RedSun is an unpatched vulnerability in Microsoft Defender's cloud-file remediation pipeline that allows any standard (non-admin) user to escalate to NT AUTHORITY\SYSTEM with approximately 100% reliability on fully patched Windows 10, Windows 11, and Windows Server systems. No CVE has been assigned. The flaw is being actively paired in the wild with two companion Defender zero-days: BlueHammer (CVE-2026-33825, patched April 2026) and UnDefend (unpatched), creating a triple-threat chain that blinds, elevates, and persists -- all through the security product itself.
This advisory is classified TLP:GREEN. Recipients may share this information with peers and partner organizations within their community. It should not be posted on publicly accessible websites or shared outside the recipient's community without authorization.
Threat Metadata
| Field | Detail |
|---|---|
| Designation | RedSun |
| Vulnerability Class | Local Privilege Escalation (LPE) |
| CVE | None assigned |
| Outcome | NT AUTHORITY\SYSTEM -- arbitrary write primitive |
| Affected Component | Windows Defender (MsMpEng.exe) -- Cloud Files Remediation |
| Patch Status | None available |
| Exploitation Status | Observed in the wild |
| Reliability | ~100% on fully patched Windows 10 / 11 / Server |
| Companion Flaws | BlueHammer (CVE-2026-33825, patched) / UnDefend (unpatched) |
| Attack Vector | Local -- standard user, no admin required |
| User Interaction | None |
Organizations running Defender as their sole endpoint protection -- including Microsoft 365 E5 environments relying exclusively on Defender for Endpoint -- face systemic risk. The same product that detects threats is the attack surface. RedSun does not bypass Defender; it weaponizes Defender's own remediation engine to write attacker-controlled content to privileged locations as SYSTEM.
How the Attack Works
RedSun exploits a time-of-check-time-of-use (TOCTOU) race condition in the way Windows Defender remediates malicious files staged through the Windows Cloud Files API. The attack chain consists of six steps, each requiring only standard-user privileges.
1 Register a Fake Cloud Sync Provider
The attacker registers a user-mode cloud sync provider using the Cloud Files API (CfRegisterSyncRoot). This requires no elevation. The proof-of-concept uses a provider named SERIOUSLYMSFT, registering it under the user's AppData directory.
2 Stage a Detectable Payload as a Cloud Placeholder
A file containing a known-malicious signature -- such as the EICAR test string -- is created as a cloud file placeholder. Defender's real-time protection is guaranteed to flag and attempt remediation of this file, which is precisely what the attacker wants.
3 Opportunistic Lock Pauses Defender Mid-Remediation
Before Defender completes its remediation (quarantine/delete), the attacker places an opportunistic lock (oplock) on the staged file. When Defender opens the file for remediation, the oplock callback fires, pausing MsMpEng.exe mid-operation. The file handle is now held open by Defender, but the attacker controls what happens next.
4 Swap Target for NTFS Junction to System32
While Defender is paused on the oplock, the attacker deletes the original file and replaces the containing directory with an NTFS junction point (directory symlink) aimed at C:\Windows\System32. Creating junctions does not require administrator privileges.
This is the critical vulnerability. Between the time Defender checks the file location (time-of-check) and the time it writes its remediation action (time-of-use), the attacker redirects the file path via NTFS junction. Defender's remediation engine does not re-validate the target path after the oplock is released. It follows the junction and writes into System32 as NT AUTHORITY\SYSTEM.
5 Release Lock -- Defender Writes into System32 as SYSTEM
The attacker releases the oplock. Defender resumes its remediation and attempts to write/overwrite the file at the original path -- but the path now resolves through the junction to C:\Windows\System32. Because MsMpEng.exe runs as NT AUTHORITY\SYSTEM, it has full write access to the target directory. The attacker controls the content that gets written.
6 Trigger the Overwritten Service Binary
The attacker targets a known service binary -- the proof-of-concept overwrites TieringEngineService.exe (Storage Tiers Management service). Upon service restart or system reboot, the attacker's payload executes as SYSTEM. The entire chain -- from standard user to SYSTEM -- completes without any administrator interaction, UAC prompts, or credential harvesting.
Why It Matters
RedSun represents a foothold-to-kingdom attack in a single step. Any low-privilege foothold -- phishing, drive-by download, compromised service account -- can be immediately escalated to full SYSTEM control. There is no patch. There is no workaround that fully eliminates the risk without disabling Defender functionality.
The Triple-Zero-Day Chain
RedSun does not exist in isolation. It is part of a trio of Defender-targeting vulnerabilities disclosed in April 2026:
- BlueHammer (CVE-2026-33825) -- A denial-of-service vulnerability that crashes the Defender service via crafted scan requests. Patched in April 2026 Patch Tuesday.
- RedSun -- The local privilege escalation described in this advisory. Unpatched.
- UnDefend -- A vulnerability that prevents Defender from receiving signature definition updates by manipulating the update channel. Silently degrades protection over time. Unpatched.
Adversaries are pairing these flaws in sequence: UnDefend first (go blind -- Defender stops updating signatures), then RedSun (go SYSTEM -- escalate to full control). The result is an endpoint where the security product is simultaneously degraded and weaponized. Threat intelligence reporting from The Hacker News, Vectra AI, and Help Net Security confirms active exploitation chains using this combination.
The majority of enterprise Windows deployments use Defender as their primary or sole endpoint protection. Microsoft 365 E5 customers often rely exclusively on Defender for Endpoint. RedSun converts the most widely deployed security control on the planet into an attack primitive. This is not a bypass -- it is a weaponization of the defender itself.
MITRE ATT&CK Mapping
| Technique ID | Name | Tactic | Relevance |
|---|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation | Core technique -- exploiting Defender's SYSTEM-level remediation to escalate from standard user |
| T1211 | Exploitation for Defense Evasion | Defense Evasion | Abusing a security product's own functionality to evade detection while escalating |
| T1574.010 | Hijack Execution Flow: Services File Permissions Weakness | Persistence / Privilege Escalation | Overwriting service binaries (TieringEngineService.exe) in System32 via arbitrary write |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion | UnDefend companion flaw blocks Defender signature updates; combined with RedSun for full chain |
| T1003.001 | OS Credential Dumping: LSASS Memory | Credential Access | Post-exploitation -- SYSTEM access enables direct LSASS memory dumping for credential harvesting |
| T1055 | Process Injection | Defense Evasion / Privilege Escalation | Post-exploitation -- SYSTEM context enables injection into any process for stealth and persistence |
Indicators of Compromise
Strings & Provider Names
- SERIOUSLYMSFT -- Cloud sync provider name used in public PoC
- Nightmare-Eclipse -- Alternative provider name observed in wild
- Chaotic Eclipse -- Alternative provider name observed in wild
- TieringEngineService.exe -- Targeted service binary for overwrite
API Surface & System Calls
- CfRegisterSyncRoot -- Registers fake cloud provider (triggers attack chain)
- CfConnectSyncRoot -- Connects to registered sync root for file operations
- FSCTL_REQUEST_OPLOCK -- Opportunistic lock to pause Defender remediation
- FSCTL_SET_REPARSE_POINT -- Sets NTFS junction/reparse point to redirect writes
Behavioural Indicators
- cldapi.dll loaded from %APPDATA% or %TEMP% directories
- mklink /J junction creation targeting C:\Windows\System32
- MsMpEng.exe writing .exe or .dll files to System32
- New SyncRootManager registry key creation under HKCU
- Failed outbound connections to definitionupdates.microsoft.com (UnDefend indicator)
Mjolnir Client Protection
HEIMDALL -- Network / DLP
Mjolnir's HEIMDALL managed detection and response platform has been updated with signatures targeting the RedSun attack chain at the network layer:
- EICAR transfer detection -- Signatures identify the EICAR test string and known PoC payloads crossing the network, catching the staging phase before the local exploit fires
- PoC reference monitoring -- Network signatures flag downloads or references to public RedSun exploit repositories and toolkits
- SERIOUSLYMSFT IOC correlation -- Known provider names and associated artefacts are correlated across HEIMDALL's threat intelligence feeds
RedSun is fundamentally a local privilege escalation. HEIMDALL's network-layer visibility catches the payload-in-transit (staging), C2 communications (post-exploitation), and lateral movement -- but the core exploitation occurs entirely on-host. Endpoint-level detection is essential.
AISOC -- Autonomous SOC
Mjolnir’s AISOC is an AI-run autonomous Security Operations Centre that provides continuous endpoint detection and response:
- Cloud Files API abuse detection -- Automated detection rules identify non-standard processes invoking CfRegisterSyncRoot and CfConnectSyncRoot outside of known cloud sync applications (OneDrive, Dropbox, etc.)
- Junction + Defender correlation -- Behavioural rules detect the creation of NTFS junction points targeting System32 combined with MsMpEng.exe file-write events within a 30-minute correlation window
- Defender writing to System32 -- Any instance of MsMpEng.exe writing executable content (.exe, .dll) to System32 triggers an immediate high-severity alert
- AI-driven signal correlation -- AISOC automatically ties Cloud Files API calls, oplock requests, junction creation, and Defender write events into a single correlated incident when they occur within a 30-minute window on the same host
- M365 Defender advanced hunting -- Scheduled KQL queries across the M365 Defender tenant hunt for historical RedSun indicators across all enrolled endpoints
- Automated triage and escalation -- AISOC performs automated triage, enrichment, and response coordination on every RedSun-correlated alert. Escalation to the Mjolnir response team is triggered automatically when the attack chain is confirmed.
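The behavioural indicators listed earlier and the AISOC correlation rules above (Cloud Files API abuse by a non-sync-client process, a junction aimed at System32, MsMpEng.exe writing .exe/.dll content into System32, all on one host inside a 30-minute window) reduce to a small correlation routine that a SIEM or EDR content engineer can adapt. The PowerShell below is an added example, not Mjolnir's AISOC logic and not Microsoft code. The event schema (Host, Time, Type, Process, Path, Detail), the sample events, the list of known sync clients and the full SyncRootManager key path are constructed or assumed for the example and must be mapped to your own telemetry.

```powershell
# Added example (not Mjolnir's or Microsoft's code): correlates the RedSun behavioural
# indicators from this advisory over endpoint events. Event fields are an assumed
# schema; map Type values to your EDR's image-load, registry, reparse-point and
# file-write events. All sample events below are constructed, not real telemetry.

# Processes whose cldapi.dll loads and SyncRootManager registrations are expected.
$KnownSyncClients = @('OneDrive.exe', 'Dropbox.exe')

# Constructed telemetry: WS-EVIL shows the full chain, WS-CLEAN shows legitimate
# OneDrive activity plus a normal Defender quarantine write that must not alert.
$SampleEvents = @(
    [pscustomobject]@{ Host='WS-EVIL';  Time=[datetime]'2026-04-20T10:00:00'; Type='ImageLoad';         Process='C:\Users\bob\AppData\Local\Temp\sync.exe'; Path='C:\Windows\System32\cldapi.dll'; Detail='' },
    [pscustomobject]@{ Host='WS-EVIL';  Time=[datetime]'2026-04-20T10:00:05'; Type='RegistryKeyCreate'; Process='C:\Users\bob\AppData\Local\Temp\sync.exe'; Path='HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager\SERIOUSLYMSFT'; Detail='' },
    [pscustomobject]@{ Host='WS-EVIL';  Time=[datetime]'2026-04-20T10:01:10'; Type='ReparsePointSet';   Process='C:\Users\bob\AppData\Local\Temp\sync.exe'; Path='C:\Users\bob\AppData\Local\stage'; Detail='C:\Windows\System32' },
    [pscustomobject]@{ Host='WS-EVIL';  Time=[datetime]'2026-04-20T10:01:12'; Type='FileWrite';         Process='C:\ProgramData\Microsoft\Windows Defender\Platform\x.y\MsMpEng.exe'; Path='C:\Windows\System32\TieringEngineService.exe'; Detail='' },
    [pscustomobject]@{ Host='WS-CLEAN'; Time=[datetime]'2026-04-20T11:00:00'; Type='ImageLoad';         Process='C:\Users\ann\AppData\Local\Microsoft\OneDrive\OneDrive.exe'; Path='C:\Windows\System32\cldapi.dll'; Detail='' },
    [pscustomobject]@{ Host='WS-CLEAN'; Time=[datetime]'2026-04-20T11:00:01'; Type='RegistryKeyCreate'; Process='C:\Users\ann\AppData\Local\Microsoft\OneDrive\OneDrive.exe'; Path='HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager\OneDrive!Example'; Detail='' },
    [pscustomobject]@{ Host='WS-CLEAN'; Time=[datetime]'2026-04-20T11:05:00'; Type='FileWrite';         Process='C:\ProgramData\Microsoft\Windows Defender\Platform\x.y\MsMpEng.exe'; Path='C:\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\sample'; Detail='' }
)

function Get-RedSunIndicators {
    # Turns raw events into tagged indicator records; one record per matching event.
    param([object[]]$Events)
    $hits = foreach ($e in $Events) {
        $proc = ($e.Process -split '\\')[-1]          # image name, works on any host OS
        $fromUserDir = $e.Process -match '\\AppData\\|\\Temp\\'
        switch ($e.Type) {
            'ImageLoad' {
                # cldapi.dll pulled in by a process living in %APPDATA%/%TEMP% that is not a known sync client
                if ($e.Path -match 'cldapi\.dll$' -and $fromUserDir -and $proc -notin $KnownSyncClients) {
                    [pscustomobject]@{ Host=$e.Host; Time=$e.Time; Indicator='cldapi_from_user_dir' }
                }
            }
            'RegistryKeyCreate' {
                # New sync root registered by something other than a known cloud sync application
                if ($e.Path -match '\\SyncRootManager\\' -and $proc -notin $KnownSyncClients) {
                    [pscustomobject]@{ Host=$e.Host; Time=$e.Time; Indicator='syncroot_unknown_process' }
                }
            }
            'ReparsePointSet' {
                # Junction / reparse point whose target is System32
                if ($e.Detail -match '^[A-Za-z]:\\Windows\\System32') {
                    [pscustomobject]@{ Host=$e.Host; Time=$e.Time; Indicator='junction_to_system32' }
                }
            }
            'FileWrite' {
                # Defender engine writing executable content into System32
                if ($proc -ieq 'MsMpEng.exe' -and $e.Path -match '^[A-Za-z]:\\Windows\\System32\\.*\.(exe|dll)$') {
                    [pscustomobject]@{ Host=$e.Host; Time=$e.Time; Indicator='defender_write_system32' }
                }
            }
        }
    }
    return @($hits)
}

function Get-RedSunIncidents {
    # Groups indicators per host and raises one incident when two or more distinct
    # indicators fall inside the window; a Defender write into System32 is High on its own.
    param([object[]]$Events, [int]$WindowMinutes = 30)
    $incidents = @()
    $byHost = Get-RedSunIndicators -Events $Events | Group-Object Host
    foreach ($g in $byHost) {
        $sorted = @($g.Group | Sort-Object Time)
        foreach ($anchor in $sorted) {
            $end = $anchor.Time.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $anchor.Time -and $_.Time -le $end })
            $kinds = @($inWindow.Indicator | Select-Object -Unique)
            $severity = if ($kinds -contains 'defender_write_system32') { 'High' }
                        elseif ($kinds.Count -ge 2) { 'Medium' }
                        else { $null }
            if ($severity) {
                $incidents += [pscustomobject]@{ Host=$g.Name; Start=$anchor.Time; Severity=$severity; Indicators=($kinds -join ',') }
                break   # one incident per host per window is enough for triage
            }
        }
    }
    return $incidents
}

Get-RedSunIncidents -Events $SampleEvents | Format-Table -AutoSize
```

Run against the constructed sample, the routine raises a single High incident for WS-EVIL carrying all four indicators and nothing for WS-CLEAN, because the known-client allow list and the Quarantine path keep legitimate OneDrive and Defender activity below the threshold. Matching on the image name rather than the full Defender platform path avoids breaking the rule on every Defender platform update; the allow list is where most tuning effort will go in a real deployment.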
Recommendations
- Enable Tamper Protection -- Verify that Defender Tamper Protection is enabled via Microsoft Intune or Group Policy. This prevents unauthorized modification of Defender settings and provides partial mitigation against the UnDefend companion flaw.
- Enable ASR rules for LSASS protection -- Attack Surface Reduction rules should block credential-stealing from LSASS (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) and block abuse of exploited vulnerable signed drivers. These limit post-exploitation impact even if RedSun succeeds.
- Audit SeCreateSymbolicLinkPrivilege -- Review which accounts and groups hold the SeCreateSymbolicLinkPrivilege right. While junction creation does not strictly require this privilege, restricting symbolic link creation reduces the attack surface for related NTFS redirection techniques.
- Enable Controlled Folder Access on System32 -- Configure Controlled Folder Access (CFA) to protect C:\Windows\System32. This may generate false positives from legitimate software installations and updates -- plan for exception tuning.
- Deploy behavioural detection rules -- Implement EDR/SIEM rules for the behavioural indicators listed in this advisory: Cloud Files API abuse, junction creation targeting System32, and MsMpEng.exe writing executable content to protected directories.
- 30-day retrospective threat hunt -- Conduct a retro-hunt across endpoint telemetry for the past 30 days, searching for the IOCs and behavioural patterns described in this advisory. Focus on SyncRootManager registry key creation and unusual cldapi.dll loading patterns.
- Consider disabling Cloud Files via GPO -- If your organization does not use the Windows Cloud Files API (OneDrive placeholders, third-party cloud sync), consider disabling cloud file functionality through Group Policy. This eliminates the initial attack vector entirely but may impact legitimate cloud file synchronization.
- Defender-exclusive is systemic risk -- RedSun demonstrates that a single-vendor endpoint protection strategy creates concentration risk. Organizations should evaluate layered endpoint protection -- combining Defender with a third-party EDR that monitors Defender itself. Defence in depth applies to endpoint security as much as network security.
- Watch MSRC for out-of-band updates -- Monitor the Microsoft Security Response Center for emergency patches addressing RedSun and UnDefend. Given the severity and public availability of exploit code, an out-of-band update is expected but not yet scheduled.
- Include RedSun primitive in red team engagements -- Incorporate the RedSun TOCTOU technique into internal red team and purple team exercises. Understanding how your detection stack responds to Defender-weaponization scenarios is critical for validating defensive controls before real adversaries test them.
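The Defender-side items in the list above (Tamper Protection state, the two ASR rules, Controlled Folder Access over System32, and who holds SeCreateSymbolicLinkPrivilege) can be audited and applied from an elevated PowerShell session on each host. The script below is an added example, not Mjolnir tooling and not a Microsoft-published script; it uses only the documented Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Add-MpPreference, Set-MpPreference) and secedit. The function names and the summary object layout are this example's own. The GUID for the "block abuse of exploited vulnerable signed drivers" rule is taken from Microsoft's published ASR rule list and is not on this page, so confirm it against current documentation before deploying.

```powershell
# Added example (not Mjolnir's or Microsoft's code): audits, and optionally applies, the
# Defender hardening recommended in this advisory. Run elevated on Windows 10/11/Server.
# Tamper Protection is set through Intune/GPO, so it is reported here but not changed.

$AsrLsassRule  = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'  # Block credential stealing from LSASS (from the advisory)
$AsrDriverRule = '56a863a9-875e-4185-98a7-b882c64b5ce5'  # Block abuse of exploited vulnerable signed drivers (assumed from MS ASR list)
$ProtectedDir  = 'C:\Windows\System32'

function Get-AsrRuleState {
    # Reports the configured action for one ASR rule; Ids and Actions are parallel arrays.
    param([string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
    $i    = [array]::IndexOf($ids, $RuleId.ToLower())
    if ($i -lt 0) { return 'NotConfigured' }
    switch ([int](@($pref.AttackSurfaceReductionRules_Actions)[$i])) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
    }
}

function Get-SymlinkPrivilegeHolders {
    # Exports local security policy and lists the SIDs granted SeCreateSymbolicLinkPrivilege,
    # resolving each to an account name where possible.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content -Path $cfg -Encoding Unicode |
            Where-Object { $_ -match '^SeCreateSymbolicLinkPrivilege\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $sids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try   { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }   # unresolvable SID: report it raw rather than hide it
    }
}

function Get-RedSunHardeningState {
    # One object per host summarising the advisory's Defender-side recommendations.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        TamperProtection        = [bool]$status.IsTamperProtected
        AsrLsassRule            = Get-AsrRuleState -RuleId $AsrLsassRule
        AsrVulnDriverRule       = Get-AsrRuleState -RuleId $AsrDriverRule
        ControlledFolderAccess  = [int]$pref.EnableControlledFolderAccess   # 0=Disabled 1=Enabled 2=AuditMode
        System32IsProtected     = (@($pref.ControlledFolderAccessProtectedFolders) -contains $ProtectedDir)
        SymlinkPrivilegeHolders = (@(Get-SymlinkPrivilegeHolders) -join '; ')
    }
}

function Invoke-RedSunHardening {
    # Applies the ASR rules and CFA. CFA starts in AuditMode so that the false positives the
    # advisory warns about can be tuned first; rerun with -CfaMode Enabled to enforce.
    param([ValidateSet('AuditMode', 'Enabled')][string]$CfaMode = 'AuditMode')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrLsassRule, $AsrDriverRule `
                     -AttackSurfaceReductionRules_Actions Enabled, Enabled
    Set-MpPreference -EnableControlledFolderAccess $CfaMode
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedDir
}

Get-RedSunHardeningState | Format-List
# Invoke-RedSunHardening                 # apply on a pilot host first
# Invoke-RedSunHardening -CfaMode Enabled # enforce after exception tuning
```

The audit function is safe to run fleet-wide (it changes nothing); the apply function is deliberately split out so that the audit output can be collected first and CFA can be promoted from AuditMode to Enabled only after the exception list has been tuned on a pilot group.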
References
- "Analysis: RedSun Local Privilege Escalation -- Defender Remediation Abuse," Core Security. coresecurity.com
- "RedSun Windows 0-Day: When Defender Becomes the Attacker," CloudSEK. cloudsek.com
- "CSA Research Note: Defender Triple Zero-Day -- BlueHammer, RedSun," Cloud Security Alliance Labs. labs.cloudsecurityalliance.org
- "BlueHammer, RedSun, UnDefend: Windows Defender 0-Days," SOCRadar. socradar.io
- "New Microsoft Defender RedSun Zero-Day PoC Grants System Privileges," BleepingComputer. bleepingcomputer.com
- "Caught, Quarantined, Re-installed: RedSun Turns Microsoft Defender on Itself," CSO Online. csoonline.com
- "Defender 0-Day RedSun," CybersecurityNews. cybersecuritynews.com
- "BlueHammer, RedSun: Windows Defender CVE-2026-33825 Zero-Day Vulnerability Explained," Picus Security. picussecurity.com
- "Three Microsoft Defender Zero-Days," The Hacker News. thehackernews.com
Not Currently Protected? Let's Talk.
Mjolnir Security provides HEIMDALL MDR and AISOC -- purpose-built to detect and respond to zero-day exploitation chains like RedSun before they reach SYSTEM. Our detection engineering team has deployed RedSun-specific rules across all managed clients. If you are not yet a Mjolnir client, contact us to discuss coverage.
- 24/7 Incident Hotline: +1 833 403 5875
- Sales & Onboarding: sales@mjolnirsecurity.com
- Corporate Site: mjolnirsecurity.com
"There is no problem that cannot be solved by a hammer!"