shadow Copy creation via VSS Event IDs 8193/8194.
- [ ] Deploy Sysmon rules to detect anomalous Defender child processes by alerting on ParentImage containing MsMpEng.exe spawning cmd.exe, powershell.exe, or other shells. Example Sysmon config: <ParentImage condition="contains">MsMpEng.exe</ParentImage>.
- [ ] Verify Defender tamper protection is enabled fleet-wide using Get-MpComputerStatus | Select-Object IsTamperProtected via PowerShell or your endpoint management console. Tamper protection raises the exploitation bar for post-SYSTEM persistence.
- [ ] Evaluate application allowlisting as a compensating control since ThreatLocker confirmed this blocks the exploit chain [1]. Organizations not running allowlisting should fast-track evaluation for critical systems.
- [ ] Audit SMB share access from endpoints (secondary priority) by enabling SMB audit logging and hunting for unusual file access patterns. This addresses the original RCE vector (patched by Microsoft's mid-May hardening), not the current LPE. Query: index=windows sourcetype=WinEventLog:Security EventCode=5145 | stats count by src_ip, ShareName | sort -count
- [ ] Subscribe to MSRC notifications at https://msrc.microsoft.com and monitor the Microsoft Defender Antivirus platform update channel at https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus for an out-of-band Defender engine update. Pre-stage your patch deployment pipeline to push the update within hours of release.
References
[1] https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
[2] https://www.threatlocker.com/blog/microsoft-defender-zero-day-rogueplanet-grants-system-privileges
[3] https://www.securityweek.com/new-windows-zero-day-exploit-rogueplanet-released/
[4] https://www.darkreading.com/vulnerabilities-threats/nightmare-eclipse-microsoft-exploit-rogueplanet
Hunt Report: RoguePlanet Zero-Day — Microsoft Defender Race Condition LPE to SYSTEM
Hypothesis: If the RoguePlanet exploit (or derivatives) is being used in our environment, we expect to observe anomalous writes to C:\Windows\System32\wermgr.exe, unexpected Volume Shadow Copy creation, EICAR test signature artifacts in non-test contexts, and SYSTEM-level shell processes spawned as children of MsMpEng.exe in Sysmon, Windows Security, and Defender operational logs.
Intelligence Summary: On 9 June 2026, security researcher Nightmare Eclipse publicly released RoguePlanet, a working zero-day local privilege escalation exploit targeting a race condition in Microsoft Defender's real-time scanning engine. The exploit, independently validated by ThreatLocker on fully patched Windows 10/11 (KB5094126), allows a standard user to replace C:\Windows\System32\wermgr.exe with an attacker payload that inherits NT AUTHORITY\SYSTEM privileges via Defender's remediation service. No patch or CVE has been assigned; the PoC is publicly available and expected to be integrated into commodity attack toolkits imminently.
Confidence: High | Priority: Critical
Scope
- Networks: All Windows endpoints across the enterprise running Microsoft Defender as primary AV/EDR. Priority on endpoints in clinical, administrative, and server segments. Include all Windows 10 and Windows 11 systems regardless of patch level.
- Timeframe: Immediate start with continuous monitoring. Primary retrospective hunt window: 9 June 2026 (exploit public release) through present. Extended window: 15 May 2026 (Microsoft's silent hardening of mpengine SysIO API) through present to catch early exploitation of pre-patch RCE variant. Continue until Microsoft ships Defender platform update addressing the race condition.
- Priority Systems: Domain controllers, medical records systems (AHLTA/MHS GENESIS endpoints), systems with access to PII/PHI, privileged workstations (admin jump boxes), Exchange/email servers running Defender, systems in DMZ segments, endpoints used by high-value personnel (leadership, IT administrators, finance). Any system where Defender is the sole endpoint protection layer.
MITRE ATT&CK Techniques
T1068 — Exploitation for Privilege Escalation (Privilege Escalation) [P1]
RoguePlanet exploits a race condition in Microsoft Defender's real-time remediation to replace wermgr.exe with an attacker payload, gaining SYSTEM privileges. The exploit writes an EICAR test signature to trigger Defender scanning, monitors for HardDiskVolumeShadowCopy creation, requests an oplock on the file's alternate data stream, and wins the race to replace the legitimate system binary.
Splunk SPL:
index=windows (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetFilename="C:\\Windows\\System32\\wermgr.exe") OR (sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*wermgr.exe*") | eval alert_context=case(EventCode=11, "Sysmon FileCreate", EventCode=4663, "Security ObjectAccess") | eval writer=coalesce(Image, ProcessName) | where NOT match(writer, "(?i)(TrustedInstaller|TiWorker|msiexec|svchost)") | table _time, host, writer, ProcessId, TargetFilename, ObjectName, alert_context | sort -_time
Elastic KQL:
((event.code:"11" AND file.path:"C\:\\Windows\\System32\\wermgr.exe") OR (event.code:"4663" AND winlog.event_data.ObjectName:"*wermgr.exe*")) AND NOT process.executable:(*TrustedInstaller* OR *TiWorker* OR *msiexec*)
Sigma Rule:
```yaml
title: RoguePlanet - Suspicious wermgr.exe File Replacement
id: a1e2f3c4-d5b6-4a7e-8c9d-0e1f2a3b4c5d
status: experimental
author: RedSheep Security/Stone
date: 2026/06/11
description: Detects non-trusted processes writing to or replacing C:\Windows\System32\wermgr.exe, a key indicator of the RoguePlanet Defender race condition exploit.
references:
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
  - https://www.threatlocker.com/blog/microsoft-defender-zero-day-rogueplanet-grants-system-privileges
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith: '\wermgr.exe'
    TargetFilename|startswith: 'C:\Windows\System32'
  filter_trusted:
    Image|contains:
      - 'TrustedInstaller'
      - 'TiWorker'
      - 'msiexec'
      - 'svchost'
      - 'WinSxS'
  condition: selection and not filter_trusted
falsepositives:
  - Windows Update or servicing stack operations not covered by filter
  - System imaging or deployment tools
level: critical
tags:
  - attack.privilege_escalation
  - attack.t1068
```
This is the highest-fidelity detection for RoguePlanet. wermgr.exe (Windows Error Reporting Manager) is rarely written to outside Windows Update. Any non-servicing-stack write is highly suspicious. Tune filter for your patching tools (SCCM, Intune, etc.).
T1068 — Exploitation for Privilege Escalation (Privilege Escalation) [P2]
The RoguePlanet exploit triggers Volume Shadow Copy creation as part of the race condition exploitation chain. Unexpected VSS activity on workstations, particularly in close temporal proximity to wermgr.exe modifications, is a strong indicator of exploitation.
Splunk SPL:
index=windows sourcetype="WinEventLog:Application" (EventCode=8193 OR EventCode=8194) SourceName="VSS" | bucket _time span=5m | stats count by _time, host | where count > 2 | join type=left host [search index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetFilename="*wermgr.exe*" | table _time, host, Image] | table _time, host, count, Image
Elastic KQL:
event.code:("8193" OR "8194") AND winlog.provider_name:"VSS"
Sigma Rule:
```yaml
title: RoguePlanet - Unexpected Volume Shadow Copy Activity on Workstation
id: b2f3e4d5-c6a7-4b8f-9d0e-1f2a3b4c5d6e
status: experimental
author: RedSheep Security/Stone
date: 2026/06/11
description: Detects unexpected Volume Shadow Copy provider events that may indicate RoguePlanet exploitation. VSS activity on workstations is uncommon outside backup windows.
references:
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
logsource:
  product: windows
  service: application
detection:
  selection:
    Provider_Name: 'VSS'
    EventID:
      - 8193
      - 8194
  condition: selection
falsepositives:
  - Legitimate backup software (Veeam, Commvault, Windows Backup)
  - System Restore point creation
level: medium
tags:
  - attack.privilege_escalation
  - attack.t1068
```
VSS events alone are medium fidelity. Correlate with wermgr.exe writes and EICAR detections within a 60-second window for high confidence. Filter backup software and System Restore scheduled tasks. Focus on workstations, not servers running backup agents.
T1068 — Exploitation for Privilege Escalation (Privilege Escalation) [P1]
The exploit writes an EICAR test signature to a fake wermgr.exe file to trigger Defender's real-time remediation. EICAR detections in non-test contexts, especially in System32 or temp directories with filenames matching system binaries, are strong indicators of RoguePlanet exploitation attempts.
Splunk SPL:
index=windows sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode=1116 OR EventCode=1117) ThreatName="*EICAR*" | eval suspicious=if(match(Path, "(?i)(wermgr|System32|temp|appdata)"), "YES", "NO") | where suspicious="YES" | table _time, host, ThreatName, Path, Action, ProcessName | sort -_time
Elastic KQL:
(event.code:"1116" OR event.code:"1117") AND winlog.provider_name:"Microsoft-Windows-Windows Defender" AND winlog.event_data.ThreatName:*EICAR* AND (winlog.event_data.Path:*wermgr* OR winlog.event_data.Path:*System32* OR winlog.event_data.Path:*Temp*)
Sigma Rule:
```yaml
title: RoguePlanet - EICAR Test Signature in Suspicious Context
id: c3a4b5d6-e7f8-4c9d-0a1b-2c3d4e5f6a7b
status: experimental
author: RedSheep Security/Stone
date: 2026/06/11
description: Detects Microsoft Defender detecting EICAR test signatures in paths associated with system binaries or temp directories, indicating possible RoguePlanet exploitation.
references:
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
logsource:
  product: windows
  service: windefend
detection:
  selection_event:
    EventID:
      - 1116
      - 1117
  selection_eicar:
    ThreatName|contains: 'EICAR'
  selection_path:
    Path|contains:
      - 'wermgr'
      - 'System32'
      - '\\Temp\\'
  condition: selection_event and selection_eicar and selection_path
falsepositives:
  - Legitimate security testing using EICAR in System32 paths (very rare)
  - Red team exercises
level: critical
tags:
  - attack.privilege_escalation
  - attack.t1068
```
EICAR in System32 or near system binary names should never occur in production. This detection has very low false positive rates. Coordinate with red team/pentest schedules to whitelist authorized EICAR testing.
T1068 — Exploitation for Privilege Escalation (Privilege Escalation) [P1]
Successful RoguePlanet exploitation produces a SYSTEM-level shell (cmd.exe, powershell.exe) as a child process of MsMpEng.exe or MpCmdRun.exe. This parent-child relationship is never legitimate and represents the highest-fidelity detection for successful exploitation.
Splunk SPL:
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (ParentImage="*MsMpEng.exe" OR ParentImage="*MpCmdRun.exe") (Image="*cmd.exe" OR Image="*powershell.exe" OR Image="*pwsh.exe" OR Image="*conhost.exe" OR Image="*wscript.exe" OR Image="*cscript.exe" OR Image="*mshta.exe" OR Image="*rundll32.exe" OR Image="*regsvr32.exe") | table _time, host, User, ParentImage, ParentProcessId, Image, CommandLine, ProcessId | sort -_time
Elastic KQL:
event.code:"1" AND process.parent.executable:(*MsMpEng.exe OR *MpCmdRun.exe) AND process.executable:(*cmd.exe OR *powershell.exe OR *pwsh.exe OR *wscript.exe OR *cscript.exe OR *mshta.exe OR *rundll32.exe OR *regsvr32.exe)
Sigma Rule:
```yaml
title: RoguePlanet - Shell Process Spawned by Microsoft Defender Engine
id: d4b5c6e7-f8a9-4d0e-1b2c-3d4e5f6a7b8c
status: experimental
author: RedSheep Security/Stone
date: 2026/06/11
description: Detects shell or scripting engine processes spawned as children of MsMpEng.exe or MpCmdRun.exe, indicating successful RoguePlanet exploitation or similar Defender abuse.
references:
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
  - https://www.threatlocker.com/blog/microsoft-defender-zero-day-rogueplanet-grants-system-privileges
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\MsMpEng.exe'
      - '\MpCmdRun.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\conhost.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\bash.exe'
  condition: selection_parent and selection_child
falsepositives:
  - None known. MsMpEng.exe should never spawn interactive shells.
level: critical
tags:
  - attack.privilege_escalation
  - attack.t1068
  - attack.execution
  - attack.t1059
```
This is effectively a zero-false-positive detection. MsMpEng.exe should NEVER spawn cmd.exe, powershell.exe, or scripting engines. Any hit is confirmed malicious or warrants immediate investigation. Ensure Sysmon is capturing ParentImage fields correctly.
T1562.001 — Impair Defenses: Disable or Modify Tools (Defense Evasion) [P2]
After achieving SYSTEM via RoguePlanet, attackers can disable or tamper with Microsoft Defender itself. Monitor for Defender service stops, tamper protection bypass, or configuration changes from unexpected processes.
Splunk SPL:
index=windows (sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode=5001 OR EventCode=5010 OR EventCode=5012 OR EventCode=5013 OR EventCode=5101)) OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="*Set-MpPreference*DisableRealtimeMonitoring*") OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13 TargetObject="*Windows Defender*DisableAntiSpyware*") | table _time, host, EventCode, Message, CommandLine, Image, TargetObject | sort -_time
Elastic KQL:
(event.code:("5001" OR "5010" OR "5012" OR "5013" OR "5101") AND winlog.provider_name:"Microsoft-Windows-Windows Defender") OR (event.code:"1" AND process.command_line:*Set-MpPreference*DisableRealtimeMonitoring*) OR (event.code:"13" AND registry.path:*DisableAntiSpyware*)
Sigma Rule:
title: Post-Exploitation Defender Tampering After RoguePlanet
id: e5c6d7f8-a9b0-4e1f-2c3d-4e5f6a7b8c9d
status: experimental
author: RedSheep Security/Stone
date: 2026/06/11
description: Detects Microsoft Defender being disabled or tampered with, which is an expected post-exploitation action after gaining SYSTEM via RoguePlanet.
references:
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
logsource:
  product: windows
  service: windefend
detection:
  selection:
    EventID:
      - 5001
      - 5010
      - 5012
      - 5013
      - 5101
  condition: selection
falsepositives:
  - Legitimate Defender management via GPO or Intune
  - Third-party AV installation replacing Defender
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
Correlate Defender disablement events with wermgr.exe replacement or anomalous Defender child processes within a 5-minute window. Defender disablement alone is medium fidelity; combined with RoguePlanet indicators it becomes critical.
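The two detections above (Defender-spawned shells, and Defender disablement within a 5-minute window of one) as a host-level PowerShell hunt, added here as an example and not part of the report or its rule set. It assumes Sysmon is installed, that it runs elevated so both event logs are readable, and the 24-hour lookback default is an arbitrary constructed value.

```powershell
# Added example (not from the report): hunt the local Sysmon and Defender logs for
# shell processes spawned by the Defender engine, then correlate each hit with a
# Defender "real-time protection disabled" event (ID 5001) within 5 minutes.
# Assumes Sysmon is installed and the script runs elevated. Lookback is a constructed default.
param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)
$defenderParents = '\MsMpEng.exe', '\MpCmdRun.exe'
$shellChildren   = '\cmd.exe', '\powershell.exe', '\pwsh.exe', '\conhost.exe',
                   '\wscript.exe', '\cscript.exe', '\mshta.exe', '\rundll32.exe',
                   '\regsvr32.exe', '\bash.exe'

# Sysmon Event ID 1 (ProcessCreate): flatten the EventData fields into objects.
$procEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time            = $_.TimeCreated
        ParentImage     = $data['ParentImage']
        ParentProcessId = $data['ParentProcessId']
        Image           = $data['Image']
        ProcessId       = $data['ProcessId']
        User            = $data['User']
        CommandLine     = $data['CommandLine']
    }
}

# Same predicate as the Sigma rule: Defender engine parent AND shell/script child.
$suspicious = $procEvents | Where-Object {
    $parent = $_.ParentImage; $child = $_.Image
    [bool]($defenderParents | Where-Object { $parent -like "*$_" }) -and
    [bool]($shellChildren   | Where-Object { $child  -like "*$_" })
}

# Defender Event ID 5001 = real-time protection disabled.
$disableEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001; StartTime = $since
} -ErrorAction SilentlyContinue

$results = foreach ($hit in $suspicious) {
    # A 5001 within 5 minutes of the shell spawn is the correlation the report calls for.
    $nearby = @($disableEvents | Where-Object {
        [math]::Abs(($_.TimeCreated - $hit.Time).TotalMinutes) -le 5
    })
    $severity = if ($nearby.Count -gt 0) { 'CRITICAL' } else { 'HIGH' }
    $hit | Add-Member -NotePropertyName Severity -NotePropertyValue $severity -PassThru
}
$results | Sort-Object Time -Descending | Format-Table -AutoSize
```

Any row at all is actionable per the report; rows marked CRITICAL are the ones where Defender was also switched off around the spawn time.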
T1003 — OS Credential Dumping (Credential Access) [P2]
SYSTEM-level access obtained via RoguePlanet enables credential dumping of SAM, LSA secrets, NTDS, and cached credentials. Monitor for post-exploitation credential harvesting tools and techniques.
Splunk SPL:
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10 TargetImage="*lsass.exe" GrantedAccess IN ("0x1010", "0x1038", "0x1fffff", "0x143a") | eval suspicious_caller=if(match(SourceImage, "(?i)(mimikatz|procdump|taskmgr|comsvcs|rundll32|notepad|cmd|powershell)"), "HIGH", "MEDIUM") | table _time, host, SourceImage, SourceProcessId, TargetImage, GrantedAccess, suspicious_caller | sort -_time
Elastic KQL:
event.code:"10" AND winlog.event_data.TargetImage:*lsass.exe AND winlog.event_data.GrantedAccess:("0x1010" OR "0x1038" OR "0x1fffff" OR "0x143a")
Sigma Rule:
title: LSASS Access After Potential RoguePlanet Exploitation
id: f6d7e8a9-b0c1-4f2a-3b4c-5d6e7f8a9b0c
status: experimental
author: RedSheep Security/Stone
date: 2026/06/11
description: Detects suspicious access to LSASS process memory, which is an expected post-exploitation action after gaining SYSTEM privileges via RoguePlanet.
references:
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess|contains:
      - '0x1010'
      - '0x1038'
      - '0x1fffff'
      - '0x143a'
  filter_legitimate:
    SourceImage|endswith:
      - '\MsMpEng.exe'
      - '\csrss.exe'
      - '\wmiprvse.exe'
      - '\svchost.exe'
  condition: selection and not filter_legitimate
falsepositives:
  - Security products accessing LSASS for scanning
  - Legitimate system diagnostics tools
level: high
tags:
  - attack.credential_access
  - attack.t1003.001
Correlate LSASS access with RoguePlanet exploitation indicators (wermgr.exe replacement, Defender child process shells) for high-confidence detections. Ensure Sysmon ProcessAccess logging is enabled for lsass.exe.
T1068 — Exploitation for Privilege Escalation (Privilege Escalation) [P2]
Monitor for Defender engine crashes and hangs that may indicate race condition exploitation attempts. The exploit's rapid file operations can cause observable instability in MsMpEng.exe.
Splunk SPL:
index=windows sourcetype="WinEventLog:Application" (EventCode=1000 OR EventCode=1002) Application_Name="MsMpEng.exe" | bucket _time span=1h | stats count as crash_count by _time, host | where crash_count >= 2 | table _time, host, crash_count
Elastic KQL:
(event.code:"1000" OR event.code:"1002") AND winlog.event_data.Application:*MsMpEng.exe*
Sigma Rule:
title: RoguePlanet - Microsoft Defender Engine Crash or Hang
id: a7e8f9b0-c1d2-4a3b-5c6d-7e8f9a0b1c2d
status: experimental
author: RedSheep Security/Stone
date: 2026/06/11
description: Detects MsMpEng.exe application errors or hangs that may indicate RoguePlanet race condition exploitation attempts causing Defender engine instability.
references:
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
logsource:
  product: windows
  service: application
detection:
  selection:
    EventID:
      - 1000
      - 1002
    Application|contains: 'MsMpEng'
  condition: selection
falsepositives:
  - Legitimate Defender engine updates
  - Resource exhaustion on busy servers
level: medium
tags:
  - attack.privilege_escalation
  - attack.t1068
MsMpEng.exe crashes are relatively rare on healthy systems. Multiple crashes in a short window (2+ per hour) should trigger investigation. Correlate with other RoguePlanet indicators. Single crashes may be benign.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | projectnightcrawler.dev | Self-hosted Git repository used by Nightmare Eclipse to host the RoguePlanet exploit code, specifically chosen to avoid platform-level takedowns by GitHub/GitLab. |
| filename | wermgr.exe | The RoguePlanet exploit replaces C:\Windows\System32\wermgr.exe with an attacker payload. The legitimate wermgr.exe is the Windows Error Reporting Manager. Any unauthorized modification to this file is a critical indicator. |
| filename | EICAR test signature | The exploit writes an EICAR test string (X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*) to a fake wermgr.exe to trigger Defender's real-time remediation engine. |
IOC Sweep Queries (Splunk):
index=* (sourcetype=dns OR sourcetype=proxy OR sourcetype=web OR sourcetype=stream:dns OR sourcetype=pan:traffic) (query="*projectnightcrawler.dev*" OR url="*projectnightcrawler.dev*" OR dest="*projectnightcrawler.dev*" OR host="*projectnightcrawler.dev*" OR dest_host="*projectnightcrawler.dev*") | table _time, src_ip, dest_ip, query, url, action | sort -_time
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetFilename="C:\\Windows\\System32\\wermgr.exe" | where NOT match(Image, "(?i)(TrustedInstaller|TiWorker|msiexec|svchost|wuauclt|UsoClient)") | table _time, host, Image, ProcessId, TargetFilename
index=windows sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode=1116 OR EventCode=1117) ThreatName="*EICAR*" | table _time, host, ThreatName, Path, Action, ProcessName | sort -_time
YARA Rules
RoguePlanet_EICAR_WermgrExploit — Detects files containing the EICAR test string in combination with wermgr.exe references or Windows Error Reporting artifacts, which may indicate RoguePlanet exploit staging files.
rule RoguePlanet_EICAR_WermgrExploit
{
    meta:
        author = "RedSheep Security/Stone"
        description = "Detects potential RoguePlanet exploit staging: EICAR test string combined with wermgr references"
        date = "2026-06-11"
        reference = "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/"
        severity = "critical"
    strings:
        $eicar = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" ascii wide
        $wermgr1 = "wermgr" ascii wide nocase
        $wermgr2 = "WerFault" ascii wide nocase
        $shadowcopy = "HardDiskVolumeShadowCopy" ascii wide
        $oplock = "oplock" ascii wide nocase
        $mpengine = "mpengine" ascii wide nocase
    condition:
        $eicar and (any of ($wermgr*) or $shadowcopy or $oplock or $mpengine)
}
RoguePlanet_ExploitTool — Detects potential RoguePlanet exploit tool binaries or scripts based on unique string combinations related to the Defender race condition exploitation chain.
rule RoguePlanet_ExploitTool
{
    meta:
        author = "RedSheep Security/Stone"
        description = "Detects RoguePlanet exploit tool artifacts targeting Microsoft Defender race condition"
        date = "2026-06-11"
        reference = "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/"
        severity = "critical"
    strings:
        $s1 = "RoguePlanet" ascii wide nocase
        $s2 = "NightmareEclipse" ascii wide nocase
        $s3 = "Nightmare Eclipse" ascii wide nocase
        $s4 = "ChaoticEclipse" ascii wide nocase
        $s5 = "DeadEclipse" ascii wide nocase
        $s6 = "projectnightcrawler" ascii wide nocase
        $technique1 = "HardDiskVolumeShadowCopy" ascii wide
        $technique2 = "MsMpEng" ascii wide
        $technique3 = "wermgr.exe" ascii wide
        $technique4 = "EICAR" ascii wide
        $technique5 = "mpengine" ascii wide nocase
        $technique6 = "SysIO" ascii wide
    condition:
        any of ($s*) or (3 of ($technique*))
}
Suricata Rules
SID 2026061101 — Detects DNS lookup for projectnightcrawler.dev, the self-hosted repository hosting RoguePlanet exploit code
alert dns $HOME_NET any -> any any (msg:"HUNT RoguePlanet - DNS Lookup for projectnightcrawler.dev"; dns.query; content:"projectnightcrawler.dev"; nocase; classtype:trojan-activity; sid:2026061101; rev:1; metadata:created_at 2026_06_11, updated_at 2026_06_11;)
SID 2026061102 — Detects HTTP/TLS connection to projectnightcrawler.dev, indicating potential RoguePlanet exploit download
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HUNT RoguePlanet - HTTP Request to projectnightcrawler.dev"; http.host; content:"projectnightcrawler.dev"; nocase; classtype:trojan-activity; sid:2026061102; rev:1; metadata:created_at 2026_06_11, updated_at 2026_06_11;)
SID 2026061103 — Detects TLS SNI connection to projectnightcrawler.dev for exploit code retrieval
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"HUNT RoguePlanet - TLS SNI to projectnightcrawler.dev"; tls.sni; content:"projectnightcrawler.dev"; nocase; classtype:trojan-activity; sid:2026061103; rev:1; metadata:created_at 2026_06_11, updated_at 2026_06_11;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1068, T1562.001, T1003 | Sysmon must be deployed with EventID 1 (ProcessCreate), EventID 10 (ProcessAccess targeting lsass.exe), EventID 11 (FileCreate for System32), and EventID 13 (RegistryValueSet). Ensure ParentImage field is populated. Recommended: deploy SwiftOnSecurity or Olaf Hartong Sysmon config with critical path monitoring for C:\Windows\System32\wermgr.exe. |
| Windows Security Event Log | T1068, T1003 | Requires audit policies: Object Access (4663) for file integrity monitoring on wermgr.exe, Process Creation (4688) with command-line logging enabled, Logon Events (4624/4625). Enable command-line process auditing via GPO: Computer Configuration > Administrative Templates > System > Audit Process Creation. |
| Microsoft Defender Operational Log | T1068, T1562.001 | Microsoft-Windows-Windows Defender/Operational log. Required events: 1116 (Malware detection), 1117 (Action taken), 5001 (Real-time protection disabled), 5010/5012/5013 (Configuration changes), 5101 (Engine errors). Ensure log is forwarded to SIEM and not just local. |
| Windows Application Event Log | T1068 | EventID 1000 (Application Error) and 1002 (Application Hang) for MsMpEng.exe crash detection. Forward to SIEM with appropriate retention. |
| VSS Event Log | T1068 | Volume Shadow Copy Service events 8193/8194 from Application log. These indicate VSS provider activity that RoguePlanet triggers as part of the exploitation chain. |
| DNS Logs | T1068 | Required for IOC sweeps against projectnightcrawler.dev. Passive DNS, DNS server query logs, or Sysmon EventID 22 (DNS Query). |
| Proxy/Web Logs | T1068 | Required for detecting downloads from projectnightcrawler.dev. Ensure SSL inspection is enabled for full URL visibility. |
| SMB Audit Logs | T1068 | Windows Security EventID 5145 (Detailed File Share). Required for detecting the original RCE vector involving remote SMB shares. Lower priority since current public exploit is LPE, but variants may reuse SMB vector. |
Recommendations
- IMMEDIATE (P1): Deploy all Sigma rules and Splunk/Elastic queries from this report across production SIEM instances. The MsMpEng.exe child process detection (Sigma rule d4b5c6e7) and wermgr.exe file replacement detection (Sigma rule a1e2f3c4) are zero/near-zero false positive and should generate immediate SOC alerts.
- IMMEDIATE (P1): Validate Sysmon deployment fleet-wide with EventID 1 (ProcessCreate with ParentImage), EventID 10 (ProcessAccess for lsass.exe), and EventID 11 (FileCreate for C:\Windows\System32\) enabled. Systems without Sysmon are blind to the highest-fidelity RoguePlanet detections.
- IMMEDIATE (P1): Block projectnightcrawler.dev at DNS, proxy, and firewall layers. Deploy Suricata rules SID 2026061101-2026061103 on network sensors.
- IMMEDIATE (P1): Verify Defender Tamper Protection is enabled fleet-wide via Get-MpComputerStatus | Select-Object IsTamperProtected. Tamper Protection does not prevent RoguePlanet exploitation but raises the bar for post-exploitation Defender disablement.
- SHORT-TERM (P1): Conduct a fleet-wide hash validation of C:\Windows\System32\wermgr.exe against known-good Microsoft baselines. Any non-Microsoft-signed wermgr.exe is a confirmed compromise indicator.
- SHORT-TERM (P1): Subscribe to MSRC notifications (https://msrc.microsoft.com) and the Defender platform update channel. Pre-stage deployment pipeline to push the Defender engine update within 4 hours of release. This is a platform update, not a signature push — standard Defender signature update channels will not deliver this fix.
- SHORT-TERM (P2): Evaluate and fast-track application allowlisting deployment (e.g., ThreatLocker, Airlock Digital, AppLocker) on critical systems. ThreatLocker confirmed allowlisting blocks the RoguePlanet exploit chain.
- SHORT-TERM (P2): For organizations with third-party EDR deployed alongside Defender, verify the third-party EDR can detect wermgr.exe replacement and anomalous Defender child processes independently of Defender itself. The compromised tool cannot be relied upon to detect its own exploitation.
- MEDIUM-TERM (P2): Audit SMB share access from endpoints using Windows Security EventID 5145 to detect potential use of the original RCE vector (patched in mid-May 2026 via mpengine SysIO API hardening). While the current public exploit is LPE-only, variants may revert to the SMB-based RCE path on systems with older Defender engine versions.
- MEDIUM-TERM (P3): Review and baseline Defender engine crash rates (Application EventID 1000/1002 for MsMpEng.exe) across the fleet to establish normal thresholds. Elevated crash rates on specific endpoints may indicate failed exploitation attempts.
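The wermgr.exe integrity and Tamper Protection checks from the recommendations above as a single per-endpoint triage script, added here as an example and not part of the report. It assumes it runs elevated on the endpoint; the expected-hash parameter is a placeholder to be filled from a known-good Microsoft baseline.

```powershell
# Added example (not from the report): endpoint triage for the SHORT-TERM and
# IMMEDIATE items above. Checks that C:\Windows\System32\wermgr.exe carries a valid
# Microsoft Authenticode signature, records its SHA256 for fleet comparison, and
# confirms Defender Tamper Protection / real-time protection are on.
# $ExpectedSha256 is a placeholder until filled from a known-good baseline.
param([string]$ExpectedSha256 = '<KNOWN-GOOD-SHA256-FROM-BASELINE>')

$path = Join-Path $env:SystemRoot 'System32\wermgr.exe'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Authenticode: status must be Valid and the signer must be Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $path
$signer = $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
    $findings.Add("wermgr.exe signature check FAILED: status=$($sig.Status) signer=$signer")
}

# 2. Hash vs. fleet baseline (skipped while the placeholder is still in place).
$hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
if ($ExpectedSha256 -notlike '<*>' -and $hash -ne $ExpectedSha256) {
    $findings.Add("wermgr.exe SHA256 $hash does not match baseline $ExpectedSha256")
}

# 3. Ownership: System32 binaries are owned by NT SERVICE\TrustedInstaller.
$owner = (Get-Acl -Path $path).Owner
if ($owner -notmatch 'TrustedInstaller') {
    $findings.Add("wermgr.exe owner is '$owner', expected NT SERVICE\TrustedInstaller")
}

# 4. Defender status: tamper protection, real-time protection, engine version.
$mp = Get-MpComputerStatus
if (-not $mp.IsTamperProtected) { $findings.Add('Defender Tamper Protection is DISABLED') }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is OFF') }

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    WermgrSha256     = $hash
    WermgrSigner     = $signer
    WermgrOwner      = $owner
    AMEngineVersion  = $mp.AMEngineVersion
    AMProductVersion = $mp.AMProductVersion
    TamperProtected  = $mp.IsTamperProtected
    Findings         = if ($findings.Count) { $findings -join '; ' } else { 'none' }
}
```

Collecting the output objects fleet-wide gives the hash distribution needed to spot the outlier wermgr.exe, and AMEngineVersion tracks which endpoints have received the Defender platform update once Microsoft ships it.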