Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The repository contained RoguePlanet, a seventh Windows local privilege escalation exploit targeting Microsoft Defender.
RoguePlanet was originally built as arbitrary code execution, abusing Defender's handling of files on remote SMB shares served from attacker-controlled .vhd(x) images. A mid-May Defender engine update changed the mpengine!SysIO* APIs and closed that path, so the published version is a local privilege escalation.
The repository contained RoguePlanet, a seventh Windows local privilege escalation exploit targeting Microsoft Defender.
The repository contained RoguePlanet, a seventh Windows local privilege escalation exploit targeting Microsoft Defender.
16 distinct techniques documented for this family, organized by ATT&CK tactic.
The Windows Task Scheduler COM interface is used to trigger the QueueReporting scheduled task inside the Windows Error Reporting task folder. This task is present on all standard Windows installations, runs under the SYSTEM account, and can be triggered programmatically by an unprivileged user.
The WER QueueReporting scheduled task runs as SYSTEM and can be triggered by an unprivileged user via the Task Scheduler COM interface... When the WER task fires, it executes what it believes is a legitimate system binary at a legitimate system path.
Because the tool allows immediate shell command entry, enterprise protection teams face an immediate challenge.
If successful, the exploit spawns a command shell running under SYSTEM-level privileges, which would give an attacker complete access to a compromised Windows machine.
The named pipe RoguePlanet is created immediately after and kept open for the lifetime of the process. It serves as the success signal channel... the elevated payload calls back through this pipe.
If it is already running as SYSTEM, it takes the payload path: connecting to the named pipe \\.\pipe\RoguePlanet... The named pipe RoguePlanet is a stable, observable artifact present on the system for the entire duration of the exploit run.
The objective of RoguePlanet is straightforward: cause a SYSTEM-level scheduled task to execute an attacker-controlled binary... After this operation, the path %TEMP%\RP_\System32\wermgr.exe resolves transparently through the junction to what appears to be C:\Windows\System32\wermgr.exe.
The vulnerability emerges from the gap between when Defender creates a quarantine artifact and when it validates where that artifact actually landed. During that gap, the exploit redirects the landing zone, overwrites the artifact with its own binary, and then redirects the execution path to match.
The Windows Task Scheduler COM interface is used to trigger the QueueReporting scheduled task inside the Windows Error Reporting task folder. This task is present on all standard Windows installations, runs under the SYSTEM account, and can be triggered programmatically by an unprivileged user.
The Windows Task Scheduler COM interface is used to trigger the QueueReporting scheduled task inside the Windows Error Reporting task folder. This task is present on all standard Windows installations, runs under the SYSTEM account, and can be triggered programmatically by an unprivileged user.
All working artifacts are atomically renamed to random UUID-named paths using NtSetInformationFile with FileRenameInformationEx, preserving the open handles while freeing the original paths.
This analytic story groups detections that surface alternate data stream abuse, suspicious Defender-adjacent file activity, and privilege escalation patterns consistent with RoguePlanet and similar Windows Defender bypass research.
The task executes wermgr.exe at the System32 path, which resolves to the attacker payload. The exploit binary launches as SYSTEM, connects back to the orchestrator, and spawns a shell.
The binary is self-referential. One IsRunningAsLocalSystem check at entry switches between unprivileged orchestrator and SYSTEM payload.
The following analytic detects the wermgr.exe process creating an alternate stream in the temp directory... Such activity is significant as it may indicate RoguePlanet malware, which creates an alternate stream in the temp directory to execute malicious code.
The objective of RoguePlanet is straightforward: cause a SYSTEM-level scheduled task to execute an attacker-controlled binary... After this operation, the path %TEMP%\RP_\System32\wermgr.exe resolves transparently through the junction to what appears to be C:\Windows\System32\wermgr.exe.
The vulnerability emerges from the gap between when Defender creates a quarantine artifact and when it validates where that artifact actually landed. During that gap, the exploit redirects the landing zone, overwrites the artifact with its own binary, and then redirects the execution path to match.
While Defender is paused by the oplock, the System32 directory handle is converted to a reparse point junction targeting the mounted ISO... the junction is swapped again so System32 now points to wdtest_temp... The root working directory %TEMP%\RP_<UUID> is then converted into a reparse point junction targeting C:\Windows.
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
RoguePlanet is described as malware that creates an alternate data stream in the temp directory to execute malicious code, potentially leading to further malware infections, data exfiltration, or system compromise.
A Defender-focused exploit/tool in the same cluster that originally enabled arbitrary code execution and later functioned as a local privilege escalation to SYSTEM; discussed as part of the broader operator toolkit chain.
A Windows local privilege escalation exploit that abuses Microsoft Defender’s scan/quarantine pipeline, NTFS junctions, opportunistic locks, Volume Shadow Copy, and the WER QueueReporting scheduled task to escalate from an unprivileged user to NT AUTHORITY\SYSTEM without a kernel bug or memory corruption.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.