RoguePlanet Windows Zero-Day Turns Microsoft Defender Into an Exploitation Tool
A newly disclosed Windows zero-day dubbed RoguePlanet abuses Microsoft Defender’s own quarantine process to give an ordinary, unprivileged user SYSTEM-level control over a Windows 11 machine.
Cyderes researchers said they reproduced the local privilege escalation exploit on a fully patched Windows 11 Pro system. The attack requires no administrator rights, kernel vulnerability or memory corruption. Instead, it chains together legitimate Windows features, including Defender scans, NTFS directory junctions, opportunistic file locks, Volume Shadow Copy and a Windows Error Reporting task that runs as SYSTEM.
The exploit manipulates Defender into creating a SYSTEM-owned quarantine file inside a location controlled by the attacker. RoguePlanet then replaces that file with its own payload and redirects the path used by the Windows Error Reporting service, causing the malicious binary to execute with SYSTEM privileges.
The proof-of-concept was published June 10 under the MSNightmare alias. It is reportedly the seventh Windows exploit released by the researcher associated with the Nightmare-Eclipse cluster in roughly 10 weeks.
Microsoft Defender currently detects the published binary as Exploit:Win32/DfndrRugPlnt.BB. Cyderes warned that the signature targets the compiled sample rather than the underlying attack technique, allowing minor code changes to bypass static detection.
Until Microsoft releases a complete fix, security teams should monitor for RoguePlanet’s named pipe, unusual temporary System32 directories, suspicious wermgr.exe activity and non-system processes enumerating Volume Shadow Copy devices.
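As an added illustration (not code from Cyderes or the researcher), the following Python routine applies the four hunting points above to constructed, Sysmon-like event records. The named pipe is a placeholder because the article does not give its name, and the list of expected wermgr.exe parent processes is an assumed heuristic.

```python
"""Triage constructed endpoint events against the RoguePlanet hunting points."""
import re

# Placeholder: the article does not publish the pipe name. Replace with the real one.
ROGUEPLANET_PIPE = r"\ROGUEPLANET_PIPE_NAME_PLACEHOLDER"
# Assumed heuristic: wermgr.exe is normally started by the task scheduler (svchost.exe)
# or by another wermgr.exe instance; anything else is worth a look.
WERMGR_EXPECTED_PARENTS = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\wermgr.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "nt authority\\local service", "nt authority\\network service"}
# A "System32" directory created somewhere under a Temp folder (user or C:\Windows\Temp).
TEMP_SYSTEM32 = re.compile(r"\\temp\\.*\\system32(\\|$)", re.I)
# Shadow copy device names as exposed by Volume Shadow Copy.
VSS_DEVICE = re.compile(r"harddiskvolumeshadowcopy\d+", re.I)


def triage(event):
    """Return indicator tags for one event dict; an empty list means nothing matched."""
    hits, kind = [], event.get("type")
    image = event.get("image", "").lower()
    user = event.get("user", "").lower()
    if kind == "pipe_created" and event.get("pipe", "").lower() == ROGUEPLANET_PIPE.lower():
        hits.append("rogueplanet_named_pipe")
    if kind == "process_create" and image.endswith("\\wermgr.exe"):
        if event.get("parent_image", "").lower() not in WERMGR_EXPECTED_PARENTS:
            hits.append("wermgr_unexpected_parent")
        if not image.startswith("c:\\windows\\system32\\"):
            hits.append("wermgr_outside_system32")
    if kind == "file_create" and TEMP_SYSTEM32.search(event.get("target", "")):
        hits.append("temp_system32_directory")
    if kind == "raw_access_read" and VSS_DEVICE.search(event.get("device", "")) and user not in SYSTEM_ACCOUNTS:
        hits.append("non_system_vss_enumeration")
    return hits


def triage_all(events):
    """Return (event id, tags) for every event that tripped at least one indicator."""
    return [(e["id"], triage(e)) for e in events if triage(e)]


# Constructed sample events loosely modelled on Sysmon fields (not real telemetry).
POC = r"C:\Users\alice\Downloads\poc.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\wermgr.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\System32\wermgr.exe",
     "parent_image": POC, "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 3, "type": "file_create", "image": POC, "user": "DESKTOP\\alice",
     "target": r"C:\Users\alice\AppData\Local\Temp\x\System32\wer.dll"},
    {"id": 4, "type": "raw_access_read", "image": r"C:\Windows\System32\vssadmin.exe",
     "device": r"\Device\HarddiskVolumeShadowCopy3", "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 5, "type": "raw_access_read", "image": POC, "device": r"\Device\HarddiskVolumeShadowCopy3",
     "user": "DESKTOP\\alice"},
    {"id": 6, "type": "pipe_created", "image": POC, "pipe": ROGUEPLANET_PIPE, "user": "DESKTOP\\alice"},
]

if __name__ == "__main__":
    for event_id, tags in triage_all(SAMPLE_EVENTS):
        print(event_id, tags)
```

Only the constructed events 2, 3, 5 and 6 are flagged; the legitimate scheduler-launched wermgr.exe and the SYSTEM-context shadow copy access pass clean.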