
    ⚠ UNPATCHED ZERO-DAY — Public PoC Available
    CVE-2026-50656  |  Microsoft (CNA) CVSS 3.1: 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  |  NVD independent scoring: pending enrichment
    CWE-59: Improper Link Resolution Before File Access  |  Elevation of Privilege
    CISA SSVC: exploitation=poc  |  automatable=no  |  technical impact=total
    Validated on patched Windows 10 and Windows 11 client systems. Microsoft has not published a complete affected-version matrix.
    Status: Microsoft publicly acknowledged June 17, 2026. Patch under development. No ETA. (MSRC  |  NVD  |  Help Net Security)

    RoguePlanet is a local privilege escalation (LPE) exploit targeting a race condition in the Microsoft Defender Antimalware Service Executable (MsMpEng.exe). A standard unprivileged user can escalate to NT AUTHORITY\SYSTEM on patched Windows 10 and Windows 11 client systems. A public PoC has been available since June 10, 2026. No patch exists as of June 19, 2026. This post covers the Windows Defender zero-day attack chain, verified IOCs, and ready-to-deploy KQL and Sigma detection rules.



    Frequently Asked Questions

    What is CVE-2026-50656?

    An unpatched Windows elevation of privilege vulnerability in the Microsoft Malware Protection Engine (MsMpEng.exe) — the core scanning component of Microsoft Defender (formerly Windows Defender). It allows a low-privileged local user to achieve NT AUTHORITY\SYSTEM access through a race condition in Defender’s quarantine workflow. Microsoft assigned a CVSS 3.1 score of 7.8 HIGH. NVD enrichment is still in progress.

    How does RoguePlanet work?

    The exploit chains NTFS directory junctions, opportunistic locks, Volume Shadow Copy timing, and an embedded ISO-mounted EICAR lure to redirect a SYSTEM-privileged Defender file operation into attacker-controlled code. It then manually triggers the Windows Error Reporting QueueReporting scheduled task — accessible to standard users — to execute that code as SYSTEM.

    How can defenders detect RoguePlanet?

    The strongest behavioral heuristic is a shell process spawned with a parent of MsMpEng.exe. Additional signals include the named pipe \\.\pipe\RoguePlanet (specific to the published PoC), unauthorized modification or path redirection of the System32 wermgr.exe execution path, and out-of-schedule invocation of the QueueReporting scheduled task. KQL and Sigma rules are provided below.

    Is there a patch available?

    No. Microsoft confirmed on June 17, 2026 that it is working on a patch but has not provided a timeline. Application allowlisting is the only currently validated preventive control. Monitor the MSRC advisory for release. Given Microsoft issued out-of-band patches for earlier releases in this series, do not assume July Patch Tuesday is the earliest possible release date.


    RoguePlanet Attack Chain (CVE-2026-50656)

    The following is based on independent technical reproductions by ThreatLocker and Cyderes Howler Cell, both of which confirmed the PoC on fully patched Windows 11 with KB5094126.

    1. Entry check: The binary inspects its own process token. If already running as SYSTEM, it connects to the named pipe \\.\pipe\RoguePlanet, identifies the interactive user session, and spawns conhost.exe in that session as SYSTEM — delivering the shell. Otherwise it proceeds with the escalation chain.
    2. I/O saturation: A generator thread plus one worker thread per logical core write continuously to unique temp files, sustaining filesystem load to make Defender’s file-operation timing more controlled.
    3. EICAR lure: An EICAR string embedded inside an ISO image (not dropped standalone) is surfaced via ISO mount to trigger Defender’s real-time remediation engine. ISO mounting by standard users is available on Windows client SKUs but blocked on Windows Server, which is why the PoC does not function on Server in its current form.
    4. Shadow copy monitoring: The exploit monitors \Device for a new HarddiskVolumeShadowCopy* object created during Defender’s workflow. This object is used as a synchronization timing signal — the PoC does not create the shadow copy from user space.
    5. Oplock + junction redirect: An opportunistic lock on the file’s Alternate Data Stream pauses Defender’s file access at the critical window. NTFS directory junctions are built to redirect where Defender’s quarantine artifact lands.
    6. wermgr.exe path compromise: When the race is won, the junction chain causes the System32 wermgr.exe execution path to resolve to attacker-controlled code. ThreatLocker describes this as physical file replacement; Cyderes describes it as a path-resolution redirect through the junction chain. Defenders should investigate both physical file modification and NTFS junction redirection at this path.
    7. Scheduled task trigger: The attacker invokes \Microsoft\Windows\Windows Error Reporting\QueueReporting via the Task Scheduler COM interface — accessible without elevation. The task runs what it believes is the legitimate wermgr.exe as SYSTEM, which is now attacker-controlled code, triggering stage 1’s SYSTEM-path logic.

    Real-time protection state: Public reporting conflicts on whether the PoC requires active real-time protection. Cyderes’s reproduced chain required active RTP. The researcher claimed on June 16 it works regardless of RTP state and in passive mode; passive-mode exploitability has not been independently confirmed in published technical reproductions. Disabling real-time protection is not a recommended mitigation either way.

    Reliability: Race condition success varies by machine. The researcher reported 100% success on some hardware and failure on others. Cyderes confirmed reproduction in a lab environment. Unreliability is not a mitigating control.

    Signature detection: Microsoft Defender flags the compiled PoC as Exploit:Win32/DfndrRugPlnt.BB. Cyderes confirmed the behavioral chain survives recompilation with minimal source changes and remains undetected by static means. (Source: Cyderes Howler Cell)


    Indicators of Compromise (IOCs)

    Indicator | Confidence | Survives PoC Recompile? | Primary Source
    Named pipe \\.\pipe\RoguePlanet | High — PoC-specific | No | Cyderes Howler Cell
    MsMpEng.exe → cmd.exe / powershell.exe as SYSTEM | High heuristic | Partially | Picus Security, Cyderes
    Write to / path redirect of System32 wermgr.exe | High | Yes | ThreatLocker, Cyderes
    wermgr.exe SHA-256 mismatch vs signed baseline | High | Yes | ThreatLocker
    QueueReporting task manual invocation | High | Yes | ThreatLocker, Cyderes
    Shadow copy object access from low-priv process + Defender event | Medium (behavioral chain) | Partially | Cyderes Howler Cell
    EICAR detection in ISO-mount path + remediation sequence | Medium (inferred) | No | ThreatLocker
    ADS oplock + NTFS junction from user-space during scan | Low — requires kernel visibility | Partially | Cyderes Howler Cell

    Named Pipe: \\.\pipe\RoguePlanet

    Present for the entire exploit duration per Cyderes Howler Cell. High-confidence against the published PoC; any actor adapting the technique would rename this pipe. Detect via Sysmon Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected), or EDR named-pipe telemetry.

    MsMpEng.exe Spawning a Shell as SYSTEM

    A high-priority behavioral heuristic. The Antimalware Service Executable has no legitimate documented reason to spawn interactive shells, but confirm the complete process ancestry and correlate with Defender, WER, temp-directory, ADS, and named-pipe activity before treating a single alert as a confirmed exploitation event. Detect via Sysmon Event ID 1 or Security Event ID 4688 (with command-line logging enabled); filter to child process integrity level SYSTEM.

    wermgr.exe Modification or Path Redirect

    Published analyses describe different mechanisms — ThreatLocker reports physical file replacement; Cyderes describes a junction-chain redirect. Investigate both: file write events to C:\Windows\System32\wermgr.exe from non-Windows Update processes, and SHA-256 deviation from the Microsoft-signed build baseline. Detect via Sysmon Event ID 11 or MDE DeviceFileEvents.

    QueueReporting Scheduled Task — Manual Invocation

    The \Microsoft\Windows\Windows Error Reporting\QueueReporting task is accessible to unprivileged users via the Task Scheduler COM interface. Out-of-schedule execution should be treated as suspicious, particularly when co-occurring with other signals from this list. Detect via Task Scheduler Operational Log Event IDs 200/201, Security Event IDs 4698/4702, or schtasks.exe command-line telemetry referencing QueueReporting.

    Shadow Copy Object Access During Defender Remediation

    The exploit monitors \Device for a HarddiskVolumeShadowCopy* object created during Defender’s own workflow and uses it as a synchronization signal. Hunt for low-privileged processes enumerating or accessing shadow-copy device paths co-occurring with Defender remediation events (Defender Operational Event IDs 1116 and 1117). Sysmon WMI events (EID 19, 20, 21) record permanent WMI filter/consumer/binding registrations and are not appropriate for detecting routine shadow-copy enumeration — use EDR filesystem and object-access telemetry instead.


    Detection Rules: KQL and Sigma for CVE-2026-50656

    Before deploying these rules — read this first.

    False positive risk is real. The MsMpEng.exe process-lineage rule (Query 1 / Sigma Rule 1) is the highest-fidelity signal in this set, but it has not been validated across all endpoint configurations, AV stack combinations, or third-party security tool interactions. Do not treat a single alert as a confirmed exploitation event — correlate with shadow copy, WER task, named pipe, and temp-directory activity before escalating.

    Do not enable automated blocking or SOAR response on these rules without first baselining normal behavior in your environment. Run in detection-only / alert mode for at least one observation cycle. Tune exclusions based on what your environment legitimately generates before promoting to any automated response action.

    Schema and version dependency. The KQL queries target Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceFileEvents) tables available in Microsoft Sentinel. If your workspace uses a different data connector or Sysmon version, field names may differ. Validate all field references before deployment. Query 4 (named pipe) requires Sysmon Event IDs 17/18 actively ingested via Azure Monitor Agent — it will return no results if that collection is not configured.

    These rules are starting points, not production-ready signatures. They are provided to accelerate threat hunting and detection engineering. Treat them as templates that require environment-specific validation and tuning.

    AI-assisted content. The KQL queries and Sigma rules on this page were developed with AI assistance to support security professionals. They are based on publicly available technical analysis of CVE-2026-50656 but have not been independently validated in a production environment. Review all logic, field names, and filter conditions before deployment. Use by qualified security personnel only.

    Microsoft Sentinel / Defender for Endpoint — KQL

    The following queries were developed with AI assistance based on publicly available technical analysis of CVE-2026-50656. Validate all field names, table availability, and filter logic against your specific Sentinel workspace and MDE connector version before deployment. Test in non-production or detection-only mode.

    Query 1: MsMpEng.exe spawning a shell process as SYSTEM

    // CVE-2026-50656 RoguePlanet — MsMpEng.exe shell spawn
    // High-priority heuristic. Correlate with WER, junction, pipe, and temp-dir activity.
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName =~ "MsMpEng.exe"
    | where FileName in~ ("cmd.exe", "powershell.exe", "conhost.exe",
                          "wscript.exe", "cscript.exe", "mshta.exe")
    | where ProcessIntegrityLevel =~ "System"
    | project
        Timestamp,
        DeviceName,
        AccountName,
        AccountDomain,
        FileName,
        ProcessCommandLine,
        InitiatingProcessFileName,
        InitiatingProcessCommandLine
    | order by Timestamp desc
    

    Query 2: File write to System32 wermgr.exe from non-Windows-Update process

    // CVE-2026-50656 RoguePlanet — wermgr.exe modification
    // Alert first; tune exclusions based on observed legitimate Windows servicing in your environment.
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | where FileName =~ "wermgr.exe"
    | where FolderPath has @"Windows\System32"
    | where InitiatingProcessFileName !in~ ("TiWorker.exe", "TrustedInstaller.exe", "wuauclt.exe")
    | project
        Timestamp,
        DeviceName,
        InitiatingProcessAccountName,
        InitiatingProcessFileName,
        InitiatingProcessCommandLine,
        SHA256,
        ActionType
    | order by Timestamp desc
    

    Query 3: QueueReporting task invocation or wermgr.exe running as SYSTEM

    // CVE-2026-50656 RoguePlanet — QueueReporting trigger
    // Two conditions captured separately; direct taskhostw.exe parent is not required.
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where (FileName =~ "schtasks.exe"
             and ProcessCommandLine has_any ("QueueReporting", "Windows Error Reporting"))
        or  (FileName =~ "wermgr.exe"
             and AccountSid == "S-1-5-18")
    | project
        Timestamp,
        DeviceName,
        AccountName,
        FileName,
        ProcessCommandLine,
        InitiatingProcessFileName,
        SHA256
    | order by Timestamp desc
    

    Query 4: Named pipe RoguePlanet (WindowsEvent table, AMA ingest)

    // CVE-2026-50656 RoguePlanet — named pipe artifact
    // Requires Sysmon EID 17/18 ingested via Azure Monitor Agent (WindowsEvent table).
    // PipeName is a named field in EventData — avoids brittle XML array indexing.
    WindowsEvent
    | where Channel == "Microsoft-Windows-Sysmon/Operational"
    | where EventID in (17, 18)
    | extend PipeName = tostring(EventData.PipeName)
    | where PipeName has "RoguePlanet"
    | project TimeGenerated, Computer, EventID, PipeName
    | order by TimeGenerated desc
    

    Sigma Detection Rules

    The following Sigma rules were developed with AI assistance and are marked experimental. They have not been validated against production endpoint telemetry. Use with your Sigma-to-SIEM converter of choice (sigmac, pySigma). Review all detection logic, field mappings, and filter conditions before deployment. The MsMpEng.exe rule is rated high, not critical, pending production validation.

    title: RoguePlanet - MsMpEng.exe Spawning Shell as SYSTEM
    id: a7f2c841-3b9e-4d72-9a8f-1c2d3e4f5a6b
    status: experimental
    description: >
        High-priority behavioral heuristic for CVE-2026-50656 (RoguePlanet).
        MsMpEng.exe spawning an interactive shell running as SYSTEM has no
        documented legitimate occurrence. Correlate with Defender remediation,
        WER task, temp-directory, and named-pipe activity before treating as
        a confirmed exploitation event.
    references:
        - https://www.threatlocker.com/blog/microsoft-defender-zero-day-rogueplanet-grants-system-privileges
        - https://www.cyderes.com/howler-cell/rogueplanet-windows-zero-day
        - https://nvd.nist.gov/vuln/detail/CVE-2026-50656
    author: ITKnowledgeBases.com (AI Assistance)
    date: 2026-06-19
    tags:
        - attack.privilege_escalation
        - attack.t1068
        - cve.2026.50656
    logsource:
        category: process_creation
        product: windows
    detection:
        selection:
            ParentImage|endswith: '\MsMpEng.exe'
            Image|endswith:
                - '\cmd.exe'
                - '\powershell.exe'
                - '\conhost.exe'
                - '\wscript.exe'
                - '\cscript.exe'
                - '\mshta.exe'
            IntegrityLevel: 'System'
        condition: selection
    falsepositives:
        - Not documented. Validate against your environment before suppressing.
    level: high
    
    title: RoguePlanet - Named Pipe Artifact
    id: b8e3d952-4c0f-5e83-ab90-2d3e4f5a6b7c
    status: experimental
    description: >
        Detects the named pipe created by the RoguePlanet PoC as released
        (CVE-2026-50656). High confidence against the published binary.
        Will not fire against modified variants that rename the pipe.
    references:
        - https://www.cyderes.com/howler-cell/rogueplanet-windows-zero-day
    author: ITKnowledgeBases.com (AI Assistance)
    date: 2026-06-19
    tags:
        - attack.privilege_escalation
        - attack.t1068
        - cve.2026.50656
    logsource:
        category: pipe_created
        product: windows
        definition: Requires Sysmon Event ID 17
    detection:
        selection:
            PipeName|contains: 'RoguePlanet'
        condition: selection
    falsepositives:
        - Not documented for this pipe name.
    level: high
    
    title: RoguePlanet - System32 wermgr.exe Modification
    id: c9f4e063-5d1a-6f94-bc01-3e4f5a6b7c8d
    status: experimental
    description: >
        Detects file creation or overwrite events targeting
        C:\Windows\System32\wermgr.exe from processes outside known Windows
        Update writers, associated with CVE-2026-50656 (RoguePlanet).
        Covers the physical file replacement scenario described by ThreatLocker.
        Note: if exploitation occurs via NTFS junction-chain redirection without
        a direct file write (as described by Cyderes Howler Cell), this rule
        may not fire. Correlate with hash deviation checks and QueueReporting
        task execution for broader coverage. Alert first; tune exclusions based
        on observed legitimate servicing behavior.
    references:
        - https://www.threatlocker.com/blog/microsoft-defender-zero-day-rogueplanet-grants-system-privileges
        - https://www.cyderes.com/howler-cell/rogueplanet-windows-zero-day
    author: ITKnowledgeBases.com (AI Assistance)
    date: 2026-06-19
    tags:
        - attack.privilege_escalation
        - attack.t1068
        - cve.2026.50656
    logsource:
        category: file_event
        product: windows
    detection:
        selection:
            TargetFilename|endswith: '\Windows\System32\wermgr.exe'
        filter_winupdate:
            Image|endswith:
                - '\TiWorker.exe'
                - '\TrustedInstaller.exe'
                - '\wuauclt.exe'
        condition: selection and not filter_winupdate
    falsepositives:
        - Windows Update processes (filtered). Tune additional exclusions based on observed environment behavior.
    level: high
    

    Mitigations

    The researcher stated on June 16 that signature-based detections can be entirely bypassed with minor PoC source changes, adding: “The only thing you can realistically do is wait for a patch from Microsoft.” (Help Net Security) Do not rely on the Exploit:Win32/DfndrRugPlnt.BB signature as a primary control.

    • Apply the patch immediately when released. Monitor MSRC CVE-2026-50656 and the ITKB Advisory Center for release. Do not assume the patch will wait for July Patch Tuesday — out-of-band releases are precedented for this series.
    • Application allowlisting is the only currently validated preventive control. ThreatLocker CEO Danny Jenkins confirmed to BleepingComputer that allowlisting blocks the exploit from executing. (BleepingComputer)
    • Deploy the KQL rules above in Microsoft Sentinel with a focus on Query 1 (MsMpEng.exe shell spawn) and Query 4 (named pipe) as your highest-fidelity signals.
    • Baseline wermgr.exe SHA-256 on all managed endpoints now, while you have a known-good state. Hash deviation is a reliable post-exploitation indicator even if the write event is missed.
    • Do not disable Microsoft Defender as a mitigation. Public reporting conflicts on whether active real-time protection is required for the reproduced chain — disabling it removes detection capability while providing no confirmed protection.
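    A concrete form of the baseline-and-verify step above, added here as an example rather than code from the post or from ThreatLocker or Cyderes: it records a known-good SHA-256 and the fully resolved on-disk path of a binary, then reports hash deviation, a reparse point (junction or symlink) at the file, or the path now resolving somewhere else, which covers both the physical-replacement and the path-redirection variants the page describes. The checked path is a parameter so the demo runs offline against a constructed stand-in in a temporary directory; on an endpoint you would point it at C:\Windows\System32\wermgr.exe. The simulated redirect uses a symlink because a Python script cannot create an NTFS junction portably; on Windows os.lstat exposes the same reparse-point attribute that a junction sets.

```python
"""Baseline and re-verify a protected binary: hash plus path resolution.

Added example, not code from the original post or from any vendor it cites.
Records the known-good SHA-256 and the fully resolved path of a file, then
re-checks for (a) the path resolving somewhere else, (b) a reparse point
(junction/symlink) at the file itself, and (c) hash deviation.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_reparse_point(path):
    """True if the final component is a symlink, junction or other reparse point.
    os.lstat never follows the link; st_file_attributes exists only on Windows,
    where NTFS junctions carry FILE_ATTRIBUTE_REPARSE_POINT."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def build_baseline(path):
    """Capture the known-good state while the endpoint is still trusted."""
    return {
        "path": os.path.abspath(path),
        "resolved": os.path.realpath(path),  # every junction/symlink followed
        "sha256": sha256_of(path),
    }


def save_baseline(baseline, store):
    with open(store, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2)


def load_baseline(store):
    with open(store, encoding="utf-8") as f:
        return json.load(f)


def verify(baseline):
    """Return the list of findings; an empty list means the file matches baseline."""
    path = baseline["path"]
    if not os.path.lexists(path):
        return ["missing"]
    findings = []
    if os.path.realpath(path) != baseline["resolved"]:
        findings.append("path_redirect")
    if is_reparse_point(path):
        findings.append("reparse_point")
    if not os.path.exists(path):  # dangling link: nothing to hash
        findings.append("missing")
    elif sha256_of(path) != baseline["sha256"]:
        findings.append("hash_mismatch")
    return findings


def demo():
    """Constructed scenario in a temp dir: clean, then overwritten, then redirected
    through a symlink (stand-in for an NTFS junction). Returns the three results."""
    tmp = tempfile.mkdtemp()
    try:
        target = os.path.join(tmp, "wermgr.exe")  # stand-in, not the real binary
        store = os.path.join(tmp, "baseline.json")
        with open(target, "wb") as f:
            f.write(b"known-good build (constructed bytes)")
        save_baseline(build_baseline(target), store)
        baseline = load_baseline(store)
        clean = verify(baseline)

        with open(target, "wb") as f:  # physical replacement variant
            f.write(b"replacement bytes (constructed)")
        tampered = verify(baseline)

        rogue = os.path.join(tmp, "elsewhere.bin")  # path-redirect variant
        with open(rogue, "wb") as f:
            f.write(b"redirect target (constructed)")
        os.remove(target)
        os.symlink(rogue, target)
        redirected = verify(baseline)
    finally:
        shutil.rmtree(tmp)
    return clean, tampered, redirected


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "redirected"), demo()):
        print(f"{label}: {result or 'OK'}")
```

    Keep the baseline store somewhere the endpoint's users cannot write, and on Windows pair the hash comparison with a signature check (PowerShell's Get-AuthenticodeSignature) so that a servicing update, which legitimately changes the hash, can be told apart from a replacement.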

    Series Context: Prior Exploitation

    RoguePlanet is the seventh exploit released by the researcher known as Nightmare Eclipse targeting Microsoft Defender or adjacent Windows components since April 2026. Huntress observed BlueHammer, RedSun, and UnDefend — three earlier exploits in this series — during a real-world intrusion involving FortiGate VPN compromise as the initial access vector. (Huntress) CISA subsequently added the associated CVEs — CVE-2026-33825 (BlueHammer), CVE-2026-41091 (RedSun), and CVE-2026-45498 (UnDefend) — to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Treat RoguePlanet’s public PoC as credibly weaponizable given that history.





    Last updated June 19, 2026. Technical sources: ThreatLocker, Cyderes Howler Cell, Help Net Security, BleepingComputer, Picus Security, NVD, Huntress. KQL queries and Sigma rules are provided as starting points for detection engineering. Validate all field names against your workspace schema, test in non-production or detection-only mode, and tune exclusions based on observed legitimate activity before enabling any automated response. Vendor table schemas and Sysmon field names may vary by version and connector — verify against your specific deployment before use.
