Back to Intelligence

Microsoft Defender Zero-Day: Detecting SAM Database Access and NTLM Hash Theft

SA
Security Arsenal Team
April 23, 2026
5 min read

Introduction

A critical security vulnerability has been identified in Microsoft Defender, turning the organization's primary antivirus defense into an attack vector. This unpatched flaw allows attackers to leverage Defender's high privileges to access the Security Account Manager (SAM) database, extract NTLM hashes, and escalate to System-level privileges.

For defenders, this is a nightmare scenario: the exploit runs within the context of a trusted, signed Microsoft system process. Standard allow-listing and trust models fail here because the malicious actions originate from MpMpEng.exe or associated kernel drivers. Immediate action is required to detect potential exploitation and mitigate the risk of credential dumping until a patch is widely deployed.

Technical Analysis

  • Affected Products: Microsoft Defender (Windows 10, Windows 11, Windows Server 2016+).
  • Vulnerability Type: Privilege Escalation / Information Disclosure.
  • Mechanism: The flaw exists in how specific components of Microsoft Defender (likely a kernel driver or the central service process) handle file system operations or IOCTL interactions. An attacker with initial access (e.g., standard user or malicious service) can invoke these vulnerable components.
  • Attack Chain:
    1. Attacker executes code on the target (low privileges).
    2. Attacker triggers the vulnerability in Defender, forcing the trusted process (running as NT AUTHORITY\SYSTEM) to perform malicious actions on the attacker's behalf.
    3. The Defender process reads the protected SAM database (C:\Windows\System32\config\SAM) or the live registry hive HKLM\SAM.
    4. NTLM hashes are extracted and exfiltrated or used for Pass-the-Hash attacks.
  • Exploitation Status: Confirmed zero-day exploitation in the wild. This is not theoretical; active threat actors are abusing this mechanism.

Detection & Response

Detecting this vulnerability is challenging because the activity originates from a signed, trusted binary. You cannot block MsMpEng.exe without crippling your defense infrastructure. Therefore, detection logic must focus on the abnormal behavior of the Defender process or the outcome (credential theft).

SIGMA Rules

YAML
---
title: Potential SAM Database Access by Microsoft Defender
id: 9c8d2f1a-3b4e-4c5d-9e6f-1a2b3c4d5e6f
status: experimental
description: Detects Microsoft Defender processes accessing the SAM database file or registry hive, which is highly unusual behavior indicative of an exploit attempt or CVE abuse.
references:
  - https://attack.mitre.org/techniques/T1003/002/
author: Security Arsenal
date: 2024/10/24
tags:
  - attack.credential_access
  - attack.t1003.002
logsource:
  category: file_access
  product: windows
detection:
  selection:
    Image|endswith: '\MsMpEng.exe'
    TargetFilename|contains:
      - '\config\SAM'
      - '\config\SYSTEM'
  condition: selection
falsepositives:
  - Unknown (Legitimate Defender scans should not access raw SAM files directly)
level: critical
---
title: Suspicious Registry Access to SAM Hive
id: b4e3c2d1-5a6f-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects attempts to read the SAM registry hive. While System account does this, monitoring the specific threads or calling processes (if EDR telemetry allows) is crucial. This rule looks for direct registry key handle creation requests.
references:
  - https://attack.mitre.org/techniques/T1003/002/
author: Security Arsenal
date: 2024/10/24
tags:
  - attack.credential_access
  - attack.t1003.002
logsource:
  category: registry_access
  product: windows
detection:
  selection:
    TargetObject|contains: 'HKLM\SAM'
  filter_legit_os:
    Image|endswith:
      - '\lsass.exe'
      - '\services.exe'
      - '\wininit.exe'
  condition: selection and not 1 of filter_legit_os
falsepositives:
  - Legacy backup software
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for file access events where the Defender service image touches the SAM configuration files.

KQL — Microsoft Sentinel / Defender
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActingProcessFileName =~ "MsMpEng.exe"
| where FileName has "SAM" 
| whereFolderPath contains "\\System32\\config"
| project Timestamp, DeviceName, ActingProcessFileName, FileName, FolderPath, InitiatingProcessAccountName, AdditionalFields
| order by Timestamp desc

Velociraptor VQL

Use this artifact to hunt for open handles to the SAM file. This is a high-fidelity check on endpoints.

VQL — Velociraptor
-- Hunt for handles open to the SAM database
SELECT Pid, Process.Name, Process.CommmandLine, Handle.Name, Handle.Type
FROM glob(globs="*/")
WHERE Handle.Name =~ "\\\\System32\\\\config\\\\SAM"
  AND NOT Process.Name =~ "lsass.exe"
  AND NOT Process.Name =~ "services.exe"

Remediation Script (PowerShell)

Use this script to identify vulnerable Defender component versions and verify if the patch has been applied. Note: Replace the SafeVersion variable with the specific version number provided in the official Microsoft advisory once available.

PowerShell
# Check Microsoft Defender Driver Versions for Known Vulnerability
# Requires Administrator Privileges

Write-Host "[+] Checking Microsoft Defender Component Versions..." -ForegroundColor Cyan

# Check MpEngine version
$mpEnginePath = "C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpEngine.dll"
if (Test-Path $mpEnginePath) {
    $latestMpEngine = Get-ChildItem $mpEnginePath | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $versionInfo = $latestMpEngine.VersionInfo.FileVersion
    Write-Host "    MpEngine.dll Version: $versionInfo" -ForegroundColor Yellow
} else {
    Write-Host "    [-] MpEngine.dll not found in standard path." -ForegroundColor Red
}

# Check the core driver (wd.sys) often involved in kernel exploits
$driverPath = "C:\Windows\System32\drivers\wd.sys"
if (Test-Path $driverPath) {
    $driverInfo = (Get-Item $driverPath).VersionInfo.FileVersionRaw
    Write-Host "    wd.sys Version: $driverInfo" -ForegroundColor Yellow

    # EXAMPLE LOGIC: Replace with actual safe version from MS Advisory
    # For demonstration, we assume 4.18.23000.0 is the safe version.
    # Update this logic based on the specific CVE release.
    # if ($driverInfo -lt "4.18.23000.0") { 
    #    Write-Host "    [!] VULNERABLE VERSION DETECTED." -ForegroundColor Red 
    # }
}

Write-Host "[+] Recommendation: Ensure 'Microsoft Defender Antivirus' updates are installed via Windows Update or Intune immediately." -ForegroundColor Green

Remediation

  1. Apply Patches Immediately: Monitor Windows Update and Microsoft Security Advisory (e.g., ADV24000X) for the patch addressing this specific SAM access vulnerability. Prioritize updating the Defender Antivirus platform components (MpEngine and kernel drivers).
  2. Review Defender Exclusions: Ensure that no broad path exclusions exist that could allow an attacker to place a malicious DLL in a path scanned or loaded by Defender.
  3. Restrict Local Admin Privileges: While this vulnerability escalates to System, it often requires initial code execution. Aggressively reducing local administrator rights hinders the attacker's ability to trigger the exploit.
  4. Network Segmentation: Prevent lateral movement using NTLM hashes by enforcing SMB signing and restricting NTLM usage across the network.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosuremicrosoft-defendersam-databasentlm-hashes

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action