<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
h4
{mso-style-priority:9;
mso-style-link:"Heading 4 Char";
mso-margin-top-alt:auto;
margin-right:0in;
margin-bottom:2.4pt;
margin-left:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
color:black;
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.Heading4Char
{mso-style-name:"Heading 4 Char";
mso-style-priority:9;
mso-style-link:"Heading 4";
font-family:"Aptos",sans-serif;
color:#0F4761;
font-style:italic;}
span.first-word1
{mso-style-name:first-word1;
font-weight:bold;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:497774646;
mso-list-template-ids:642394426;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:871459353;
mso-list-template-ids:833359594;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:1323045977;
mso-list-type:hybrid;
mso-list-template-ids:-1506352004 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3
{mso-list-id:1975207927;
mso-list-template-ids:905195962;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Good morning,<o:p></o:p></span></p>
<p><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The SOC Services team is reporting on the vulnerability:
<b>CVE-2026-33825</b></span><b><span lang="EN" style="font-family:"Calibri",sans-serif">:<span style="color:black"> Microsoft Defender Elevation of Privilege Vulnerability (CWE-1220: Insufficient Granularity of Access Control)</span></span></b><span lang="EN" style="font-family:"Calibri",sans-serif">.
<span style="color:black">Due to active exploitation of the vulnerability and knowledge of the software in the state environment, we are providing this in-depth information.
<o:p></o:p></span></span></p>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">History:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"> Publicly disclosed on April 14, 2026, as part of Microsoft's Patch Tuesday,
following a zero-day leak by researcher 'Chaotic Eclipse'. The CVSS v3.x base score is 7.8 (HIGH).</span><span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext;font-weight:normal">
<o:p></o:p></span></h4>
<h4><i><span lang="EN" style="font-family:"Calibri",sans-serif;color:red">**</span></i><i><span lang="EN" style="color:red">
</span></i><i><span style="color:red">N</span></i><i><span style="font-family:"Calibri",sans-serif;color:red">OTE: This vulnerability requires AGENCY/BOARD/COMISSION action as it is NOT remediated at the tenant level.</span></i><i><span lang="EN" style="font-family:"Calibri",sans-serif;color:red"><o:p></o:p></span></i></h4>
<h4 style="margin-top:0in"><span lang="EN" style="color:windowtext"><o:p> </o:p></span></h4>
<h4 style="margin-top:0in"><span lang="EN" style="font-family:"Calibri",sans-serif">Affected Versions<o:p></o:p></span></h4>
<ul style="margin-top:0in" type="disc" id="affectedVersionsList">
<li class="MsoNormal" style="color:black;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo1">
<span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext">Last version of the Microsoft Defender Antimalware Platform affected by this vulnerability: Version 4.18.26020.6</span><span lang="EN" style="font-family:"Calibri",sans-serif"><o:p></o:p></span></li></ul>
<h4 style="margin-top:0in"><span lang="EN" style="font-family:"Calibri",sans-serif">Fixed Versions<o:p></o:p></span></h4>
<ul style="margin-top:0in" type="disc" id="fixedVersionsList">
<li class="MsoNormal" style="color:black;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2">
<span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext">First version of the Microsoft Defender Antimalware Platform with this vulnerability addressed: Version 4.18.26030.3011</span><span lang="EN" style="font-family:"Calibri",sans-serif"><o:p></o:p></span></li></ul>
<p><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Vendor Advisory:
<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825">Microsoft Defender Elevation of Privilege Vulnerability</a><o:p></o:p></span></p>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Intelligence:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"> On April 22, 2026, CISA confirmed the vulnerability in the Known Exploited
Vulnerabilities Catalog.<o:p></o:p></span></h4>
<p><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Exploitability:</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"> Local<br>
<strong><span style="font-family:"Calibri",sans-serif">Complexity:</span></strong> Low<br>
<strong><span style="font-family:"Calibri",sans-serif">User Interaction:</span></strong> None<br>
<strong><span style="font-family:"Calibri",sans-serif">Remotely Exploitable:</span></strong> No (Local access required)<br>
<strong><span style="font-family:"Calibri",sans-serif">Proof of Concept:</span></strong> Publicly Available (GitHub - BlueHammer)<br>
<strong><span style="font-family:"Calibri",sans-serif">Zero Day:</span></strong> Yes
<o:p></o:p></span></p>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Workarounds:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"> Restrict local logon rights to trusted users; Monitor for unauthorized
use of NTFS junctions and symbolic link creation by low-privilege users</span><span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext;font-weight:normal">.</span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></h4>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">How it Works:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"> The exploit targets the Defender signature update process. An attacker
places an opportunistic lock (oplock) on a path in a directory Defender is about to read. When the Defender service attempts to open that file, the oplock break pauses the operation before it completes. In that window the attacker replaces the legitimate file with an NTFS junction pointing to a protected system
file (e.g., C:\Windows\System32\config\SAM) - a time-of-check/time-of-use race (CWE-367). Defender then resumes the operation as SYSTEM, reads the sensitive file, and inadvertently caches or logs its contents in a location the low-privileged user can read</span><span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext;font-weight:normal">.</span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></h4>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Post-Exploit Impact:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></h4>
<ul type="disc" id="postExploitImpactList">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3">
<span lang="EN" style="font-family:"Calibri",sans-serif">Extraction of NTLM hashes from the SAM database (CWE-1220 (Insufficient Granularity of Access Control))<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3">
<span lang="EN" style="font-family:"Calibri",sans-serif">Full SYSTEM-level shell access and credential theft (CWE-367 (TOCTOU Race Condition))<o:p></o:p></span></li></ul>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Indicators of Compromise (IoCs):</span></span><span lang="EN" style="color:windowtext;font-weight:normal"><o:p></o:p></span></h4>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="75%" style="width:75.86%;border-collapse:collapse">
<thead>
<tr>
<td width="13%" style="width:13.68%;border:solid #CCCCCC 1.0pt;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;color:black">Type<o:p></o:p></span></b></p>
</td>
<td width="31%" style="width:31.38%;border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;color:black">Value<o:p></o:p></span></b></p>
</td>
<td width="36%" style="width:36.24%;border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;color:black">Description / Notes<o:p></o:p></span></b></p>
</td>
<td width="18%" style="width:18.7%;border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;color:black">Source<o:p></o:p></span></b></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="13%" style="width:13.68%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Filename<o:p></o:p></span></p>
</td>
<td width="31%" style="width:31.38%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">BlueHammer.exe<o:p></o:p></span></p>
</td>
<td width="36%" style="width:36.24%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Common compiled exploit binary name from leaked PoC<o:p></o:p></span></p>
</td>
<td width="18%" style="width:18.7%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">GitHub / Threat Research<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="13%" style="width:13.68%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">File Name<o:p></o:p></span></p>
</td>
<td width="31%" style="width:31.38%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">FunnyApp.exe<o:p></o:p></span></p>
</td>
<td width="36%" style="width:36.24%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Alternate name used in real-world staging of the exploit<o:p></o:p></span></p>
</td>
<td width="18%" style="width:18.7%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">SOC Prime / Huntress<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="13%" style="width:13.68%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">File Hash (SHA256)<o:p></o:p></span></p>
</td>
<td width="31%" style="width:31.38%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">e3b0c442... (Example)<o:p></o:p></span></p>
</td>
<td width="36%" style="width:36.24%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Monitor for hashes associated with the "Nightmare-Eclipse" GitHub repository.<o:p></o:p></span></p>
</td>
<td width="18%" style="width:18.7%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Threat Intel Feeds<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="13%" style="width:13.68%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">AV Detection<o:p></o:p></span></p>
</td>
<td width="31%" style="width:31.38%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Exploit:Win32/DfndrPEBluHmr.BB<o:p></o:p></span></p>
</td>
<td width="36%" style="width:36.24%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Microsoft Defender signature specifically for the BlueHammer PoC.<o:p></o:p></span></p>
</td>
<td width="18%" style="width:18.7%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Microsoft / Cyderes<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="13%" style="width:13.68%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Registry Path<o:p></o:p></span></p>
</td>
<td width="31%" style="width:31.38%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">\HarddiskVolumeShadowCopy*<o:p></o:p></span></p>
</td>
<td width="36%" style="width:36.24%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Unusual enumeration of VSS snapshots by non-system processes.<o:p></o:p></span></p>
</td>
<td width="18%" style="width:18.7%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Cyderes<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="13%" style="width:13.68%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Registry Key<o:p></o:p></span></p>
</td>
<td width="31%" style="width:31.38%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">HKLM\SAM\SAM\Domains\Account\Users<o:p></o:p></span></p>
</td>
<td width="36%" style="width:36.24%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Unauthorized access to this key by Defender processes triggered by non-admin users<o:p></o:p></span></p>
</td>
<td width="18%" style="width:18.7%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">SentinelOne<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="13%" style="width:13.68%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Process Activity<o:p></o:p></span></p>
</td>
<td width="31%" style="width:31.38%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">cmd.exe<o:p></o:p></span></p>
</td>
<td width="36%" style="width:36.24%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Spawned from a temporary Windows Service with SYSTEM integrity.<o:p></o:p></span></p>
</td>
<td width="18%" style="width:18.7%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Help Net Security<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="13%" style="width:13.68%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Event ID<o:p></o:p></span></p>
</td>
<td width="31%" style="width:31.38%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">4672<o:p></o:p></span></p>
</td>
<td width="36%" style="width:36.24%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">"Special privileges assigned to new logon" associated with unexpected SYSTEM access.<o:p></o:p></span></p>
</td>
<td width="18%" style="width:18.7%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">SentinelOne<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="13%" style="width:13.68%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Behavioral<o:p></o:p></span></p>
</td>
<td width="31%" style="width:31.38%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">SamiChangePasswordUser<o:p></o:p></span></p>
</td>
<td width="36%" style="width:36.24%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">API calls to forcefully change the local Administrator password.<o:p></o:p></span></p>
</td>
<td width="18%" style="width:18.7%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Cyderes<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="13%" style="width:13.68%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Behavioral<o:p></o:p></span></p>
</td>
<td width="31%" style="width:31.38%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">LogonUserEx<o:p></o:p></span></p>
</td>
<td width="36%" style="width:36.24%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Rapid login/logout activity for the local Administrator account.<o:p></o:p></span></p>
</td>
<td width="18%" style="width:18.7%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Field Effect<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Tenable Plugins:</span></span><u><span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext"><o:p></o:p></span></u></h4>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="75%" style="width:75.86%;border-collapse:collapse">
<thead>
<tr>
<td width="10%" style="width:10.94%;border:solid #CCCCCC 1.0pt;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;color:black">Plugin ID<o:p></o:p></span></b></p>
</td>
<td width="34%" style="width:34.04%;border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;color:black">Plugin Title<o:p></o:p></span></b></p>
</td>
<td width="36%" style="width:36.32%;border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;color:black">Severity<o:p></o:p></span></b></p>
</td>
<td width="18%" style="width:18.72%;border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;color:black">Platform<o:p></o:p></span></b></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="10%" style="width:10.94%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><a href="https://www.tenable.com/plugins/nessus/306740">306740</a><o:p></o:p></span></p>
</td>
<td width="34%" style="width:34.04%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Security Updates for Windows Defender (April 2026)<o:p></o:p></span></p>
</td>
<td width="36%" style="width:36.32%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">High<o:p></o:p></span></p>
</td>
<td width="18%" style="width:18.72%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Nessus<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Recommended Actions:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></h4>
<p><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Date Added to KEV Catalog:</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"> April 22, 2026<br>
<strong><span style="font-family:"Calibri",sans-serif">Due Date for Remediation:</span></strong> May
</span><span lang="EN" style="font-family:"Calibri",sans-serif">6<span style="color:black">, 2026
<o:p></o:p></span></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Ensure </span><span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext">Microsoft Defender Antimalware Platform
</span><span lang="EN" style="font-family:"Calibri",sans-serif">is updated to version
</span><span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext">4.18.26030.3011
</span><span lang="EN" style="font-family:"Calibri",sans-serif">or higher</span><span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext">.</span><span lang="EN" style="font-family:"Calibri",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Review audit logs for Event IDs 4656/4663 (Object Access) that record access to the SAM hive by processes other than lsass.exe; note that these events are generated only where object-access auditing is enabled and a SACL is configured on the SAM key</span><span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext">.</span><span lang="EN" style="font-family:"Calibri",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Verify the host has not been compromised before applying patches.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Apply appropriate updates provided by the vendor to vulnerable systems after testing.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Run all software as a non-privileged user to reduce the impact of a successful attack.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Apply the Principle of Least Privilege to all systems and services.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><b><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></b></p>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:11.0pt;color:black">EIS Security Operations Center</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black">Enterprise Information Services</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black">Cyber Security Services | CSS</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">SOC Hotline: (503) 378-5930</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><a href="mailto:SOC@EIS.OREGON.GOV"><span style="color:#467886">SOC@EIS.OREGON.GOV</span></a></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black"><img border="0" width="55" height="55" style="width:.5729in;height:.5729in" id="_x0000_i1026" src="cid:image004.png@01DCD30A.908AA010"></span><span style="font-size:11.0pt;color:black"> <img border="0" width="205" height="53" style="width:2.1354in;height:.552in" id="Picture_x0020_1" src="cid:image002.png@01DCD30A.908AA010"></span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="color:black"> </span><b><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</body>
</html>