Hunting queries, detection strategies, and defensive recommendations for the RedSun and UnDefend zero-day vulnerabilities targeting Microsoft Defender (April 2026).
⚠️ Last updated: April 20, 2026. RedSun and UnDefend are unpatched as of this date. Check MSRC for the latest patch status before relying on this guide.All analysis is based on publicly available information including the PoC source code, CloudSEK's technical writeup, and heise reporting.
- Vulnerability Overview
- RedSun — Technical Analysis
- UnDefend — Technical Analysis
- KQL Hunt Queries
- Defensive Recommendations
- Deployment Priority
- Related CVEs
- References
- Contributing
Three related zero-day vulnerabilities targeting Microsoft Defender were publicly disclosed in April 2026 by the researcher "Nightmare-Eclipse" (aka "Chaotic Eclipse"). This repo focuses on RedSun and UnDefend — both unpatched at the time of writing.
| Vulnerability | Type | Privileges Required | Patch Status | PoC Available |
|---|---|---|---|---|
| RedSun | Local Elevation of Privilege → SYSTEM | Standard user (local) | ❌ Unpatched (as of 4/20/2026) | Yes |
| UnDefend | Defender Denial of Service / Disablement | Standard user (local) | ❌ Unpatched (as of 4/20/2026) | Yes |
| BlueHammer | Local Elevation of Privilege | Standard user (local) | ✅ Patched 4/15/2026 (CVE-2026-33825) | Yes |
Note: BlueHammer was patched via Defender platform update ≥
4.18.26030.3011on April Patch Tuesday (4/15/2026). RedSun and UnDefend remain unpatched as of April 20, 2026. This guide focuses on the two unpatched vulnerabilities.
RedSun exploits a logic flaw in Windows Defender's file remediation path (MpSvc.dll). When Defender detects a malicious file with Cloud Files attributes, it attempts to restore the file to its original detection path without validating whether that path has been redirected via a junction point. An attacker races this window to redirect Defender's SYSTEM-privileged write into C:\Windows\System32, achieving arbitrary code execution as SYSTEM.
No admin privileges, UAC bypass, or kernel exploit is required.
- Windows 11 25H2 Build 26200.8246
- Real-time protection fully enabled
- Standard (non-admin) user account
┌─────────────────────────────────────────────────────────────────┐
│ 1. CREATE working directory in %TEMP%\RS-{GUID}\ │
│ 2. DROP reversed EICAR string as TieringEngineService.exe │
│ 3. OPEN file with FILE_EXECUTE → triggers Defender scan │
│ 4. MONITOR \Device\ for new HarddiskVolumeShadowCopy* objects │
│ 5. ACQUIRE batch OPLOCK on shadow copy of target file │
│ 6. OPLOCK BREAKS when Defender accesses → deterministic window │
│ 7. DELETE original file (POSIX semantics) │
│ 8. CREATE Cloud Files placeholder via CfCreatePlaceholders │
│ (Provider: "SERIOUSLYMSFT", flag: MARK_IN_SYNC) │
│ 9. RENAME working dir away, RECREATE as junction │
│ → Junction target: \??\C:\Windows\System32 │
│ 10. DEFENDER RESUMES write → kernel resolves junction │
│ → Payload written to C:\Windows\System32\ as SYSTEM │
│ 11. ACTIVATE DCOM: Storage Tiers Management COM Server │
│ CLSID: {50d185b9-fff3-4656-92c7-e4018da4361d} │
│ 12. Payload runs as SYSTEM → reads session ID from │
│ named pipe \\.\pipe\REDSUN → spawns conhost.exe │
│ in user's session → interactive SYSTEM shell │
└─────────────────────────────────────────────────────────────────┘
The vulnerability exists in MpSvc.dll — the core Malware Protection Engine. The function chain from detection to write-back never calls any API that could detect a junction or reparse point redirect:
| Function | Role | Reparse Check? |
|---|---|---|
| Config reader | Reads EnableLocalFileRollback |
No |
| Config change handler | Dispatches rollback | No — missing check |
| Notification builder | Builds IPC payload | No |
| IPC dispatcher | Sends msg 0x4047 |
No |
| Write handler | Receives payload, writes to detection path | No — path used verbatim |
| Indicator | Type | Notes |
|---|---|---|
\\.\pipe\REDSUN |
Named pipe | Session ID handoff to SYSTEM payload |
TieringEngineService.exe |
Filename | Payload name (abuses legit Storage Tiers binary) |
%TEMP%\RS-{GUID}\ |
Directory pattern | Working directory |
SERIOUSLYMSFT |
Cloud Files provider name | Registered via CfRegisterSyncRoot |
{50d185b9-fff3-4656-92c7-e4018da4361d} |
DCOM CLSID | Storage Tiers Management Engine |
MsMpEng.exe → System32\*.exe |
File write | The vulnerability itself |
UnDefend allows an unprivileged local user to disable Windows Defender by exclusively locking Defender's signature and engine files, preventing updates. It operates in two modes:
- Reads Defender's installation paths from the registry:
HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPathHKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\SignatureLocation
- Acquires exclusive file locks (
NtCreateFile+LockFileEx) on:mpavbase.vdm— active signature databasempavbase.lkg— last-known-good backup
- Monitors
Definition Updates\directory viaReadDirectoryChangesWand locks every new file - Also monitors and locks files under
C:\Windows\System32\MRT\(Malicious Software Removal Tool) - Result: Defender cannot load new signatures → blind to new threats
- Registers a callback via
NotifyServiceStatusChangeWforSERVICE_NOTIFY_STOPPEDon theWinDefendservice - When Defender stops (e.g., during a major platform update replacing
MsMpEng.exe), locks the binary path - Result: Defender fails to restart → completely disabled
The researcher claims a method exists to make the EDR portal report "Defender running and up to date" while it's actually disabled. This code is not public — the researcher considers it "too dangerous."
| Indicator | Type | Notes |
|---|---|---|
Exclusive locks on mpavbase.vdm / mpavbase.lkg |
File lock | Core mechanism |
ReadDirectoryChangesW on Definition Updates\ |
Directory monitoring | Catches new files to lock |
OpenService("WinDefend") + NotifyServiceStatusChangeW |
Service monitoring | Aggressive mode trigger |
Registry reads of ProductAppDataPath / SignatureLocation |
Registry access | Initial reconnaissance |
C:\Windows\System32\MRT\ file locking |
File lock | Blocks MSRT updates |
All queries target Microsoft Defender for Endpoint (MDE) Advanced Hunting tables. Individual .kql files are in the kql/ directory.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "NamedPipeEvent"
| where AdditionalFields has "REDSUN"
| project Timestamp, DeviceName, InitiatingProcessFileName,
InitiatingProcessCommandLine, AdditionalFieldsMost durable detection — catches the vulnerability itself regardless of payload name or PoC variant.
DeviceFileEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "MsMpEng.exe"
| where FolderPath startswith @"C:\Windows\System32\"
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".exe" or FileName endswith ".dll"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath,
SHA256, InitiatingProcessCommandLineDeviceFileEvents
| where Timestamp > ago(30d)
| where FileName =~ "TieringEngineService.exe"
| where ActionType in ("FileCreated", "FileModified")
| project Timestamp, DeviceName, ActionType, FolderPath, SHA256,
InitiatingProcessFileName, InitiatingProcessCommandLineDeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "TieringEngineService.exe"
| project Timestamp, DeviceName, ProcessId, FileName, FolderPath,
ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessCommandLine, AccountNameDeviceProcessEvents
| where Timestamp > ago(30d)
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "50d185b9-fff3-4656-92c7-e4018da4361d"
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, AccountNameDeviceRegistryEvents
| where Timestamp > ago(30d)
| where RegistryKey has @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager"
| where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
| where RegistryValueData has_any ("SERIOUSLYMSFT", "CloudFilter")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName,
RegistryValueData, InitiatingProcessFileName,
InitiatingProcessCommandLineCatches the race condition: file created in user temp → Defender writes to System32 within 5 minutes on same device.
let TempExeCreations = DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where FolderPath startswith @"C:\Users\" or FolderPath contains @"\AppData\Local\Temp\"
| where FileName endswith ".exe"
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "explorer.exe",
"msiexec.exe", "setup.exe", "TiWorker.exe", "svchost.exe")
| project TempTimestamp = Timestamp, DeviceId, DeviceName, TempFileName = FileName, TempFolderPath = FolderPath;
let DefenderSystem32Writes = DeviceFileEvents
| where Timestamp > ago(30d)
| where FolderPath startswith @"C:\Windows\System32\"
| where InitiatingProcessFileName =~ "MsMpEng.exe"
| where ActionType in ("FileCreated", "FileModified")
| project Sys32Timestamp = Timestamp, DeviceId, Sys32FileName = FileName, Sys32FolderPath = FolderPath;
TempExeCreations
| join kind=inner DefenderSystem32Writes on DeviceId
| where Sys32Timestamp between (TempTimestamp .. (TempTimestamp + 5m))
| project TempTimestamp, DeviceName, TempFileName, TempFolderPath,
Sys32FileName, Sys32FolderPathDeviceFileEvents
| where Timestamp > ago(30d)
| where FolderPath has @"\AppData\Local\Temp\RS-"
| project Timestamp, DeviceName, FileName, FolderPath, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLineThe final payload — an interactive SYSTEM shell delivered via conhost.exe.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ActionType == "ProcessCreated"
| where FileName =~ "conhost.exe"
| where AccountSid == "S-1-5-18" or AccountName =~ "SYSTEM"
| where InitiatingProcessFileName !in~ ("csrss.exe", "conhost.exe",
"services.exe", "svchost.exe", "wininit.exe", "winlogon.exe",
"cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
AccountName, LogonIdDirect symptom of file locking — the most operationally useful UnDefend detection.
DeviceEvents
| where Timestamp > ago(14d)
| where ActionType == "AntivirusDefinitionsUpdateFailed"
| summarize FailCount = count(), FirstFail = min(Timestamp),
LastFail = max(Timestamp) by DeviceId, DeviceName
| where FailCount > 3
| project DeviceName, FailCount, FirstFail, LastFailDeviceFileEvents
| where Timestamp > ago(14d)
| where FolderPath has @"Definition Updates"
| where FileName in~ ("mpavbase.vdm", "mpavbase.lkg", "mpasbase.vdm",
"mpavdlta.vdm", "mpasdlta.vdm")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "MpCmdRun.exe",
"NisSrv.exe", "MpSigStub.exe", "MpDlpService.exe",
"SecurityHealthService.exe", "TiWorker.exe", "svchost.exe")
| project Timestamp, DeviceName, FileName, FolderPath, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountNameDeviceFileEvents
| where Timestamp > ago(14d)
| where FolderPath startswith @"C:\Windows\System32\MRT"
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "MRT.exe",
"MpCmdRun.exe", "TiWorker.exe", "svchost.exe",
"TrustedInstaller.exe", "msiexec.exe")
| where ActionType in ("FileCreated", "FileModified")
| project Timestamp, DeviceName, FileName, FolderPath, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLineDeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey contains @"SOFTWARE\Microsoft\Windows Defender"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "MpCmdRun.exe",
"SecurityHealthService.exe", "NisSrv.exe", "svchost.exe",
"TrustedInstaller.exe", "tiworker.exe", "msiexec.exe",
"IntuneManagementExtension.exe")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName,
RegistryValueData, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountNameBest scheduled daily analytics rule — catches passive UnDefend regardless of technique.
DeviceInfo
| where Timestamp > ago(7d)
| summarize LastSeen = max(Timestamp) by DeviceId, DeviceName
| join kind=inner (
DeviceTvmSoftwareInventory
| where SoftwareName has "defender" and SoftwareName has "definition"
| project DeviceId, SoftwareVersion
) on DeviceId
| where LastSeen < ago(3d)
| project DeviceName, SoftwareVersion, LastSeen,
DaysSinceUpdate = datetime_diff('day', now(), LastSeen)
| order by DaysSinceUpdate descDeviceEvents
| where Timestamp > ago(14d)
| where ActionType == "ServiceInstalled"
| where AdditionalFields has_any ("WinDefend", "WdNisSvc", "Sense",
"SecurityHealthService", "MsMpEng")
| where InitiatingProcessFileName !in~ ("services.exe", "svchost.exe",
"MsMpEng.exe", "TrustedInstaller.exe", "MpCmdRun.exe",
"tiworker.exe", "msiexec.exe")
| project Timestamp, DeviceName, ActionType, AdditionalFields,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName
// Supplement: catch sc.exe or PowerShell stopping/disabling Defender services
union (
DeviceProcessEvents
| where Timestamp > ago(14d)
| where ActionType == "ProcessCreated"
| where (FileName =~ "sc.exe" and ProcessCommandLine has_any ("WinDefend", "WdNisSvc", "Sense")
and ProcessCommandLine has_any ("stop", "delete", "config", "disabled"))
or (FileName in~ ("powershell.exe", "pwsh.exe")
and ProcessCommandLine has_any ("Stop-Service", "Set-Service")
and ProcessCommandLine has_any ("WinDefend", "WdNisSvc", "Sense"))
| project Timestamp, DeviceName, ActionType, AdditionalFields = "",
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName
)DeviceEvents
| where Timestamp > ago(14d)
| where ActionType == "TamperingAttempt"
| project Timestamp, DeviceName, AdditionalFields,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountNameDeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend"
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc"
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense"
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter"
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot"
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"
| where ActionType in ("RegistryValueSet", "RegistryKeyDeleted",
"RegistryValueDeleted")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "TrustedInstaller.exe",
"svchost.exe", "services.exe", "tiworker.exe", "msiexec.exe",
"reg.exe", "regedit.exe", "IntuneManagementExtension.exe")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName,
PreviousRegistryValueData, RegistryValueData, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountNameDeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010"
| where IsCompliant == 0
| project DeviceName, DeviceId, ConfigurationId, IsCompliantIf an attacker chains both — disables Defender first (UnDefend), then escalates (RedSun):
let RedSunDevices = DeviceFileEvents
| where Timestamp > ago(14d)
| where InitiatingProcessFileName =~ "MsMpEng.exe"
| where FolderPath startswith @"C:\Windows\System32\"
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".exe"
| distinct DeviceId, DeviceName;
let UnDefendDevices = DeviceEvents
| where Timestamp > ago(14d)
| where ActionType == "AntivirusDefinitionsUpdateFailed"
| summarize FailCount = count() by DeviceId, DeviceName
| where FailCount > 3
| distinct DeviceId, DeviceName;
RedSunDevices
| join kind=inner UnDefendDevices on DeviceId
| project DeviceName| # | Action | Protects Against | Effort |
|---|---|---|---|
| 1 | Enable Tamper Protection across all MDE-managed devices | UnDefend | Low |
| 2 | Enable EDR in Block Mode — cloud-side signatures fire even if local engine is starved | UnDefend | Low |
| 3 | ASR Rule: Block executable files unless prevalence/age/trusted (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) |
RedSun (disrupts payload execution in System32) | Medium |
| 4 | ASR Rule: Block credential stealing from LSASS (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) |
Post-exploitation lateral movement | Medium |
| 5 | WDAC / AppLocker — require code signing for executables in C:\Windows\System32\ |
RedSun (blocks unsigned payload) | High |
| 6 | Conditional Access + Compliance Policies — devices with degraded Defender health fail compliance → no corporate access | UnDefend | Medium |
| 7 | Monitor Defender health telemetry — any device whose Defender stops reporting is suspect | UnDefend | Low |
| 8 | Deploy hunt queries from this repo as scheduled MDE/Sentinel analytics rules | Both | Medium |
- Principle of Least Privilege — both exploits require local access; reduce the number of users with interactive local logon
- Network segmentation — limit lateral movement if SYSTEM is obtained via RedSun
- Endpoint isolation playbooks — pre-build automated response to auto-isolate devices flagged by RS-2 or UD-1
- ❌ Disabling Cloud Files / OneDrive — RedSun uses the Cloud Files API but doesn't require OneDrive to be configured
- ❌ Turning off real-time protection — makes things worse (removes the detection trigger but opens the system entirely)
- ❌ Relying solely on signature-based detection — no named signatures exist for RedSun or UnDefend yet
If you can only deploy a few queries, start here:
| Priority | Query | Rationale |
|---|---|---|
| 🔴 P0 | RS-2 (MsMpEng → System32 write) | Catches the vulnerability itself — any variant, any payload name |
| 🔴 P0 | UD-1 (repeated signature update failures) | Direct symptom of UnDefend passive mode |
| 🟠 P1 | UD-5 (signature staleness — daily scheduled rule) | Fleet-wide visibility into UnDefend effects |
| 🟠 P1 | RS-6 (junction correlation: temp exe → System32 write) | Catches the race condition pattern |
| 🟡 P2 | RS-1 (named pipe REDSUN) | High confidence but trivially changed by attackers |
| 🟡 P2 | UD-7 (Tamper Protection events) | Catches aggressive UnDefend variants |
| 🟡 P2 | UD-8 (Defender registry tampering) | Catches persistence and post-exploitation |
| CVE | Vulnerability | Status |
|---|---|---|
| CVE-2026-33825 | BlueHammer — Defender EoP | ✅ Patched (platform ≥ 4.18.26030.3011) |
| TBD | RedSun — Defender remediation path EoP | ❌ Unpatched |
| TBD | UnDefend — Defender update blocking / disablement | ❌ Unpatched |
- CloudSEK — RedSun: Windows 0day when Defender becomes the attacker — Detailed technical analysis with exploit walkthrough
- heise — Unpatched Windows zero-days RedSun, UnDefend and BlueHammer are being attacked
- CyberNews — Second public Windows Defender exploit released
- HuntressLabs — BlueHammer ITW | All three attacked
- MSRC — CVE-2026-33825 (BlueHammer)
- MDE Alert Response — Responding to machine alerts
- ASR Rules Reference — Attack Surface Reduction rule GUIDs
Found a better detection? Have a Sentinel Analytics Rule template? PRs welcome.
- Fork this repo
- Add your KQL to
kql/with descriptive filenames - Include comments explaining what the query detects and expected false-positive rate
- Submit a PR with a brief description
This repository contains detection and defense guidance only. No exploit code is included or linked. All analysis is derived from publicly available sources. The KQL queries are original work and not affiliated with or endorsed by Microsoft.