Analytics Story: BlueHammer
Description
Detect activity associated with the BlueHammer exploit. Released by Nightmare-Eclipse on GitHub alongside RedSun and UnDefend, it is part of a set of attacks that abuse Windows Defender to disrupt the system or elevate privileges.
Why it matters
BlueHammer is a Windows local privilege escalation (LPE) exploit that allows a threat actor who already has a foothold on a system to elevate from a low-privileged user account to full SYSTEM-level control. It abuses the Windows Defender update process via Volume Shadow Copy, using Cloud Files callbacks and oplocks to pause Defender at a critical moment — exposing the SAM, SYSTEM, and SECURITY registry hives. This enables an attacker to read the SAM database, decrypt NTLM password hashes, take over a local administrator account, and spawn a SYSTEM-level shell, while restoring the original hash to avoid detection.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4723 | | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 11 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 15 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 23 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4724 | | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 22 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
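As an added example, not part of this story and not one of Splunk's own detections: a small correlation over the Security 4723/4724 events listed above that flags an account whose password is changed or reset twice in a short window by a subject other than the account itself, which is the take-over-then-restore pattern described in the "Why it matters" section. The events, field names and timestamps are constructed to mirror what a search over XmlWinEventLog:Security would extract.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry) using the field names
# Splunk extracts from XmlWinEventLog:Security for 4723/4724.
SAMPLE_EVENTS = [
    {"EventCode": "4624", "TimeCreated": "2026-04-01T10:00:00",
     "SubjectUserName": "lowpriv", "TargetUserName": "lowpriv"},
    # Reset of a local admin account by a different, low-privileged subject...
    {"EventCode": "4724", "TimeCreated": "2026-04-01T10:02:10",
     "SubjectUserName": "lowpriv", "TargetUserName": "Administrator"},
    # ...followed shortly by a second reset of the same account (restore).
    {"EventCode": "4724", "TimeCreated": "2026-04-01T10:03:05",
     "SubjectUserName": "lowpriv", "TargetUserName": "Administrator"},
    # A user changing their own password once: benign, must not be flagged.
    {"EventCode": "4723", "TimeCreated": "2026-04-01T11:30:00",
     "SubjectUserName": "alice", "TargetUserName": "alice"},
]

# 4723 = attempt to change a password, 4724 = attempt to reset a password.
PASSWORD_EVENTS = {"4723", "4724"}


def find_reset_restore_pairs(events, window=timedelta(minutes=10)):
    """Return (target, subject, first_time, second_time) tuples for accounts
    whose password was changed/reset twice within `window`, where the first
    change was performed by a subject other than the target account."""
    by_target = defaultdict(list)
    for e in events:
        if e["EventCode"] in PASSWORD_EVENTS:
            by_target[e["TargetUserName"]].append(e)

    hits = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for first, second in zip(evs, evs[1:]):
            t1 = datetime.fromisoformat(first["TimeCreated"])
            t2 = datetime.fromisoformat(second["TimeCreated"])
            if t2 - t1 <= window and first["SubjectUserName"] != target:
                hits.append((target, first["SubjectUserName"],
                             first["TimeCreated"], second["TimeCreated"]))
    return hits


if __name__ == "__main__":
    for hit in find_reset_restore_pairs(SAMPLE_EVENTS):
        print("password set-then-restore on %s by %s (%s -> %s)" % hit)
```

A helpdesk reset followed by the user immediately changing their own password also matches, so in production exclude known service-desk subjects and tune the window to your environment.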
References
- http://huntress.com/blog/nightmare-eclipse-intrusion
- https://github.com/Nightmare-Eclipse/BlueHammer
- https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained
Source: GitHub | Version: 1