RoguePlanet: A Microsoft Defender Zero-Day That Hands Out SYSTEM

RoguePlanet: When the AV Itself Hands You SYSTEM

Hey Guys! This one has a special kind of irony to it. Within hours of the June 2026 Patch Tuesday, a researcher dropped a new Windows zero-day called RoguePlanet, and the attack surface is Microsoft Defender itself. The tool we lean on every day to keep endpoints clean can be coaxed into handing an attacker a SYSTEM shell. Worth flagging up front: as of writing there is no CVE and no advisory for this one, which makes it an awkward thing to track and a very real thing to defend against.

What is RoguePlanet?

RoguePlanet is a local privilege escalation that abuses a time-of-check to time-of-use (TOCTOU) race condition in Microsoft Defender’s file handling and quarantine path. Defender runs as SYSTEM, and during remediation it performs privileged file operations. The exploit stages a file, then flips a directory to a reparse or junction point at exactly the right moment, so Defender’s SYSTEM-level write follows the link to a location the attacker controls. Win the race and you get a command prompt running as NT AUTHORITY\SYSTEM, the highest privilege level on the box.

It is the same primitive the researcher’s earlier BlueHammer exploit used, where Defender’s privileged writes were redirected through NTFS junction points into C:\Windows\System32. In an earlier form, RoguePlanet could reportedly reach RCE by luring a victim into opening a .vhd(x) from a remote SMB share, but Microsoft’s May mitigations closed parts of that path, and the public PoC today is the LPE variant.

Because it is a race, reliability varies. The researcher describes it as hit or miss, 100 percent on some machines and inconsistent on others. That does not really help defenders, since an attacker with a foothold just retries until it lands.

Am I affected?

Most likely yes, if you run Windows 10 or 11 with Defender as the primary antimalware. The uncomfortable part is that it was independently reproduced on fully patched systems, including Windows 11 with the June 2026 cumulative update installed. The public PoC does not work on Windows Server in its current form, because standard users there cannot mount the disk image it relies on, though the researcher believes Server is vulnerable with more effort.

Being precise on status: there is no CVE, no advisory, and no patch yet. RoguePlanet itself has not been seen exploited in the wild so far, but the same researcher’s earlier tools (BlueHammer, RedSun, UnDefend) were folded into real attack chains before their patches landed, so “nobody is using it yet” is not much comfort. Treat it as a when, not an if.

Detection: what to hunt for

No patch to deploy means this lands squarely on detection and response. A few angles to turn into hunts or rules:

  • An interactive shell or scripting host (cmd.exe, powershell.exe) running as SYSTEM whose parent process is MsMpEng.exe, the Defender engine. Defender has no legitimate reason to spawn an interactive SYSTEM shell, so this is the cleanest single signal here.
  • Defender remediation events (Microsoft-Windows-Windows Defender/Operational, for example Event ID 1116 detection followed by 1117 action taken) closely followed by an unexpected SYSTEM process on the same host.
  • EICAR-style detections landing on or near a system binary path. The PoC plants a lure, such as a fake wermgr.exe, specifically to kick off Defender remediation on a file it should never be cleaning.
  • Junction points, reparse points or directory swaps appearing right before or during Defender remediation, especially anything pointing into System32 or another privileged location.
  • A burst of rapid, repeated Defender remediation on the same file. A lost race gets retried, so repetition is itself a tell.
  • The original delivery angle is still worth watching: .vhd(x) images mounted from remote SMB shares, correlated with Defender scan activity.
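As an added example, not code from the original post or from the researcher, here are the first, second and fifth hunts above (a SYSTEM shell parented by MsMpEng.exe, a 1117 action followed by a SYSTEM shell, and repeated remediation of one path) written as simple Python rules run over constructed sample telemetry. The event field names, hostnames, timestamps and the C:\lure path are assumptions; map the fields to whatever your EDR or Sysmon pipeline emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM = "NT AUTHORITY\\SYSTEM"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENGINE = "msmpeng.exe"              # Defender engine process (MsMpEng.exe)
ts = datetime.fromisoformat         # timestamps are ISO-8601 strings

# Constructed sample telemetry: process-creation events and Defender Operational events.
PROCS = [
    {"ts": "2026-06-10T09:00:05", "host": "ws1", "image": "cmd.exe", "parent": "MsMpEng.exe", "user": SYSTEM},
    {"ts": "2026-06-10T09:01:00", "host": "ws1", "image": "powershell.exe", "parent": "explorer.exe", "user": "ws1\\alice"},
    {"ts": "2026-06-10T09:00:00", "host": "ws2", "image": "cmd.exe", "parent": "services.exe", "user": SYSTEM},
]
DEFENDER = [  # 1116 = detection, 1117 = action taken; the path is a constructed lure location
    {"ts": "2026-06-10T08:59:50", "host": "ws1", "id": 1116, "path": "C:\\lure\\wermgr.exe"},
    {"ts": "2026-06-10T08:59:52", "host": "ws1", "id": 1117, "path": "C:\\lure\\wermgr.exe"},
    {"ts": "2026-06-10T08:59:58", "host": "ws1", "id": 1117, "path": "C:\\lure\\wermgr.exe"},
    {"ts": "2026-06-10T09:00:02", "host": "ws1", "id": 1117, "path": "C:\\lure\\wermgr.exe"},
]

def shell_under_defender(procs):
    """Signal 1: a SYSTEM shell/scripting host whose parent is the Defender engine."""
    return [p for p in procs if p["image"].lower() in SHELLS
            and p["parent"].lower() == ENGINE and p["user"] == SYSTEM]

def remediation_then_shell(defender, procs, window_s=30):
    """Signal 2: an 1117 'action taken' followed within window_s seconds by a SYSTEM
    shell on the same host. Returns sorted (host, remediated path, image) tuples."""
    win, hits = timedelta(seconds=window_s), set()
    for d in (d for d in defender if d["id"] == 1117):
        for p in procs:
            if (p["host"] == d["host"] and p["user"] == SYSTEM and p["image"].lower() in SHELLS
                    and ts(d["ts"]) <= ts(p["ts"]) <= ts(d["ts"]) + win):
                hits.add((d["host"], d["path"], p["image"]))
    return sorted(hits)

def remediation_bursts(defender, threshold=3, window_s=60):
    """Signal 3: the same path remediated >= threshold times within window_s seconds
    (a lost race being retried). Returns the set of (host, path) keys."""
    by_key = defaultdict(list)
    for d in sorted(defender, key=lambda d: d["ts"]):   # ISO strings sort chronologically
        if d["id"] == 1117:
            by_key[(d["host"], d["path"])].append(ts(d["ts"]))
    win = timedelta(seconds=window_s)
    return {k for k, t in by_key.items()
            if any(t[i + threshold - 1] - t[i] <= win for i in range(len(t) - threshold + 1))}
```

Only the ws1 cmd.exe under MsMpEng.exe fires all three rules; the SYSTEM cmd.exe under services.exe on ws2 and the user-level PowerShell on ws1 stay quiet, which is the point of anchoring on parent process and user rather than on the shell alone.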

Map it to ATT&CK around T1068 (Exploitation for Privilege Escalation), with the file redirection primitive sitting close to T1574 (Hijack Execution Flow), plus the obvious defense evasion overlap since the security product is the vehicle.

One caveat worth stating clearly: Microsoft has pushed a Defender signature that flags the compiled PoC (reported as Exploit:Win32/DfndrRugPlnt.BB). That catches the specific public sample, not the underlying technique, so do not read a clean scan as “safe.” A recompiled or reworked variant will sail straight past it.

Mitigation and hardening

No patch yet, so this is about compensating controls and shrinking the blast radius:

  • Application allowlisting (WDAC, AppLocker or equivalent) in enforced mode was demonstrated to block the PoC from executing. Right now this is the strongest single control.
  • Turn on Defender Tamper Protection and run EDR in block mode where you can.
  • Restrict mounting .vhd(x) from untrusted or remote SMB sources, and block outbound SMB (TCP 445) to the internet.
  • Lean on Attack Surface Reduction rules to cut down the initial access stage RoguePlanet chains from.
  • Watch for a Microsoft out-of-band fix and apply it the moment it ships.

Because the exploit needs a local foothold first, hardening initial access (phishing, macros, drive-by downloads) buys you real protection here, and not just against this one tool.

The researcher behind it

RoguePlanet comes from a researcher operating as Nightmare Eclipse (also seen as Chaotic Eclipse or Dead Eclipse). Since early April 2026 they have dropped a sustained series of Windows and Defender zero-days, with names like RedSun, UnDefend, BlueHammer, GreenPlasma, YellowKey and MiniPlasma, several already patched by Microsoft. RoguePlanet landed within hours of June Patch Tuesday, the third month running the actor has timed a release to patch day. They have said openly that the releases are a protest against how Microsoft handled their disclosures and bug bounty decisions.

The fallout around it got messy. Microsoft suspended the researcher’s GitHub account and initially signalled it would pursue legal action, even raising the prospect of criminal referrals. After significant backlash from the security community, Microsoft walked that back in early June, clarifying it would not go after people conducting or publishing genuine security research, though the researcher has claimed Microsoft did file against them anyway. RoguePlanet was then republished from a fresh GitHub account, with mirrors on a self-hosted server, the researcher’s point being that once code is public it cannot be taken back.

The bigger picture

Strip away the drama and the lesson for defenders is familiar: a working SYSTEM-level escalation is public, it runs on fully patched machines, and there is no CVE, advisory or fix yet. The window between public exploit and real abuse keeps shrinking, and “fully patched” is no longer the same thing as “safe.”

When the thing watching your endpoints becomes the thing being abused, your detection logic has to assume the tooling can be turned against you. Hunt on behavior, not on the green checkmark.

This post is licensed under CC BY 4.0 by the author.