Windows Suspicious Defender Engine or Signature Files Created

Splunk Security Content

Summary
Detects creation of Windows Defender engine or signature files (mpengine.dll and *.vdm) by any process other than a Windows Defender component. BlueHammer stages mpam-fe update components into a UUID-named subdirectory of %TEMP% in preparation for a TOCTOU privilege escalation. The rule uses Sysmon EventID 11 (File Create) to flag TargetFilename patterns such as mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlta.vdm, and mpengine.dll, while excluding creations under Defender program directories. It aggregates detections by host, target filename, image (process), and time, enabling investigation of non-Defender processes attempting to place Defender binaries or signatures in user or temp locations. The analytic story highlights Windows Privilege Escalation and BlueHammer techniques and ties to the MITRE technique T1068. The rule is intended for Endpoint telemetry normalized to the CIM, and maps to the Security domain and Splunk product stack.
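The filename match, Defender-directory exclusion and host/file/image/time aggregation described above, written out as an added Python example over constructed Sysmon EventID 11 records (this is not the rule's own SPL and not Splunk's code); the two Defender program directories used for the exclusion are an assumption, since the page does not enumerate them.

```python
import re
from collections import defaultdict

# Engine/signature filenames the rule flags (listed in the summary above).
TARGET_FILES = re.compile(
    r"\\(mpasbase\.vdm|mpasdlta\.vdm|mpavbase\.vdm|mpavdlta\.vdm|mpengine\.dll)$",
    re.IGNORECASE,
)
# Assumed exclusion list: the page says Defender's own program directories are
# excluded but does not enumerate them, so these two paths are an assumption.
DEFENDER_DIRS = (
    "c:\\programdata\\microsoft\\windows defender\\",
    "c:\\program files\\windows defender\\",
)

def is_suspicious(event):
    """True for a Sysmon EventID 11 record writing a Defender engine/signature file outside Defender's dirs."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    if not TARGET_FILES.search(target):
        return False
    return not target.lower().startswith(DEFENDER_DIRS)

def aggregate(events):
    """Group matches by (host, target filename, image) with a count and first/last UtcTime, as the rule does."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in filter(is_suspicious, events):
        g = groups[(ev["Computer"], ev["TargetFilename"], ev["Image"])]
        g["count"] += 1
        g["first"] = min(filter(None, (g["first"], ev["UtcTime"])))
        g["last"] = max(filter(None, (g["last"], ev["UtcTime"])))
    return dict(groups)

def make_event(utc, image, target, computer="ws01", event_id=11):
    """Build a minimal Sysmon record with just the fields the rule consumes."""
    return {"EventID": event_id, "Computer": computer, "UtcTime": utc,
            "Image": image, "TargetFilename": target}

# Constructed sample records (not real telemetry); paths and the UUID are made up.
DEFENDER_EXE = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"
SETUP_EXE = "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"
TEMP_DIR = "C:\\Users\\alice\\AppData\\Local\\Temp\\3f1a9c2e-0b4d-4e7a-9c11-2a5e6f7b8c9d\\"
SAMPLE_EVENTS = [
    make_event("2026-06-16 10:00:01", DEFENDER_EXE,   # Defender updating itself: excluded
               "C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\mpengine.dll"),
    make_event("2026-06-16 10:05:12", SETUP_EXE, TEMP_DIR + "mpengine.dll"),  # flagged
    make_event("2026-06-16 10:05:13", SETUP_EXE, TEMP_DIR + "mpasbase.vdm"),  # flagged
    make_event("2026-06-16 10:06:00", SETUP_EXE, TEMP_DIR + "mpengine.dll"),  # same file again
]
```

Running aggregate(SAMPLE_EVENTS) yields two groups for the temp-directory process, with the mpengine.dll group carrying a count of 2 and a time span from the first to the last creation; the Defender-owned write is dropped by the directory exclusion.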
Categories
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1068
Created: 2026-06-16