
Detect BlueHammer Vulnerability on Windows Endpoints

Scan Windows endpoints for BlueHammer vulnerability indicators and report exposure for fleet-wide remediation

Worklet Details

What the BlueHammer detector does

This Automox Worklet™ detects the BlueHammer vulnerability on Windows endpoints and records exposure in the Automox activity log. The Worklet runs read-only checks against the registry, installed component versions, and configuration state that BlueHammer is known to exploit, then reports a clear vulnerable or compliant verdict per endpoint. Remediation is deliberately out of scope for this Worklet; pair it with the companion BlueHammer Hardening Worklet to apply the fix on flagged endpoints.

The Worklet is structured as a detection probe so it can run safely on production fleets during a maintenance window or even during business hours. No services restart, no registry values change, no files are added or removed. The Worklet reads the endpoint, compares its state to the BlueHammer indicator set, and returns the verdict to Automox. This shape lets a security team get an accurate fleet-wide exposure count before scheduling any disruption.

Because the evaluation phase is fully idempotent and side-effect free, the Worklet can be scheduled on a tight recurring policy (for example, every six hours) during an active incident response. The repeated reads keep the exposure dashboard fresh as the parallel hardening rollout drains the vulnerable population, so the security team sees real-time progress instead of waiting for the next weekly compliance report.

Why detect BlueHammer across the fleet first

When a new Windows vulnerability lands, the security team's first question is rarely how to fix it. It is which endpoints are exposed, and how many. Without an accurate detection signal, the hardening rollout is either too cautious (slow remediation while attackers iterate) or too aggressive (disruptive changes pushed to endpoints that were never vulnerable in the first place). Both failure modes burn trust with the rest of the organization.

Scoping BlueHammer with a network vulnerability scanner normally takes weeks, because the scan has to reach and authenticate to every Windows endpoint, and machines that are off-network, asleep, or behind a host firewall are simply absent from the result. Apply this Worklet through your incident-response policy group instead, so the relevant registry values and SMB configuration are read directly by the agent on every workstation and server in scope, whether or not the scanner can reach them. The security team sees a real exposure count in hours instead of waiting on a scan window. Follow the detection sweep with the BlueHammer Hardening Worklet; a final detection pass then produces audit evidence that exposure dropped to zero across the same population.

How BlueHammer detection works

  1. Evaluation phase: The Worklet runs read-only PowerShell checks against the BlueHammer indicator set. It inspects relevant registry keys, queries installed component versions via Get-ItemProperty against HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and compares the captured state to the known-vulnerable signature. If any indicator matches, the endpoint is reported vulnerable; if all indicators are clear, it is reported compliant.

  2. Remediation phase: This Worklet is detection-only by design. The remediation script writes a structured verdict line via Write-Output that Automox surfaces in the activity log, including the matching indicator name and the registry path or version string that triggered the verdict. No system changes are applied. Pair this Worklet with the companion BlueHammer Hardening Worklet to remediate flagged endpoints.
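The evaluation script below is an added example in the shape the two phases describe; it is not the Worklet's own code. The indicator entries, product name, registry key, value name and fixed version in it are placeholders: BlueHammer's real indicators are not given on this page and must be taken from the vendor advisory before anything like this is deployed. It shows the two checks the text names (an installed-version comparison read through Get-ItemProperty on the Uninstall hive, and a registry-value check), the structured verdict line, and the exit code that tells Automox whether the endpoint is compliant.

```powershell
# Added example (not the Worklet's own code): detection-only evaluation script.
# Every indicator below is a PLACEHOLDER; replace with the values from the advisory.

$Indicators = @(
    @{ Name         = 'ComponentBelowFixedVersion'          # hypothetical indicator
       Type         = 'ComponentVersion'
       DisplayName  = 'Example Component*'                  # hypothetical product name
       FixedVersion = '2.4.1.0' }                           # hypothetical fixed build
    @{ Name            = 'LegacyModeEnabled'                # hypothetical indicator
       Type            = 'RegistryValue'
       Path            = 'HKLM:\SOFTWARE\Example\Settings'  # hypothetical key
       ValueName       = 'LegacyModeEnabled'                # hypothetical value name
       VulnerableValue = 1 }
)

function Get-InstalledComponent {
    param([string]$DisplayNamePattern)
    # Read both uninstall hives so 32-bit packages on 64-bit Windows are not missed.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object DisplayName, DisplayVersion, PSPath
}

function Test-Indicator {
    # Returns $null when the indicator is clear, otherwise a string naming the
    # on-disk artifact that matched (registry path or version string).
    param([hashtable]$Indicator)
    switch ($Indicator.Type) {
        'ComponentVersion' {
            $fixed = [version]$Indicator.FixedVersion
            foreach ($c in Get-InstalledComponent $Indicator.DisplayName) {
                $installed = $null
                if (-not [version]::TryParse($c.DisplayVersion, [ref]$installed)) {
                    # Fail closed: a version we cannot parse is reported, not skipped.
                    return "$($c.DisplayName) has unparseable version '$($c.DisplayVersion)'"
                }
                # Compare as [version], never as strings: '2.10.0.0' sorts before '2.4.1.0' as text.
                if ($installed -lt $fixed) {
                    return "$($c.DisplayName) $installed is below fixed $fixed"
                }
            }
            return $null
        }
        'RegistryValue' {
            $item = Get-ItemProperty -Path $Indicator.Path -Name $Indicator.ValueName `
                                     -ErrorAction SilentlyContinue
            # An absent value is treated as clear here. Whether "absent" means
            # default-vulnerable is a per-advisory fact and must not be assumed.
            if ($null -eq $item) { return $null }
            if ($item.($Indicator.ValueName) -eq $Indicator.VulnerableValue) {
                return "$($Indicator.Path)\$($Indicator.ValueName) = $($Indicator.VulnerableValue)"
            }
            return $null
        }
        default { throw "Unknown indicator type '$($Indicator.Type)'" }
    }
}

# Evaluate every indicator and keep all hits, so the log shows each matching artifact.
$hits = foreach ($i in $Indicators) {
    $artifact = Test-Indicator $i
    if ($artifact) { [pscustomobject]@{ Indicator = $i.Name; Artifact = $artifact } }
}

# One structured verdict line per endpoint; JSON so a SIEM export parses it unchanged.
$status  = if ($hits) { 'VULNERABLE' } else { 'COMPLIANT' }
$verdict = [ordered]@{
    Check     = 'BlueHammer'
    Host      = $env:COMPUTERNAME
    Timestamp = (Get-Date).ToUniversalTime().ToString('o')
    Verdict   = $status
    Hits      = @($hits)
}
Write-Output ($verdict | ConvertTo-Json -Compress -Depth 3)

# Automox convention assumed here: exit 0 = compliant, non-zero = non-compliant
# (the remediation script then runs).
if ($hits) { exit 1 } else { exit 0 }
```

For a detection-only Worklet, the remediation script can carry the same detection body but always exit 0 after writing its verdict line, so a vulnerable endpoint is logged without being marked as a failed remediation. Two details matter in practice: compare versions as [version] objects rather than strings, and decide explicitly, from the advisory, what an absent registry value means; both are silent ways to under-count exposure.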

BlueHammer detection requirements

  • Windows 10, Windows 11, or Windows Server 2016 and later with PowerShell 5.1 or PowerShell 7 available

  • Local administrator privileges on the target endpoint to read system registry hives (the Automox agent runs as LocalSystem, which satisfies this)

  • The companion Worklet Windows - Security - BlueHammer Vulnerability Hardening staged in the same policy folder for the remediation pass

  • Automox activity log retention configured long enough to support the audit window required by the incident; daily exports to a SIEM are a common pattern

  • A change-management ticket or incident reference recorded against the policy run, so the detection results can be tied back to the formal response activity

Expected BlueHammer detection results

After the policy runs across the fleet, the Automox dashboard shows two clear populations: endpoints reported vulnerable to BlueHammer, and endpoints reported compliant. Each vulnerable record includes the specific indicator name and the on-disk artifact (registry path, file version, or configuration value) that triggered the verdict, so the security team can sample the population for verification before authorizing the hardening rollout.

Validate by running the Worklet against one known-vulnerable lab endpoint and one known-patched endpoint, then confirming the activity log shows opposite verdicts. For audit evidence, export the policy run output as CSV and store it with the incident ticket. As the parallel hardening rollout completes, re-running this Worklet against the same scope will show the vulnerable count trending to zero, producing the closeout evidence the security team needs to retire the incident.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
