u/TakesThisSeriously

🔥 Hot ▲ 79 r/windows+2 crossposts

UnDefend: Windows Defender's third zero-day this month blocks all signature updates from a standard user account

Chaotic Eclipse's third Windows Defender zero-day this month. No admin required.

Four independent locking mechanisms in 452 lines of C++: backup files locked before the attack starts (rollback is dead immediately), ReadDirectoryChangesW watches the Definition Updates staging directory with FILE_SHARE_WRITE but no FILE_SHARE_READ (Windows Update can keep writing, MsMpEng.exe gets STATUS_SHARING_VIOLATION on every signature load), NotifyServiceStatusChangeW catches engine restarts during platform updates, and MRTWorkerThread covers the Malicious Software Removal Tool separately.

The README mentions a fifth mechanism the author withheld: a way to lie to the EDR console via MSFT_MpComputerStatus so the dashboard shows current signatures while the real files are locked and stale. Without it: noisy update errors. With it: silent indefinite detection window.

BlueHammer patched Tuesday. RedSun unpatched. UnDefend has no CVE.

nefariousplan.com
u/TakesThisSeriously — 7 hours ago
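A defender-side consistency check, added here as an example (not code from the post, from UnDefend, or from any of the PoCs it mentions): it compares what MSFT_MpComputerStatus reports against the signature files actually on disk, tries to open each file with read sharing to surface sharing violations, and counts recent signature-update failure events. It assumes the default Defender data directory and an elevated PowerShell session.

```powershell
# Assumed default location of the Defender "Definition Updates" staging tree.
$defPath = 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates'

# 1. What the management surface (MSFT_MpComputerStatus) claims.
$status   = Get-MpComputerStatus
$reported = $status.AntivirusSignatureLastUpdated

# 2. Ground truth: the newest signature (.vdm) file on disk.
$vdmFiles = Get-ChildItem -Path $defPath -Recurse -Include *.vdm -File -ErrorAction SilentlyContinue
$newest   = $vdmFiles | Sort-Object LastWriteTime -Descending | Select-Object -First 1

# 3. Open each file with FileShare.ReadWrite. A sharing violation
#    (ERROR_SHARING_VIOLATION = 32, HRESULT 0x80070020) means another
#    handle holds the file open without granting read sharing.
$blocked = @()
foreach ($f in $vdmFiles) {
    try {
        $fs = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite')
        $fs.Dispose()
    } catch [System.IO.IOException] {
        if ($_.Exception.HResult -eq -2147024864) { $blocked += $f.FullName }
    }
}

# 4. Signature-update failures (event 2001) in the Defender operational log
#    over the last 24 hours; 2000 would be the matching success event.
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# 5. Summarise. A large positive ReportVsDiskHours (status claims newer
#    signatures than any file on disk) alongside blocked files is the
#    "dashboard says current, files are stale" condition described above.
$skew = if ($newest) { ($reported - $newest.LastWriteTime).TotalHours } else { $null }
[pscustomobject]@{
    ReportedSignatureTime = $reported
    NewestSignatureFile   = if ($newest) { $newest.FullName } else { '<none found>' }
    NewestFileWriteTime   = if ($newest) { $newest.LastWriteTime } else { $null }
    ReportVsDiskHours     = $skew
    FilesNotReadShareable = $blocked.Count
    BlockedFiles          = $blocked
    UpdateFailures24h     = @($failures).Count
}
```

Run it from a scheduled task or your EDR's script-execution channel rather than relying on the console's own signature-age field, since that field is the value the post says can be spoofed.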
▲ 11 r/windows+2 crossposts

CVE-2026-33825 deep-dive: The researcher commented out the full credential dump. Here's what that means.

Most writeups of BlueHammer describe what it does. I read the actual PoC (FunnyApp.cpp, ~100KB of C++) and the most important line isn't in the oplock setup, the NT object namespace redirect, or the Cloud Files freeze. It's a comment.

The filestoleak array ships with one target active and two commented out:

```cpp
const wchar_t* filestoleak[] = { {L"\\Windows\\System32\\Config\\SAM"}
/*,{L"\\Windows\\System32\\Config\\SYSTEM"},{L"\\Windows\\System32\\Config\\SECURITY"}*/
};
```

SAM alone is a partial dump. The hashes are encrypted with the boot key — which lives in SYSTEM. Without SYSTEM you have ciphertext. With SAM + SYSTEM you have NTLM hashes you can pass-the-hash or crack offline. SECURITY adds LSA secrets: service account credentials, cached domain logon hashes, DPAPI master keys.

The complete credential package is two uncommented lines away from the published PoC. The author wrote both lines and chose what to ship.

Full analysis walks the actual code: the batch oplock on RstrtMgr.dll (not the EICAR file — that's what most writeups get wrong), the NtCreateSymbolicLinkObject swap in the session object namespace (not NTFS symlinks — a different layer entirely), the Cloud Files freeze via a fake OneDrive sync provider named IHATEMICROSOFT, and the undocumented IMpService RPC endpoint that triggers the chain with no elevated privilege required.

nefariousplan.com
u/TakesThisSeriously — 8 hours ago