Diffract

Researcher from HUST
Rank #33006 of 53,608 · Total CVSS 7.8 · Vulnerabilities: 1

PT-2026-32884 · CVSS 7.8 · 2026-04-02
Microsoft · Defender · CVE-2026-33825
**Name of the Vulnerable Software and Affected Versions**

- Microsoft Defender antimalware platform, versions prior to 4.18.26030.3011
- Windows 10 (affected versions not specified)
- Windows 11 (affected versions not specified)
- Windows Server 2019 and later (affected versions not specified)

**Description**

Microsoft Defender contains an insufficient-granularity-of-access-control weakness combined with a time-of-check to time-of-use (TOCTOU) flaw in its signature-update and remediation workflow. A local attacker or a malicious application can use it to bypass security checks and elevate privileges to `NT AUTHORITY\SYSTEM`.

Exploitation is a logic chain built on the Windows Cloud Files API, the Volume Shadow Copy Service (VSS), and opportunistic locks (oplocks). The attacker triggers a Defender update or remediation event and uses an oplock to pause the workflow while it is creating a VSS snapshot. With the workflow stalled, the attacker can either read static snapshots of the `SAM`, `SYSTEM`, and `SECURITY` registry hives to extract administrative password hashes, or race the rewrite of cloud-tagged malicious files so that a SYSTEM binary, such as `C:\Windows\system32\TieringEngineService.exe`, is overwritten.

Real-world incidents have been reported in which threat actors used this flaw to disable security logging, encrypt drives with ransomware, and exfiltrate sensitive data, including browser passwords and session cookies. Some of these attacks have been linked to compromised FortiGate SSL VPN connections originating from Russia.

**Recommendations**

- Update the Microsoft Defender antimalware platform to version 4.18.26030.3011 or later.
- Restrict the Volume Shadow Copy Service to specific administrative users via Group Policy.
- Monitor for any process invoking `vssvc.exe` that is not a recognised backup tool.
- Audit logs for unusual `CldFlt` (Cloud Files Mini Filter) activity originating from non-system directories.
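The following PowerShell is an added example written for this page; it is not part of the advisory and is not Microsoft tooling. It turns the recommendations above into three checks: whether the installed Defender platform is at or above the fixed build, which processes were spawned just before each start of `vssvc.exe` (the 4688 event for `vssvc.exe` names `services.exe` as its parent, not the VSS requester, so looking at what ran in the preceding seconds is a heuristic and an assumption of this example), and which Cloud Files sync roots are registered on the host (the assumption being that a sync root an attacker registers to get `CldFlt` attached to a directory shows up under the `SyncRootManager` key like any other provider's). The `$KnownBackupTools` list is a placeholder and must reflect the backup software actually deployed; process-creation auditing (Security log event 4688, ideally with command-line logging) must be enabled for the VSS check to return anything.

```powershell
# Added example for this advisory; assumptions are noted inline.
# Requires an elevated prompt for the Security log and HKLM reads.

$FixedPlatform = [version]'4.18.26030.3011'   # fixed build named in the advisory

# Assumed allow-list of legitimate VSS requesters; replace with the tools in use here.
$KnownBackupTools = @('wbengine.exe', 'wbadmin.exe', 'vmms.exe', 'SystemSettings.exe')

function Test-DefenderPlatformFixed {
    # AMProductVersion is the antimalware platform version reported by Defender.
    $status  = Get-MpComputerStatus
    $current = [version]$status.AMProductVersion
    [pscustomobject]@{
        CurrentPlatform  = $current
        RequiredPlatform = $FixedPlatform
        Patched          = ($current -ge $FixedPlatform)
    }
}

function Get-UnexpectedVssActivity {
    param([int]$Hours = 24, [int]$WindowSeconds = 10)

    # Pull process-creation events and flatten the EventData fields we need.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $d['NewProcessName']
            Parent  = $d['ParentProcessName']
            User    = $d['SubjectUserName']
            Cmd     = $d['CommandLine']   # empty unless command-line auditing is on
        }
    }

    # Heuristic (assumption): the requester that woke VSS was created shortly
    # before vssvc.exe itself. Report such processes unless allow-listed.
    $vssStarts = $events | Where-Object { $_.Process -like '*\vssvc.exe' }
    foreach ($start in $vssStarts) {
        $events | Where-Object {
            $_.Time -ge $start.Time.AddSeconds(-$WindowSeconds) -and
            $_.Time -le $start.Time -and
            $_.Process -notlike '*\vssvc.exe' -and
            $KnownBackupTools -notcontains (Split-Path $_.Process -Leaf)
        } | ForEach-Object {
            [pscustomobject]@{
                VssStart = $start.Time
                Suspect  = $_.Process
                Parent   = $_.Parent
                User     = $_.User
                Cmd      = $_.Cmd
            }
        }
    }
}

function Get-RegisteredSyncRoots {
    # Sync roots registered through the Cloud Files API (what CldFlt attaches to)
    # are recorded under this key, one subkey per provider, with per-SID paths.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
    Get-ChildItem $base -ErrorAction SilentlyContinue | ForEach-Object {
        $provider = $_.PSChildName
        $usr = Join-Path (Join-Path $base $provider) 'UserSyncRoots'
        if (Test-Path $usr) {
            $props = (Get-ItemProperty $usr).PSObject.Properties |
                Where-Object { $_.Name -like 'S-1-*' }
            foreach ($p in $props) {
                [pscustomobject]@{ Provider = $provider; Sid = $p.Name; Path = $p.Value }
            }
        }
    }
}

# Usage:
Test-DefenderPlatformFixed
Get-UnexpectedVssActivity -Hours 48 | Format-Table -AutoSize
# Anything outside the user profile or a known OneDrive/provider location deserves a look.
Get-RegisteredSyncRoots | Format-Table -AutoSize
```

Treat the VSS output as a triage list rather than an alert: a benign-looking process near a `vssvc.exe` start is expected on a host where backups run, and the value comes from spotting an unfamiliar binary, or a user-writable path, in that window.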