RoguePlanet turns Defender remediation into SYSTEM execution
The public RoguePlanet proof of concept abuses Microsoft Defender cleanup, reparse points, a shadow-copy race, and a privileged Windows Error Reporting task to replace wermgr.exe and obtain SYSTEM execution.
- 2026-07-17
- 7 min read
Operational layer / Use first
Detection & hunt kit
Deployable logic, required telemetry, and ATT&CK coverage. Expand an artifact without leaving the intelligence report.
01 / DetectionWindows Error Reporting Process Spawns a Command ShellDetects a Windows command shell launched by wermgr.exe, matching the successful RoguePlanet privilege-escalation outcome after Defender remediation replaces the Windows Error Reporting executable and a privileged scheduled task runs it.ATT&CK / T1068View detailsMinimize
- Use
- Detection
- Confidence state
- stable
- Priority
- high
- ATT&CK
- T1068
Required telemetry
- category
- process_creation
- product
- windows
title: Windows Error Reporting Process Spawns a Command Shell
id: 4bd28389-d5ce-40b7-bf12-9487267cdece
status: stable
author: FRAME ZERO
date: 2026-07-17
description: Detects a Windows command shell launched by wermgr.exe, matching the successful RoguePlanet privilege-escalation outcome after Defender remediation replaces the Windows Error Reporting executable and a privileged scheduled task runs it.
references:
- https://www.threatlocker.com/blog/microsoft-defender-zero-day-rogueplanet-grants-system-privileges
- https://github.com/MSNightmare/RoguePlanet
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\wermgr.exe'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection_parent and selection_child
falsepositives:
- Crash-response or diagnostic tooling that intentionally uses Windows Error Reporting to launch a command interpreter
- Security testing that reproduces the RoguePlanet proof of concept in an isolated environment
level: high
tags:
- attack.privilege-escalation
- attack.t1068
related_publication: rogueplanet-defender-remediation-system-escalation
telemetry_assumptions:
- Endpoint process telemetry preserves full parent-child image paths, user context, integrity level, and process identifiers.
- Analysts can correlate the shell launch with recent Defender remediation, wermgr.exe file changes, scheduled-task execution, and activity from a low-privilege user session.
02 / Threat huntNon-Defender Process Loads MpClient DLLHunts for processes outside expected Microsoft Defender locations that load MpClient.dll. RoguePlanet invokes Defender APIs from its own process before combining virtual-disk mounting, shadow-copy monitoring, oplocks, reparse points, and a temporary Windows directory tree. The DLL load requires correlation and does not identify exploitation by itself.ATT&CK / T1068View detailsMinimize
- Use
- Threat hunt
- Confidence state
- experimental
- Priority
- medium
- Review after
- 2026-08-16
Required telemetry
- category
- image_load
- product
- windows
ATT&CK / T1068
title: Non-Defender Process Loads MpClient DLL
id: 76f7be0d-5354-4d98-8379-be53f39f1a32
status: experimental
author: FRAME ZERO
date: 2026-07-17
description: Hunts for processes outside expected Microsoft Defender locations that load MpClient.dll. RoguePlanet invokes Defender APIs from its own process before combining virtual-disk mounting, shadow-copy monitoring, oplocks, reparse points, and a temporary Windows directory tree. The DLL load requires correlation and does not identify exploitation by itself.
references:
- https://www.threatlocker.com/blog/microsoft-defender-zero-day-rogueplanet-grants-system-privileges
- https://github.com/MSNightmare/RoguePlanet
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\MpClient.dll'
filter_defender_paths:
Image|contains:
- '\Microsoft Defender\'
- '\Windows Defender\'
- '\Windows Defender Advanced Threat Protection\'
filter_defender_engine:
Image|endswith:
- '\MsMpEng.exe'
- '\MpCmdRun.exe'
- '\NisSrv.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Endpoint security products, health checks, or administrative tools that call documented or internal Defender scanning interfaces
- Malware-analysis and exploit-reproduction systems that intentionally load MpClient.dll
level: medium
tags:
- attack.privilege-escalation
- attack.t1068
related_publication: rogueplanet-defender-remediation-system-escalation
telemetry_assumptions:
- Image-load telemetry captures the loading process, complete DLL path, signer, user, and timestamp.
- Analysts can correlate a match with read-only virtual-disk attachment, new shadow-copy devices, reparse-point changes, RP-prefixed temporary directories, Defender cleanup, and later wermgr.exe execution.
Analysis
Security researcher Nightmare Eclipse published RoguePlanet in June 2026 as a local privilege-escalation proof of concept for Microsoft Defender on Windows 10 and Windows 11. The code coerces Defender into remediating a crafted EICAR file, redirects the privileged file operation through a race condition, replaces C:\Windows\System32\wermgr.exe, and triggers a Windows Error Reporting task that runs the replacement as SYSTEM. Microsoft tracks the issue as CVE-2026-50656 and fixed it in Microsoft Malware Protection Engine version 1.1.26060.3008. The frozen evidence does not confirm exploitation against production victims.
The researcher reported successful testing on Windows 10 and Windows 11 with the June 2026 updates installed. The proof of concept does not run on Windows Server because standard users cannot mount the required ISO image. The repository claims that server editions remain vulnerable to a redesigned exploit, but Microsoft does not validate that claim in the supplied evidence.
A low-privilege process prepares Defender remediation
ThreatLocker's code analysis shows the proof of concept creating a temporary ISO that contains a file named wermgr.exe. That file is a ZIP archive containing the EICAR test string, which reliably causes Defender to classify it as malicious. The exploit mounts the ISO as read-only without a drive letter, loads MpClient.dll, and calls Defender scanning and cleanup interfaces including MpScanStart, MpThreatEnumerate, and MpCleanStart.
This first stage uses Defender's own remediation path as the privileged file-operation primitive. The attacker still needs local code execution as a standard user, and the exploit remains sensitive to timing because the path redirection must land while Defender is handling the crafted file.
Shadow copies, oplocks, and reparse points redirect the cleanup path
The proof of concept watches the Windows object namespace for a newly created HarddiskVolumeShadowCopy device. Once the shadow copy exposes a Windows directory, the code opens an alternate data stream named WDFOO and requests an oplock to delay Defender's file activity.
While that operation is held, RoguePlanet builds a false System32 tree below %TEMP%\RP_<GUID>. It repeatedly changes mount-point reparse data so the temporary directory resolves through the mounted ISO and the shadow-copy path at the required moment. The code uses native file-renaming, deletion, directory-enumeration, and reparse-point operations to control which path Defender reaches during cleanup.
ThreatLocker reports that the race has variable reliability. The researcher also describes inconsistent results across systems, although some test machines reached a claimed 100 percent success rate. These statements describe proof-of-concept behavior, not measured exploitation reliability in enterprise environments.
Defender cleanup replaces wermgr.exe before a privileged task runs
When the race succeeds, Defender's remediation writes the attacker's executable over C:\Windows\System32\wermgr.exe. RoguePlanet then connects to the Task Scheduler service and manually triggers \Microsoft\Windows\Windows Error Reporting\QueueReporting, a task that executes wermgr.exe with SYSTEM privileges.
The privileged copy connects back to the original process through \\.\pipe\RoguePlanet, identifies the user's interactive session, duplicates the SYSTEM token, and launches a console in that session. The operational result is a SYSTEM shell from code that began under a standard user account.
Durable detection covers the successful privilege transition
The included durable Sigma rule detects wermgr.exe launching cmd.exe, Windows PowerShell, or PowerShell 7. RoguePlanet's successful path executes the replacement wermgr.exe as SYSTEM and uses the privileged token to open a shell. That parent-child relationship is narrow enough for alerting and avoids reliance on the proof-of-concept filename, pipe name, temporary directory, or other changeable strings.
The rule requires complete endpoint process telemetry. Analysts should confirm the parent image path, SYSTEM integrity, scheduled-task execution, recent changes to wermgr.exe, and Defender remediation immediately before the shell. Diagnostic or crash-response tooling can create unusual Windows Error Reporting process trees, so the rule should not trigger containment from the child process alone.
The experimental hunt looks for MpClient.dll loaded by a process outside expected Defender locations. That behavior occurs early in the published exploit and can expose modified variants before the final shell, but it is broader and may match security tools that call Defender interfaces. Correlation should include virtual-disk attachment without a drive letter, new shadow-copy devices, reparse-point changes, RP_ temporary directories, or the WDFOO alternate data stream.
Patch verification and response priorities
Microsoft fixed CVE-2026-50656 in Malware Protection Engine version 1.1.26060.3008. Malwarebytes reports that version 1.1.26050.11 and earlier remain vulnerable, while Defender normally updates its engine automatically. Enterprise teams should verify the engine version across managed Windows fleets instead of assuming that definition-update policy proves deployment.
Application control can reduce exposure by blocking unsigned or unapproved executables from user-writable locations. Path-only allow rules are weaker here because the proof of concept places attacker-controlled content at a trusted Windows filename. Publisher, signature, and approved-hash controls provide a stronger boundary than trust based on C:\Windows alone.
If telemetry indicates the exploit sequence, isolate the endpoint, collect the current wermgr.exe hash and signer, preserve scheduled-task and Defender operational logs, and review local administrator and SYSTEM-level activity after the suspected race. A successful exploit gives the attacker the privileges needed to disable controls, establish persistence, and access protected data, but those follow-on actions are outside the behavior demonstrated by the frozen evidence.
Scope and limitations
The evidence strongly supports the proof-of-concept mechanism, the SYSTEM result on tested Windows 10 and 11 systems, the CVE assignment, and the patched engine boundary. It does not establish active exploitation, a victim set, or a campaign. Claims about Windows Server remain researcher assessment because the supplied proof of concept does not execute there and the frozen vendor record does not confirm server impact.
The durable detection covers the final parent-child process relationship. It can miss variants that launch another payload, inject into an existing process, or avoid a visible shell. The hunt depends on image-load visibility and analyst correlation; many environments do not retain DLL loads, reparse-point changes, shadow-copy device events, or complete Defender cleanup telemetry.
The artifact table reflects the published implementation and can age quickly as exploit code changes. None of those values should be treated as proof of compromise without local sequence and timing evidence.
Reported IOCs
View detailsMinimize
The source labels the following values as indicators, artifacts, API names, or path patterns from the public proof of concept. They were published as research artifacts rather than observed attacker infrastructure, and the sources provide no per-value observation timestamps. Treat them as implementation-specific historical pivots and validate signer, path, process lineage, and local event timing before response action. Entries containing <GUID>, <temp path>, or * are patterns rather than exact observed paths.
| Value | Type | Context |
|---|---|---|
MpManagerOpen | Defender API | Opens a Defender manager handle from the proof-of-concept process |
MpScanStart | Defender API | Starts the crafted-file scan |
MpScanResult | Defender API | Reads the scan result |
MpThreatOpen | Defender API | Opens threat information |
MpThreatEnumerate | Defender API | Enumerates the detected EICAR threat |
MpCleanOpen | Defender API | Opens the cleanup operation |
MpCleanStart | Defender API | Starts Defender remediation |
OpenVirtualDisk | Windows API | Opens the temporary ISO |
AttachVirtualDisk | Windows API | Attaches the ISO without a drive letter |
ATTACH_VIRTUAL_DISK_FLAG_READ_ONLY | API flag | Mounts the crafted ISO read-only |
ATTACH_VIRTUAL_DISK_FLAG_NO_DRIVE_LETTER | API flag | Prevents drive-letter assignment |
%TEMP%\RP_<GUID> | Directory pattern | Temporary exploit root |
%TEMP%\RP_<GUID>\wdtest_temp | Directory pattern | Temporary path used during redirection |
%TEMP%\RP_<GUID>\System32\wermgr.exe | File pattern | False System32 target below the temporary root |
%TEMP%\RP_<GUID>\System32\wermgr.exe:WDFOO | ADS pattern | Alternate data stream used with the oplock sequence |
\Device\HarddiskVolumeShadowCopy*\<temp path>\System32\wermgr.exe:WDFOO | Path pattern | Shadow-copy ADS pivot |
RoguePlanet.exe | Filename | Proof-of-concept executable name |
\\.\pipe\RoguePlanet | Named pipe | Connects the privileged and original processes |
MpClient.dll | DLL | Loaded by the proof of concept to invoke Defender interfaces |
Virtdisk.dll | DLL | Supports the virtual-disk operations |
WDFOO | String | Alternate data stream name embedded in the proof of concept |
EICAR | String | Test signature used to trigger Defender detection |
C:\Users\user\source\repos\ScanMan\x64\Release\RoguePlanet.pdb | PDB path | Build path reported in the binary strings |
C:\Windows\System32\wermgr.exe | File path | Privileged Windows Error Reporting executable replaced after a successful race |
\Microsoft\Windows\Windows Error Reporting\QueueReporting | Scheduled task | Privileged task manually triggered after replacement |
Sources
Evidence register- Microsoft Defender zero-day RoguePlanet grants SYSTEM privilegesresearch
- GitHub - MSNightmare/RoguePlanet: RoguePlanet Windows Defender Vulnerabilityprimary
- NVD - CVE-2026-50656primary
- Microsoft fixes RoguePlanet zero-day in Defenderresearch
- Microsoft Patches RoguePlanet Defender Flaw That Can Grant SYSTEM Privilegessecondary