Executive Summary
On 3 April 2026, a disgruntled security researcher publicly released a working proof-of-concept (PoC) for an unpatched Windows local privilege escalation (LPE) vulnerability dubbed BlueHammer. The flaw combines a time-of-check to time-of-use (TOCTOU) race condition with a path-confusion issue in Windows Defender’s signature-update mechanism. It allows a low-privileged local user to read the SAM database, dump NTLM hashes, and escalate to SYSTEM or elevated administrator rights via pass-the-hash.
A separate GitHub repository (the “SNEK” fork) provides a fully documented reimplementation: complete Visual Studio 2022 build instructions, a vcpkg dependency list, and precompiled binaries (SNEK_BlueWarHammer.exe, Release v1.0.0). The original researcher’s PoC contained bugs and shipped without instructions; the SNEK fork addresses both, removing most technical hurdles to compiling and running the exploit. The exploit does not work reliably on Windows Server editions, and its primary path is non-admin to elevated administrator; full SYSTEM access requires an additional temporary authorization step.
Microsoft has acknowledged the private report but has not issued a patch. The vulnerability remains a zero-day as of this writing.
Technical Details
Vulnerability:
- TOCTOU race condition and path confusion in Windows Defender’s signature-update mechanism (reached via Windows Update Agent COM interfaces), enabling file writes into protected directories and subsequent access to the SAM hive via symbolic links and the Volume Shadow Copy Service (VSS).
Exploit chain (in order):
- Trigger a Defender signature update
- Extract the update cabinet and force a write to a restricted path
- Read the SAM hive and dump NTLM hashes
- Pass-the-hash to spawn an elevated shell
Requirements:
- Local access + running Windows Defender
- No remote exploitation vector
Limitations:
- Unreliable on Windows Server editions
- Timing-dependent on Defender updates
- May fail under modern mitigations or with insufficient rights
- Original PoC contained bugs (addressed in the SNEK reimplementation)
Public status:
- Full build documentation and precompiled Release v1.0.0 binary available.
- Repository interest is low but growing.
- Issue #1 documents real user testing on Windows 10 22H2 (build 19045): the PoC hangs at “Waiting for oplock to trigger” in a VM, triggers Defender behavioral alerts on a physical host, and the reporter asks whether the binary is already signature-detected.
- Community replies emphasize checking the SAM dump output to confirm success and note “Code with agent mode” availability.
Key Takeaways
- A working Windows local privilege escalation zero-day (BlueHammer / Blue-War-Hammer) has been publicly released. The SNEK reimplementation repository provides full Visual Studio 2022 build instructions, dependencies via vcpkg, and a precompiled binary (SNEK_BlueWarHammer.exe v1.0.0), significantly lowering the barrier for script kiddies and low-skill attackers.
- The exploit abuses a TOCTOU race condition and path confusion in Windows Defender’s signature update mechanism, allowing any local user to dump SAM NTLM hashes and escalate privileges on Windows 10/11 client systems via pass-the-hash.
- The vulnerability does not reliably affect Windows Server editions and requires only local access, making it relevant for retail, hospitality, and travel fleets of POS terminals, kiosks, and back-office workstations.
- Public interest is evident. In Issue #1 (“Failed to Run POC”), the reporter tested the PoC on Windows 10 build 19045 and observed it hanging at “Waiting for oplock to trigger” in a VM; on their physical machine it triggered a Windows Defender alert and produced no SYSTEM CMD shell. They asked whether Defender already had a signature for the binary.
- Replies clarified that Defender likely blocked execution behaviorally on the host before the exploit completed, while inside the VM the oplock never triggered because Defender had not accessed the file. Success is indicated by SAM dump/log output rather than by a spawned shell; the shell-spawning mechanic is described as rudimentary and not guaranteed, given the exploit’s unreliability and Defender’s protections. One reply also noted availability of “Code with agent mode.”
- Microsoft has been privately notified but has not issued a patch.
IOCs
Precompiled binary v1.0.0

| Field | Value |
|---|---|
| Filename | SNEK_BlueWarHammer.exe |
| MD5 | 5f9ee4e52da38191c3fdf2da567cc903 |
| SHA1 | c885f1e77f08428cc628d9cb86cf4a10c09dd3b1 |
| SHA256 | c6baa5ec9ea2c2802a90acad5a53453d176a02e04a31ac8e9b7b34b5e3329b84 |
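The following PowerShell script is an added triage example, not code from the advisory or from the PoC repository. It hunts a Windows 10/11 host for the Release v1.0.0 binary using the hashes above, flags same-named files whose hash differs (the repository ships full build instructions, so rebuilt copies will not hash-match), and pulls recent Windows Defender detection events, which is where the behavioral block described in Issue #1 would surface. The scan roots, the 72-hour lookback, and the “BlueWarHammer|BlueHammer” message match are illustrative assumptions; Defender detection names are vendor-chosen and may not contain either string, so every hit in the window should be reviewed.

```powershell
# Added example (not part of the advisory or the PoC repository): hunt a Windows 10/11 host
# for the SNEK_BlueWarHammer.exe Release v1.0.0 binary by hash and list recent Defender detections.
# Assumptions: run in an elevated PowerShell session; $ScanRoots and the 72-hour lookback are
# illustrative values chosen for this example, not taken from the source.

# IOC hashes from the advisory. Get-FileHash returns upper-case hex, so the values are
# normalised to match; MD5/SHA1 are kept for correlation with tooling that only reports those.
$IocHashes = @{
    MD5    = '5F9EE4E52DA38191C3FDF2DA567CC903'
    SHA1   = 'C885F1E77F08428CC628D9CB86CF4A10C09DD3B1'
    SHA256 = 'C6BAA5EC9EA2C2802A90ACAD5A53453D176A02E04A31AC8E9B7B34B5E3329B84'
}

# Locations a low-privileged user can write to (assumed; extend for your environment).
$ScanRoots = @(
    "$env:SystemDrive\Users",
    "$env:ProgramData",
    "$env:SystemRoot\Temp"
)

function Find-BlueHammerBinary {
    param(
        [string[]]$Roots = $ScanRoots,
        [hashtable]$Hashes = $IocHashes
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                $h = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                $hashHit = $h -and ($h.Hash -eq $Hashes.SHA256)
                # A name match without a hash match suggests a copy rebuilt from source
                # (the repository documents the VS2022 build), so report it as well.
                $nameHit = $file.Name -ieq 'SNEK_BlueWarHammer.exe'
                if ($hashHit -or $nameHit) {
                    [pscustomobject]@{
                        Path      = $file.FullName
                        Match     = if ($hashHit) { 'SHA256 (Release v1.0.0)' } else { 'Filename only (possibly rebuilt from source)' }
                        SHA256    = if ($h) { $h.Hash } else { $null }
                        LastWrite = $file.LastWriteTime
                        Owner     = (Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue).Owner
                    }
                }
            }
    }
}

function Get-DefenderDetections {
    param([int]$LookbackHours = 72)
    # Event ID 1116 = malware detected, 1117 = action taken, in the Defender Operational log.
    # Issue #1 reports the PoC being blocked behaviourally on a physical host; such blocks
    # appear here. Detection names are vendor-chosen, so the MentionsPoC flag is only a hint.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary';     Expression = { ($_.Message -split "`r?`n")[0] } },
            @{ Name = 'MentionsPoC'; Expression = { $_.Message -match 'BlueWarHammer|BlueHammer' } }
}

$binaries   = @(Find-BlueHammerBinary)
$detections = @(Get-DefenderDetections)

if ($binaries.Count -eq 0 -and $detections.Count -eq 0) {
    Write-Host 'No IOC hash matches and no Defender detections in the lookback window.'
} else {
    $binaries   | Format-Table -AutoSize
    $detections | Format-Table -AutoSize -Wrap
}
```

Hash matching alone is brittle here: anyone who follows the repository’s build instructions produces a binary with a different hash, which is why the script also reports filename-only hits and Defender detections. For fleet-wide use, run the two functions through your endpoint management tooling and collect the returned objects centrally rather than relying on console output.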