Disgruntled Researcher Drops Windows Exploits for Revenge (Twice)


A researcher known as Nightmare Eclipse dropped two Windows Defender zero-day exploits on GitHub after allegedly being stiffed by Microsoft's bug bounty program (MSRC). The first exploit, 'Blue Hammer,' uses a time-of-check time-of-use (TOCTOU) race condition in Defender's update mechanism to replace a VDM file with a symlink to the SAM hive, then leverages a VSS snapshot to extract credential hashes and perform a pass-the-hash attack for SYSTEM privileges. The second exploit, 'Red Sun,' abuses Defender's behavior of writing back cloud-tagged malicious files to their original location, combined with a TOCTOU race and mount point redirection, to write attacker-controlled content into System32 as a service. Both exploits achieve local privilege escalation from a regular user to SYSTEM. The post also clarifies that Rust's memory safety guarantees would not have prevented these logic-level race conditions.
