Skip to content

3ch0p01nt/RedSun_Undefend

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 

Repository files navigation

RedSun & UnDefend — Detection & Defense Guide

License: MIT

Hunting queries, detection strategies, and defensive recommendations for the RedSun and UnDefend zero-day vulnerabilities targeting Microsoft Defender (April 2026).

⚠️ Last updated: April 20, 2026. RedSun and UnDefend are unpatched as of this date. Check MSRC for the latest patch status before relying on this guide.

All analysis is based on publicly available information including the PoC source code, CloudSEK's technical writeup, and heise reporting.


Table of Contents


Vulnerability Overview

Three related zero-day vulnerabilities targeting Microsoft Defender were publicly disclosed in April 2026 by the researcher "Nightmare-Eclipse" (aka "Chaotic Eclipse"). This repo focuses on RedSun and UnDefend — both unpatched at the time of writing.

Vulnerability Type Privileges Required Patch Status PoC Available
RedSun Local Elevation of Privilege → SYSTEM Standard user (local) ❌ Unpatched (as of 4/20/2026) Yes
UnDefend Defender Denial of Service / Disablement Standard user (local) ❌ Unpatched (as of 4/20/2026) Yes
BlueHammer Local Elevation of Privilege Standard user (local) ✅ Patched 4/15/2026 (CVE-2026-33825) Yes

Note: BlueHammer was patched via Defender platform update ≥ 4.18.26030.3011 on April Patch Tuesday (4/15/2026). RedSun and UnDefend remain unpatched as of April 20, 2026. This guide focuses on the two unpatched vulnerabilities.


RedSun — Technical Analysis

Summary

RedSun exploits a logic flaw in Windows Defender's file remediation path (MpSvc.dll). When Defender detects a malicious file with Cloud Files attributes, it attempts to restore the file to its original detection path without validating whether that path has been redirected via a junction point. An attacker races this window to redirect Defender's SYSTEM-privileged write into C:\Windows\System32, achieving arbitrary code execution as SYSTEM.

No admin privileges, UAC bypass, or kernel exploit is required.

Confirmed Environment

  • Windows 11 25H2 Build 26200.8246
  • Real-time protection fully enabled
  • Standard (non-admin) user account

Attack Chain

┌─────────────────────────────────────────────────────────────────┐
│ 1. CREATE working directory in %TEMP%\RS-{GUID}\               │
│ 2. DROP reversed EICAR string as TieringEngineService.exe      │
│ 3. OPEN file with FILE_EXECUTE → triggers Defender scan        │
│ 4. MONITOR \Device\ for new HarddiskVolumeShadowCopy* objects  │
│ 5. ACQUIRE batch OPLOCK on shadow copy of target file          │
│ 6. OPLOCK BREAKS when Defender accesses → deterministic window │
│ 7. DELETE original file (POSIX semantics)                      │
│ 8. CREATE Cloud Files placeholder via CfCreatePlaceholders     │
│    (Provider: "SERIOUSLYMSFT", flag: MARK_IN_SYNC)             │
│ 9. RENAME working dir away, RECREATE as junction               │
│    → Junction target: \??\C:\Windows\System32                  │
│ 10. DEFENDER RESUMES write → kernel resolves junction           │
│     → Payload written to C:\Windows\System32\ as SYSTEM        │
│ 11. ACTIVATE DCOM: Storage Tiers Management COM Server         │
│     CLSID: {50d185b9-fff3-4656-92c7-e4018da4361d}              │
│ 12. Payload runs as SYSTEM → reads session ID from             │
│     named pipe \\.\pipe\REDSUN → spawns conhost.exe            │
│     in user's session → interactive SYSTEM shell               │
└─────────────────────────────────────────────────────────────────┘

Root Cause

The vulnerability exists in MpSvc.dll — the core Malware Protection Engine. The function chain from detection to write-back never calls any API that could detect a junction or reparse point redirect:

Function Role Reparse Check?
Config reader Reads EnableLocalFileRollback No
Config change handler Dispatches rollback No — missing check
Notification builder Builds IPC payload No
IPC dispatcher Sends msg 0x4047 No
Write handler Receives payload, writes to detection path No — path used verbatim

Key IOCs from PoC Source

Indicator Type Notes
\\.\pipe\REDSUN Named pipe Session ID handoff to SYSTEM payload
TieringEngineService.exe Filename Payload name (abuses legit Storage Tiers binary)
%TEMP%\RS-{GUID}\ Directory pattern Working directory
SERIOUSLYMSFT Cloud Files provider name Registered via CfRegisterSyncRoot
{50d185b9-fff3-4656-92c7-e4018da4361d} DCOM CLSID Storage Tiers Management Engine
MsMpEng.exeSystem32\*.exe File write The vulnerability itself

UnDefend — Technical Analysis

Summary

UnDefend allows an unprivileged local user to disable Windows Defender by exclusively locking Defender's signature and engine files, preventing updates. It operates in two modes:

Passive Mode (default)

  • Reads Defender's installation paths from the registry:
    • HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath
    • HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\SignatureLocation
  • Acquires exclusive file locks (NtCreateFile + LockFileEx) on:
    • mpavbase.vdm — active signature database
    • mpavbase.lkg — last-known-good backup
  • Monitors Definition Updates\ directory via ReadDirectoryChangesW and locks every new file
  • Also monitors and locks files under C:\Windows\System32\MRT\ (Malicious Software Removal Tool)
  • Result: Defender cannot load new signatures → blind to new threats

Aggressive Mode

  • Registers a callback via NotifyServiceStatusChangeW for SERVICE_NOTIFY_STOPPED on the WinDefend service
  • When Defender stops (e.g., during a major platform update replacing MsMpEng.exe), locks the binary path
  • Result: Defender fails to restart → completely disabled

EDR Console Deception (unreleased)

The researcher claims a method exists to make the EDR portal report "Defender running and up to date" while it's actually disabled. This code is not public — the researcher considers it "too dangerous."

Key IOCs from PoC Source

Indicator Type Notes
Exclusive locks on mpavbase.vdm / mpavbase.lkg File lock Core mechanism
ReadDirectoryChangesW on Definition Updates\ Directory monitoring Catches new files to lock
OpenService("WinDefend") + NotifyServiceStatusChangeW Service monitoring Aggressive mode trigger
Registry reads of ProductAppDataPath / SignatureLocation Registry access Initial reconnaissance
C:\Windows\System32\MRT\ file locking File lock Blocks MSRT updates

KQL Hunt Queries

All queries target Microsoft Defender for Endpoint (MDE) Advanced Hunting tables. Individual .kql files are in the kql/ directory.

RedSun Detections

RS-1: Named Pipe REDSUN (Highest fidelity PoC indicator)

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "NamedPipeEvent"
| where AdditionalFields has "REDSUN"
| project Timestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, AdditionalFields

RS-2: MsMpEng.exe Writing Executables to System32 ⭐

Most durable detection — catches the vulnerability itself regardless of payload name or PoC variant.

DeviceFileEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "MsMpEng.exe"
| where FolderPath startswith @"C:\Windows\System32\"
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".exe" or FileName endswith ".dll"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath,
          SHA256, InitiatingProcessCommandLine

RS-3: TieringEngineService.exe Anomalies

DeviceFileEvents
| where Timestamp > ago(30d)
| where FileName =~ "TieringEngineService.exe"
| where ActionType in ("FileCreated", "FileModified")
| project Timestamp, DeviceName, ActionType, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "TieringEngineService.exe"
| project Timestamp, DeviceName, ProcessId, FileName, FolderPath,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, AccountName

RS-4: Storage Tiers Management COM Server Activation

DeviceProcessEvents
| where Timestamp > ago(30d)
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "50d185b9-fff3-4656-92c7-e4018da4361d"
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName

RS-5: Cloud Files Sync Root Registration

DeviceRegistryEvents
| where Timestamp > ago(30d)
| where RegistryKey has @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager"
| where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
| where RegistryValueData has_any ("SERIOUSLYMSFT", "CloudFilter")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName,
          RegistryValueData, InitiatingProcessFileName,
          InitiatingProcessCommandLine

RS-6: Junction-Based Redirect — Temp Directory to System32 Write Correlation ⭐

Catches the race condition: file created in user temp → Defender writes to System32 within 5 minutes on same device.

let TempExeCreations = DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where FolderPath startswith @"C:\Users\" or FolderPath contains @"\AppData\Local\Temp\"
| where FileName endswith ".exe"
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "explorer.exe",
          "msiexec.exe", "setup.exe", "TiWorker.exe", "svchost.exe")
| project TempTimestamp = Timestamp, DeviceId, DeviceName, TempFileName = FileName, TempFolderPath = FolderPath;
let DefenderSystem32Writes = DeviceFileEvents
| where Timestamp > ago(30d)
| where FolderPath startswith @"C:\Windows\System32\"
| where InitiatingProcessFileName =~ "MsMpEng.exe"
| where ActionType in ("FileCreated", "FileModified")
| project Sys32Timestamp = Timestamp, DeviceId, Sys32FileName = FileName, Sys32FolderPath = FolderPath;
TempExeCreations
| join kind=inner DefenderSystem32Writes on DeviceId
| where Sys32Timestamp between (TempTimestamp .. (TempTimestamp + 5m))
| project TempTimestamp, DeviceName, TempFileName, TempFolderPath,
          Sys32FileName, Sys32FolderPath

RS-7: Working Directory Pattern

DeviceFileEvents
| where Timestamp > ago(30d)
| where FolderPath has @"\AppData\Local\Temp\RS-"
| project Timestamp, DeviceName, FileName, FolderPath, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine

RS-8: conhost.exe Spawned by SYSTEM in User Session

The final payload — an interactive SYSTEM shell delivered via conhost.exe.

DeviceProcessEvents
| where Timestamp > ago(30d)
| where ActionType == "ProcessCreated"
| where FileName =~ "conhost.exe"
| where AccountSid == "S-1-5-18" or AccountName =~ "SYSTEM"
| where InitiatingProcessFileName !in~ ("csrss.exe", "conhost.exe",
          "services.exe", "svchost.exe", "wininit.exe", "winlogon.exe",
          "cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          AccountName, LogonId

UnDefend Detections

UD-1: Repeated Signature Update Failures ⭐

Direct symptom of file locking — the most operationally useful UnDefend detection.

DeviceEvents
| where Timestamp > ago(14d)
| where ActionType == "AntivirusDefinitionsUpdateFailed"
| summarize FailCount = count(), FirstFail = min(Timestamp),
            LastFail = max(Timestamp) by DeviceId, DeviceName
| where FailCount > 3
| project DeviceName, FailCount, FirstFail, LastFail

UD-2: Non-Defender Process Accessing Signature Files

DeviceFileEvents
| where Timestamp > ago(14d)
| where FolderPath has @"Definition Updates"
| where FileName in~ ("mpavbase.vdm", "mpavbase.lkg", "mpasbase.vdm",
                       "mpavdlta.vdm", "mpasdlta.vdm")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "MpCmdRun.exe",
          "NisSrv.exe", "MpSigStub.exe", "MpDlpService.exe",
          "SecurityHealthService.exe", "TiWorker.exe", "svchost.exe")
| project Timestamp, DeviceName, FileName, FolderPath, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName

UD-3: Non-Defender Access to MRT Directory

DeviceFileEvents
| where Timestamp > ago(14d)
| where FolderPath startswith @"C:\Windows\System32\MRT"
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "MRT.exe",
          "MpCmdRun.exe", "TiWorker.exe", "svchost.exe",
          "TrustedInstaller.exe", "msiexec.exe")
| where ActionType in ("FileCreated", "FileModified")
| project Timestamp, DeviceName, FileName, FolderPath, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine

UD-4: Defender Registry Activity

DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey contains @"SOFTWARE\Microsoft\Windows Defender"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "MpCmdRun.exe",
          "SecurityHealthService.exe", "NisSrv.exe", "svchost.exe",
          "TrustedInstaller.exe", "tiworker.exe", "msiexec.exe",
          "IntuneManagementExtension.exe")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName,
          RegistryValueData, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName

UD-5: Signature Staleness Across Fleet ⭐

Best scheduled daily analytics rule — catches passive UnDefend regardless of technique.

DeviceInfo
| where Timestamp > ago(7d)
| summarize LastSeen = max(Timestamp) by DeviceId, DeviceName
| join kind=inner (
    DeviceTvmSoftwareInventory
    | where SoftwareName has "defender" and SoftwareName has "definition"
    | project DeviceId, SoftwareVersion
) on DeviceId
| where LastSeen < ago(3d)
| project DeviceName, SoftwareVersion, LastSeen,
          DaysSinceUpdate = datetime_diff('day', now(), LastSeen)
| order by DaysSinceUpdate desc

UD-6: Defender Service Manipulation

DeviceEvents
| where Timestamp > ago(14d)
| where ActionType == "ServiceInstalled"
| where AdditionalFields has_any ("WinDefend", "WdNisSvc", "Sense",
                                   "SecurityHealthService", "MsMpEng")
| where InitiatingProcessFileName !in~ ("services.exe", "svchost.exe",
          "MsMpEng.exe", "TrustedInstaller.exe", "MpCmdRun.exe",
          "tiworker.exe", "msiexec.exe")
| project Timestamp, DeviceName, ActionType, AdditionalFields,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName
// Supplement: catch sc.exe or PowerShell stopping/disabling Defender services
union (
    DeviceProcessEvents
    | where Timestamp > ago(14d)
    | where ActionType == "ProcessCreated"
    | where (FileName =~ "sc.exe" and ProcessCommandLine has_any ("WinDefend", "WdNisSvc", "Sense")
             and ProcessCommandLine has_any ("stop", "delete", "config", "disabled"))
         or (FileName in~ ("powershell.exe", "pwsh.exe")
             and ProcessCommandLine has_any ("Stop-Service", "Set-Service")
             and ProcessCommandLine has_any ("WinDefend", "WdNisSvc", "Sense"))
    | project Timestamp, DeviceName, ActionType, AdditionalFields = "",
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName
)

UD-7: Tamper Protection Events

DeviceEvents
| where Timestamp > ago(14d)
| where ActionType == "TamperingAttempt"
| project Timestamp, DeviceName, AdditionalFields,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName

UD-8: Registry Tampering of Defender Service Keys

DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend"
     or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc"
     or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense"
     or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter"
     or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot"
     or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
     or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"
| where ActionType in ("RegistryValueSet", "RegistryKeyDeleted",
                        "RegistryValueDeleted")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "TrustedInstaller.exe",
          "svchost.exe", "services.exe", "tiworker.exe", "msiexec.exe",
          "reg.exe", "regedit.exe", "IntuneManagementExtension.exe")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName,
          PreviousRegistryValueData, RegistryValueData, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName

UD-9: Defender RTP Compliance Check

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010"
| where IsCompliant == 0
| project DeviceName, DeviceId, ConfigurationId, IsCompliant

Combined Correlation

COMBO-1: Device Exhibiting Both RedSun and UnDefend Indicators

If an attacker chains both — disables Defender first (UnDefend), then escalates (RedSun):

let RedSunDevices = DeviceFileEvents
| where Timestamp > ago(14d)
| where InitiatingProcessFileName =~ "MsMpEng.exe"
| where FolderPath startswith @"C:\Windows\System32\"
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".exe"
| distinct DeviceId, DeviceName;
let UnDefendDevices = DeviceEvents
| where Timestamp > ago(14d)
| where ActionType == "AntivirusDefinitionsUpdateFailed"
| summarize FailCount = count() by DeviceId, DeviceName
| where FailCount > 3
| distinct DeviceId, DeviceName;
RedSunDevices
| join kind=inner UnDefendDevices on DeviceId
| project DeviceName

Defensive Recommendations

Immediate Actions (No Patch Available)

# Action Protects Against Effort
1 Enable Tamper Protection across all MDE-managed devices UnDefend Low
2 Enable EDR in Block Mode — cloud-side signatures fire even if local engine is starved UnDefend Low
3 ASR Rule: Block executable files unless prevalence/age/trusted (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) RedSun (disrupts payload execution in System32) Medium
4 ASR Rule: Block credential stealing from LSASS (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) Post-exploitation lateral movement Medium
5 WDAC / AppLocker — require code signing for executables in C:\Windows\System32\ RedSun (blocks unsigned payload) High
6 Conditional Access + Compliance Policies — devices with degraded Defender health fail compliance → no corporate access UnDefend Medium
7 Monitor Defender health telemetry — any device whose Defender stops reporting is suspect UnDefend Low
8 Deploy hunt queries from this repo as scheduled MDE/Sentinel analytics rules Both Medium

Architecture-Level Defenses

  • Principle of Least Privilege — both exploits require local access; reduce the number of users with interactive local logon
  • Network segmentation — limit lateral movement if SYSTEM is obtained via RedSun
  • Endpoint isolation playbooks — pre-build automated response to auto-isolate devices flagged by RS-2 or UD-1

What Won't Help

  • Disabling Cloud Files / OneDrive — RedSun uses the Cloud Files API but doesn't require OneDrive to be configured
  • Turning off real-time protection — makes things worse (removes the detection trigger but opens the system entirely)
  • Relying solely on signature-based detection — no named signatures exist for RedSun or UnDefend yet

Deployment Priority

If you can only deploy a few queries, start here:

Priority Query Rationale
🔴 P0 RS-2 (MsMpEng → System32 write) Catches the vulnerability itself — any variant, any payload name
🔴 P0 UD-1 (repeated signature update failures) Direct symptom of UnDefend passive mode
🟠 P1 UD-5 (signature staleness — daily scheduled rule) Fleet-wide visibility into UnDefend effects
🟠 P1 RS-6 (junction correlation: temp exe → System32 write) Catches the race condition pattern
🟡 P2 RS-1 (named pipe REDSUN) High confidence but trivially changed by attackers
🟡 P2 UD-7 (Tamper Protection events) Catches aggressive UnDefend variants
🟡 P2 UD-8 (Defender registry tampering) Catches persistence and post-exploitation

Related CVEs

CVE Vulnerability Status
CVE-2026-33825 BlueHammer — Defender EoP ✅ Patched (platform ≥ 4.18.26030.3011)
TBD RedSun — Defender remediation path EoP ❌ Unpatched
TBD UnDefend — Defender update blocking / disablement ❌ Unpatched

References

Public Disclosures

PoC Repositories

Microsoft


Contributing

Found a better detection? Have a Sentinel Analytics Rule template? PRs welcome.

  • Fork this repo
  • Add your KQL to kql/ with descriptive filenames
  • Include comments explaining what the query detects and expected false-positive rate
  • Submit a PR with a brief description

Disclaimer

This repository contains detection and defense guidance only. No exploit code is included or linked. All analysis is derived from publicly available sources. The KQL queries are original work and not affiliated with or endorsed by Microsoft.


License

MIT

About

Detection methods, KQL hunt queries, and defensive recommendations for the RedSun and UnDefend Microsoft Defender zero-day vulnerabilities (April 2026)

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors