A standard user should not be able to turn Microsoft Defender cleanup into a SYSTEM shell. RoguePlanet is interesting because the public proof-of-concept appears to do exactly that by racing Defender’s remediation path, not by exploiting a browser, a driver, or a traditional memory corruption bug.

This is another chapter in the Nightmare Eclipse sequence: BlueHammer, RedSun, YellowKey, and now RoguePlanet. The pattern is no longer subtle. The researcher is probing the trust boundaries around Windows security components and publishing working code when those boundaries fail.

TL;DR

  • RoguePlanet is a public C++ proof-of-concept published by Nightmare Eclipse on June 9, 2026.
  • The repository describes it as a Windows Defender vulnerability and says successful exploitation spawns a SYSTEM shell.
  • The README says the PoC was tested on Windows 10 and Windows 11 with the June 2026 patch installed.
  • Local code review points to a race condition around Defender scanning/remediation, Volume Shadow Copy access, oplocks, NTFS reparse point swaps, a read-only ISO mount, and the Windows Error Reporting QueueReporting scheduled task.
  • There is no public CVE or Microsoft advisory at the time of writing, so strong claims about affected versions, patch status, and Windows Server impact should be treated as unconfirmed.

What Was Published

Nightmare Eclipse published a RoguePlanet repository on Project NightCrawler on June 9, 2026. The repository contains a README, C++ source, a compiled executable, and a screenshot. The README calls it a “Windows Defender Vulnerability” and says the exploit is a race condition with variable reliability.

The researcher’s own compatibility claim is specific but not independently confirmed: Windows 10, Windows 11 official builds, and Windows 11 Canary with the June 2026 patch installed. The README also claims Windows Server is vulnerable, but says the current PoC does not work there because standard users cannot mount an ISO image. That distinction matters. “Vulnerable” and “this PoC works as published” are not the same statement.

The companion blog post gives more context. Nightmare Eclipse says earlier RoguePlanet development included scenarios involving Defender, VHD/VHDX files, remote SMB, symlink evaluation, and a possible BitLocker bypass path. The post also says Microsoft changed mpengine!SysIO* behavior after mid-May, breaking junction-based variants and forcing a rewrite. That is the researcher’s account, not a Microsoft-confirmed timeline.

As of June 10, 2026, I found no public MSRC advisory, CVE record, or Microsoft acknowledgment for RoguePlanet. Treat it as a public PoC with credible technical substance and incomplete external validation.

Why This Is Not Just Another LPE

Local privilege escalation bugs are common. Defender LPE bugs are different because they sit inside a component that enterprises explicitly trust to inspect hostile input.

Security software has to parse suspicious files, quarantine them, clean them, restore them, and report on them. Those operations happen with high privilege and often touch attacker-controlled paths. If the engine follows a path once, then later acts on what it believes is the same path after the filesystem view has changed, a low-privileged attacker may get a time-of-check/time-of-use window.

That is the theme running through BlueHammer, RedSun, and RoguePlanet: make a trusted security component perform a privileged file operation on the attacker’s behalf.

RoguePlanet’s public code appears to combine several Windows primitives:

  • Defender scan and cleanup APIs: the exploit path intentionally causes Defender to inspect and act on a test file.
  • Volume Shadow Copy access: the PoC appears to open the target stream through a VSS snapshot path to hold a useful read view during the race.
  • Oplocks: the code tries to pause file access at useful timing points to win a race. The first oplock is tied to the :WDFOO alternate data stream through the shadow-copy path, not simply to the live file path.
  • NTFS reparse points / junctions: the working directory target can be swapped underneath a privileged operation.
  • Alternate data streams: the PoC uses stream syntax as part of the file state Defender interacts with.
  • Read-only ISO attachment: the code mounts an ISO without a drive letter and uses it as part of the path manipulation strategy.
  • Windows Error Reporting scheduled task: the PoC triggers QueueReporting under \Microsoft\Windows\Windows Error Reporting.
  • Named pipe handoff: the elevated path communicates back through \\.\pipe\RoguePlanet.

None of those primitives is inherently malicious. That is exactly why the chain is useful to attackers and difficult for defenders. It does not begin with an unsigned kernel driver or a suspicious service install. It begins with Windows doing Windows things.

The Attack Shape

At a high level, RoguePlanet appears to create a temporary working area, place a file that Defender will detect, trigger a Defender scan, and then race the cleanup path. The code uses filesystem timing, Volume Shadow Copy access, and reparse point changes to influence where privileged operations land.

One detail matters for defenders: the first oplock is not just placed on the live file. The PoC looks for a Volume Shadow Copy path and opens the wermgr.exe:WDFOO alternate data stream through that snapshot path before requesting an oplock. That gives the exploit a stable read-side handle while the live filesystem view is being manipulated. If you are hunting for this class of behavior, VSS activity near Defender remediation is part of the signal.

The PoC also mounts an embedded ISO through the Windows virtual disk API. Microsoft documents AttachVirtualDisk as the API used to attach VHD or ISO images through a VHD provider. RoguePlanet uses the ISO path as a read-only filesystem element in the race rather than relying on a simple writable directory.

The final stage appears to involve the Windows Error Reporting scheduled task named QueueReporting. Microsoft documents Task Scheduler as a component that monitors configured criteria and executes tasks when their triggers are met. RoguePlanet uses the Task Scheduler COM API to retrieve and run the existing task, then uses the path state it prepared earlier to get code execution as SYSTEM.

That is the important defensive takeaway: this is not just “Defender scanned a file.” It is a sequence where Defender activity, filesystem redirection, virtual disk attachment, and a trusted scheduled task occur close together.

What Is Confirmed, Claimed, and Inferred

  • A public RoguePlanet repository exists with C++ source and a compiled executable. Status: confirmed from the Project NightCrawler repository.
  • The README says successful exploitation spawns a SYSTEM shell. Status: confirmed as the author’s claim.
  • The README says the PoC was tested on Windows 10 and Windows 11 with June 2026 patches. Status: confirmed as the author’s claim.
  • The code references Defender registry state, MpClient.dll, scan and cleanup flows, Volume Shadow Copy paths, reparse points, ISO mounting, QueueReporting, and \\.\pipe\RoguePlanet. Status: confirmed from local source review.
  • All Windows Server versions are vulnerable. Status: unconfirmed; the README claims this, but the published PoC reportedly does not work as-is on Server.
  • Microsoft silently patched earlier RoguePlanet variants in mpengine!SysIO*. Status: unconfirmed; this is from the researcher’s blog post.
  • RoguePlanet has a CVE or official mitigation. Status: not found as of June 10, 2026.

This is the standard we should use until Microsoft, MSRC, or an independent reverse-engineering report publishes more detail.

Detection Ideas

There is no single IoC that will age well. Focus on behavior and correlation.

Defender Events

Microsoft documents Defender events under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational.

For RoguePlanet-style testing or exploitation, investigate tight clusters of:

  • 1000: Defender scan started.
  • 1001: Defender scan completed.
  • 1006 / 1116: malware or unwanted software detected.
  • 1007 / 1117: Defender action taken.
  • 1008: Defender action failed. Race-condition exploits often create unusual failures or retries.
  • 1015: suspicious behavior detected.

The path is the key. A Defender detection involving a recently created %TEMP%\RP_* directory, wermgr.exe, alternate data stream syntax, or unexpected Windows temp files should not be dismissed as ordinary EICAR noise.

Filesystem Signals

Hunt for a low-privileged process that creates or manipulates:

  • %TEMP%\RP_*
  • %TEMP%\RP_*\System32\
  • %TEMP%\RP_*\wdtest_temp\
  • wermgr.exe
  • wermgr.exe:WDFOO
  • \\.\pipe\RoguePlanet

Also look for fast reparse point changes under temporary directories. Microsoft describes reparse points as user-defined filesystem data interpreted by a filesystem filter; junctions and mounted folders are normal uses of that mechanism. In this context, repeated creation and deletion of mount-point reparse data around Defender activity is the suspicious part.

Virtual Disk and ISO Activity

The published code uses the Windows virtual disk API and attaches an ISO read-only without assigning a drive letter. On developer workstations this may be normal; on standard user endpoints directly adjacent to Defender remediation it is not.

Useful telemetry includes:

  • process image calling OpenVirtualDisk or AttachVirtualDisk
  • .iso creation under %TEMP%
  • virtual disk attach without a drive letter
  • virtual disk attach followed by Defender detection and Task Scheduler execution

Volume Shadow Copy Activity

RoguePlanet’s race setup appears to involve a shadow-copy path before the live directory target is swapped. That means VSS should be part of the correlation window, even though VSS is not malicious on its own.

Useful telemetry includes:

  • unexpected access to \Device\HarddiskVolumeShadowCopy* paths by a non-administrative process
  • shadow-copy path access involving %TEMP%\RP_*, wermgr.exe, or :WDFOO
  • VSS path access followed by Defender cleanup events, reparse point changes, or QueueReporting execution

Task Scheduler

Watch for manual or programmatic execution of:

\Microsoft\Windows\Windows Error Reporting\QueueReporting

This task can run legitimately. The detection should be correlation-based: QueueReporting execution shortly after Defender scan/remediation events, reparse point changes, ISO attach, and creation of a named pipe called RoguePlanet.
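The correlation the Defender Events, Filesystem Signals, Virtual Disk, Volume Shadow Copy and Task Scheduler sections above describe, as an added Python example that is not code from the post or from the PoC repository: it maps constructed telemetry records to the named signals (Defender action on an RP_, :WDFOO or wermgr.exe path, shadow-copy path access by a non-admin process, reparse change under a temp directory, ISO attach without a drive letter, QueueReporting execution, the RoguePlanet pipe) and alerts only when several distinct signals fall inside a short window. The event sources, the Event record shape and the sample paths are assumptions, not any real sensor schema.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Path patterns from the post's detection ideas (NTFS paths are case-insensitive, so match uppercased).
RP_TEMP = re.compile(r"\\APPDATA\\LOCAL\\TEMP\\RP_")
SHADOW = re.compile(r"^\\DEVICE\\HARDDISKVOLUMESHADOWCOPY\d+\\")
QUEUE_TASK = r"\Microsoft\Windows\Windows Error Reporting\QueueReporting"
PIPE = r"\\.\pipe\RoguePlanet"

# Assumed sensor record, not a real schema: source names the signal family, detail is the path/task/flags.
Event = namedtuple("Event", "ts source detail is_admin", defaults=(False,))

def signal(ev):
    """Map one raw event to a RoguePlanet-shaped signal name, or None if it looks benign."""
    u = ev.detail.upper()
    if ev.source == "defender" and (RP_TEMP.search(u) or ":WDFOO" in u or "WERMGR.EXE" in u):
        return "defender_action_on_suspicious_path"
    if ev.source == "vss" and SHADOW.search(u) and not ev.is_admin:
        return "vss_access_by_standard_user"
    if ev.source == "reparse" and RP_TEMP.search(u):
        return "reparse_change_under_temp"
    if ev.source == "vdisk" and "NO_DRIVE_LETTER" in u:
        return "iso_attach_without_letter"
    if ev.source == "task" and u == QUEUE_TASK.upper():
        return "queuereporting_run"
    if ev.source == "pipe" and u == PIPE.upper():
        return "rogueplanet_pipe"
    return None

def correlate(events, window=timedelta(minutes=5), min_signals=3):
    """Return the densest cluster of distinct signals starting inside `window`, else None."""
    tagged = sorted((e.ts, s) for e in events if (s := signal(e)) is not None)
    best = None
    for i, (t0, _) in enumerate(tagged):
        kinds = {s for t, s in tagged[i:] if t - t0 <= window}
        if len(kinds) >= min_signals and (best is None or len(kinds) > len(best["signals"])):
            best = {"start": t0, "signals": sorted(kinds)}
    return best  # a lone QueueReporting run or ISO attach never alerts; the combination does

# Constructed sample telemetry for one host: the RoguePlanet-shaped sequence in a few seconds.
T = datetime(2026, 6, 10, 14, 0, 0)
TEMP = r"C:\Users\alice\AppData\Local\Temp\RP_1234"
SAMPLE = [
    Event(T, "vss", r"\Device\HarddiskVolumeShadowCopy3" + TEMP[2:] + r"\wermgr.exe:WDFOO"),
    Event(T + timedelta(seconds=1), "vdisk", "attach iso readonly no_drive_letter"),
    Event(T + timedelta(seconds=2), "defender", TEMP + r"\wdtest_temp\eicar.txt"),
    Event(T + timedelta(seconds=2), "reparse", TEMP + r"\System32"),
    Event(T + timedelta(seconds=3), "task", QUEUE_TASK),
    Event(T + timedelta(seconds=4), "pipe", PIPE),
]
```

Tune `window` and `min_signals` to the host population: developer workstations that legitimately attach ISOs need a higher threshold than locked-down standard user endpoints.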

Microsoft Defender for Endpoint Advanced Hunting

The exact schema available varies by tenant and sensor configuration, but the following pattern is the shape to model:

let lookback = 24h;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where FolderPath has @"\AppData\Local\Temp\RP_"
    or FileName =~ "wermgr.exe"
    or FolderPath has ":WDFOO"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath, ActionType
| order by Timestamp desc

Pair that with scheduled task telemetry and process creation around conhost.exe, wermgr.exe, and any unsigned executable running from a temp-created working path.

What Defenders Should Do Now

Do not wait for a CVE to start monitoring. A public PoC with compiled binary included changes the risk profile even before formal vendor language lands.

For endpoint teams:

  • Make sure Defender operational events are collected centrally, not left only on the endpoint.
  • Alert on Defender detections and actions involving %TEMP%\RP_*, ADS syntax, or unexpected wermgr.exe locations.
  • Correlate VSS path access with Defender scan/remediation activity, especially when the path resolves back to user-writable temp content.
  • Alert on standard users mounting ISO files through suspicious parent processes.
  • Correlate Windows Error Reporting scheduled task execution with Defender cleanup events.
  • Watch for named pipe creation matching \\.\pipe\RoguePlanet.

For hardening teams:

  • Review whether standard users need ISO mount capability on managed endpoints.
  • Enforce least privilege and application control for untrusted executables in user-writable directories.
  • Keep Defender platform and engine updates current; this class of bug is often fixed in engine/platform updates, not only monthly OS cumulative updates.
  • Treat public Defender LPE PoCs as post-exploitation accelerators. They matter most after phishing, malicious package install, browser compromise, or local code execution.

For incident responders:

  • If RoguePlanet is suspected, preserve Defender Operational logs, Task Scheduler Operational logs, file system artifacts under %TEMP%, and MDE timeline data before cleanup.
  • Do not rely only on whether the exploit binary remains on disk. The interesting evidence is the sequence of filesystem and trusted-component operations.
  • Check for follow-on actions after SYSTEM execution: new local admins, credential dumping, LSASS access, tampering with security tools, and persistence.

The Bigger Pattern

RoguePlanet is not important only because it may give a local user SYSTEM. It is important because it reinforces a pattern: the defensive layer itself is becoming the privilege boundary attackers target.

BlueHammer and RedSun focused attention on Defender file handling. YellowKey moved the discussion into WinRE and BitLocker. RoguePlanet brings the story back to Defender, but with a more complex chain: scan, clean, shadow-copy-backed filesystem race, virtual disk, scheduled task, SYSTEM execution.

The practical lesson is direct. Defenders should monitor trusted Microsoft components by behavior, not reputation. MsMpEng.exe, Windows Error Reporting, Task Scheduler, virtual disk APIs, and NTFS reparse points are normal. Their combination, timing, and path context are what turn normal into exploit telemetry.

Until Microsoft publishes an advisory or independent researchers reproduce the chain across versions, keep the wording precise: RoguePlanet is a public, technically credible PoC with author-claimed June 2026 patch coverage. It is not yet a fully documented CVE.

That is enough to hunt.


Sources