Microsoft Defender 'RedSun' Zero-Day: Unpatched Privilege Escalation Exploit Actively Weaponized
Three zero-day exploits targeting Microsoft Defender dropped in a 13-day window this April. The first, BlueHammer, got a patch. The other two did not. One of them, RedSun, grants full SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019+ with approximately 100% reliability, even on systems carrying the April 2026 patches, because it remains unpatched [1][3][10]. Huntress researchers have confirmed active exploitation in the wild: BlueHammer since April 10, 2026, and RedSun/UnDefend since April 16, 2026 [2][6]. The exploit is public, the PoC works, and there is no patch.
The researcher behind all three, operating under the handles "Chaotic Eclipse" and "Nightmare Eclipse," published RedSun on April 16 [1][2]. Security researcher Will Dormann independently confirmed the exploit works and delivers SYSTEM privileges [1][3]. This is not theoretical. The exploit is live.
Background: A Rapid-Fire Disclosure Campaign
The story starts on April 7, 2026, when Chaotic Eclipse disclosed BlueHammer, a local privilege escalation exploit targeting Microsoft Defender [4]. Microsoft assigned it CVE-2026-33825 with a CVSS score of 7.8 (High) and released a patch on April 14 as part of Patch Tuesday, later crediting researchers Zen Dodd and Yuanpei Xu for the discovery [4][7]. The fix shipped as Antimalware Platform update version 4.18.26030.3011 [7].
That patch did not hold for long. By April 16, Chaotic Eclipse dropped two more exploits: RedSun (another privilege escalation) and UnDefend (a denial-of-service attack that blocks Defender definition updates) [2][6]. Both remain unpatched as of April 17, 2026 [2][3]. Huntress observed BlueHammer exploitation being blocked by Defender starting April 10, meaning threat actors had already weaponized the first exploit before the patch fully propagated [2][6]. RedSun and UnDefend exploitation was observed starting April 16, the same day the PoCs went public [2][6].
The exploit code is hosted on the researcher's GitHub repository under the Nightmare-Eclipse handle [8]. All three tools are publicly available.
How RedSun Works: Defender Becomes the Attacker
RedSun's core trick is elegant and brutal. It abuses Windows Defender's cloud file rollback mechanism, specifically the way Defender handles files tagged with cloud metadata during remediation [1][4].
Here's the chain:
When Defender identifies a malicious file that carries a cloud tag (set via the Cloud Files API), it triggers a remediation routine. That routine rewrites the flagged file to its original location [1]. The problem: Defender does not validate reparse points during this operation. According to CloudSEK's analysis, the root cause is a missing reparse point validation in MpSvc.dll, the core Malware Protection Engine library [10].
An attacker with a standard user account can exploit this by:
- Creating a malicious file in a user-writable location (e.g., C:\Users\[user]\Downloads\RedSun.exe) [2]
- Tagging it with cloud metadata using the Cloud Files API and the sync provider name SERIOUSLYMSFT [9]
- Planting a reparse point (junction or symlink) so that when Defender "remediates" the file, the write is redirected to a privileged location like C:\Windows\System32 [10]
- Defender, running as SYSTEM, dutifully overwrites a system binary (the documented target is TieringEngineService.exe) with attacker-controlled content [1]
This results in arbitrary file write as SYSTEM. From there, code execution at the highest privilege level is trivial.
As one source summarized the flaw: "When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location" [1].
The Race Condition
Picus Security's analysis identifies a race condition in Defender's file remediation logic as the underlying vulnerability class [4]. The timing window between Defender detecting the file, initiating remediation, and completing the write operation allows the attacker to swap the target via the reparse point. Because Defender runs with SYSTEM privileges by design, the redirected write inherits those privileges.
This is distinct from BlueHammer's technique, even though both target Defender's file handling behavior. BlueHammer used a different staging approach (files placed in C:\Users\[user]\Pictures\FunnyApp.exe) but exploited the same general trust relationship between Defender and the files it processes [2][4].
UnDefend: The Third Exploit
While RedSun gets the headlines, UnDefend deserves mention. This third exploit triggers a denial-of-service condition that blocks Defender definition updates [6]. It does not escalate privileges, but it degrades the security posture of affected systems, potentially creating a window for other attacks. UnDefend is also unpatched and actively exploited [2][6]. The tool is distributed as UnDefend.exe [8].
The combination of all three creates a potent attack chain: use UnDefend to blind Defender's signatures, then use RedSun to escalate to SYSTEM.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| filename | RedSun.exe | Main exploit executable | [1] |
| filename | TieringEngineService.exe | System file targeted for overwrite | [1] |
| filename | C:\Users\[user]\Downloads\RedSun.exe | RedSun staging location | [2] |
| filename | C:\Users\[user]\Pictures\FunnyApp.exe | BlueHammer staging location | [2] |
| filename | FunnyApp.exe | BlueHammer exploit binary | [8] |
| filename | UnDefend.exe | DoS tool against Defender updates | [8] |
| filename | z.exe | Renamed exploit binary variant | [8] |
| filename | cldapi.dll | Cloud Files API component used in exploit | [3] |
| filename | MpSvc.dll | Vulnerable Defender engine library | [10] |
| malware | BlueHammer | First LPE exploit in series (patched) | [6] |
| malware | RedSun | Second LPE exploit, file write primitive | [6] |
| malware | UnDefend | DoS exploit against Defender definitions | [6] |
| string | SERIOUSLYMSFT | Cloud sync provider name, exact-match IOC | [9] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1548 | Abuse Elevation Control Mechanism | Core technique: abusing Defender's SYSTEM-level file write during remediation [1][4] |
| T1083 | File and Directory Discovery | Attacker identifies target system files for overwrite [10] |
| T1562.001 | Impair Defenses: Disable or Modify Tools | UnDefend blocks Defender definition updates [6] |
| T1055 | Process Injection | Post-exploitation via overwritten system binaries [1] |
Detection and Hunting
Cloud Files API abuse: Monitor for processes registering cloud sync providers with unusual names. The provider name SERIOUSLYMSFT is an exact-match indicator [9]. Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate) with command-line arguments referencing cldapi.dll or cloud file registration APIs should be flagged.
Reparse point creation in user directories: Watch for junction or symlink creation in user-writable paths that point to C:\Windows\System32 or other protected directories. Sysmon can log these. Look for mklink or equivalent API calls from non-admin processes.
Defender remediation targeting system binaries: Defender's operational log (Microsoft-Windows-Windows Defender/Operational, Event IDs 1116-1117) will show detections and remediation actions. Correlate remediation events with unexpected file modifications in System32.
Known filenames: Hunt for RedSun.exe, FunnyApp.exe, UnDefend.exe, and z.exe across endpoint telemetry. These are the documented exploit filenames from the public PoCs [1][2][8].
TieringEngineService.exe modifications: Any write to or replacement of TieringEngineService.exe outside of Windows Update should trigger an immediate alert [1].
SIEM query example (Splunk):
```
index=sysmon (EventCode=11 OR EventCode=1)
  ("SERIOUSLYMSFT" OR "RedSun.exe" OR "FunnyApp.exe" OR "UnDefend.exe" OR "z.exe" OR "TieringEngineService.exe")
| stats count by host, Image, TargetFilename, CommandLine
```
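The hunting guidance above, as an added Python example (not code from the article or from any of the cited sources): it runs the same checks over a handful of constructed Sysmon-style records, matching the known filenames, the SERIOUSLYMSFT provider name and cldapi.dll references, flagging any write to TieringEngineService.exe by an image outside \Windows\servicing\, and then correlating a write to that binary with its execution on the same host within an hour. Field names follow Sysmon's schema; the hostnames, timestamps, the Defender platform path and the one-hour window are assumptions.

```python
"""Added example: indicator matching and write-then-execute correlation over
Sysmon-style records, mirroring the hunting guidance above. Not code from the
article; the sample events at the bottom are constructed."""
from datetime import datetime, timedelta

# Indicators named in the article.
KNOWN_FILENAMES = {"redsun.exe", "funnyapp.exe", "undefend.exe", "z.exe"}
PROVIDER_NAME = "SERIOUSLYMSFT"            # exact-match cloud sync provider name
CLOUD_API_DLL = "cldapi.dll"
TARGET_BINARY = "\\windows\\system32\\tieringengineservice.exe"
SERVICING_PATH = "\\windows\\servicing\\"  # legitimate Windows Update writes come from here


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _utc(event):
    # Sysmon UtcTime format, e.g. "2026-04-16 14:03:22.000"
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def match_indicators(event):
    """Return the indicator names a single event hits (empty list if none)."""
    hits = []
    cmd = event.get("CommandLine", "")
    if PROVIDER_NAME in cmd:
        hits.append("provider_name")
    if CLOUD_API_DLL in cmd.lower():
        hits.append("cloud_api_dll")
    for field in ("Image", "TargetFilename"):
        if _basename(event.get(field, "")) in KNOWN_FILENAMES:
            hits.append("known_filename:" + field)
    # A write to the documented target binary by anything other than servicing.
    if (event.get("EventID") == 11
            and event.get("TargetFilename", "").lower().endswith(TARGET_BINARY)
            and SERVICING_PATH not in event.get("Image", "").lower()):
        hits.append("system32_write_outside_servicing")
    return hits


def correlate_modify_then_execute(events, window=timedelta(hours=1)):
    """Hosts where TieringEngineService.exe was written (EventID 11) and then
    launched (EventID 1) within `window`; returns (host, written, executed)."""
    target = _basename(TARGET_BINARY)
    writes = {}
    for ev in events:
        if ev.get("EventID") == 11 and _basename(ev.get("TargetFilename", "")) == target:
            writes.setdefault(ev["host"], []).append(_utc(ev))
    findings = []
    for ev in events:
        if ev.get("EventID") == 1 and _basename(ev.get("Image", "")) == target:
            launched = _utc(ev)
            for written in writes.get(ev["host"], []):
                if timedelta(0) <= launched - written <= window:
                    findings.append((ev["host"], written.isoformat(), launched.isoformat()))
                    break
    return findings


def hunt(events):
    """Indicator hits per event plus the write-then-execute correlation."""
    hits = [(ev["host"], ev["EventID"], h) for ev in events if (h := match_indicators(ev))]
    return {"indicator_hits": hits,
            "modify_then_execute": correlate_modify_then_execute(events)}


# Constructed sample telemetry (hosts, times and paths are assumptions).
SAMPLE_EVENTS = [
    {"host": "ws01", "EventID": 1, "UtcTime": "2026-04-16 13:58:10.000",
     "Image": "C:\\Users\\alice\\Downloads\\RedSun.exe", "CommandLine": "RedSun.exe"},
    {"host": "ws01", "EventID": 11, "UtcTime": "2026-04-16 13:59:02.000",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26030.3011\\MsMpEng.exe",
     "TargetFilename": "C:\\Windows\\System32\\TieringEngineService.exe"},
    {"host": "ws01", "EventID": 1, "UtcTime": "2026-04-16 14:03:22.000",
     "Image": "C:\\Windows\\System32\\TieringEngineService.exe", "CommandLine": "TieringEngineService.exe"},
    {"host": "ws02", "EventID": 11, "UtcTime": "2026-04-14 09:00:00.000",
     "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\TieringEngineService.exe"},
    {"host": "ws03", "EventID": 1, "UtcTime": "2026-04-16 16:20:00.000",
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(hunt(SAMPLE_EVENTS))
```

The servicing-path exclusion is the same filter the Splunk query uses; on real telemetry it should be widened to whatever your patch management tooling legitimately uses to replace System32 binaries, otherwise Patch Tuesday itself will trip the rule.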
Analysis
This situation is serious for several concrete reasons.
First, the affected surface is enormous. Every Windows 10, Windows 11, and Server 2019+ system running Defender (which is the default, and increasingly the primary endpoint protection in enterprise environments) is vulnerable [1][3]. Systems with Defender disabled are not in an exploitable state [5], but that is hardly a useful mitigation for most organizations.
Second, exploitation requires only a standard user account and local access. That is a low bar. Any post-compromise foothold, any malicious insider, any malware that lands via phishing can chain into SYSTEM. The approximately 100% reliability claim [3][10] makes this especially dangerous: this is not a fragile exploit that fails on certain configurations.
Third, the exploit abuses Defender's own protective behavior. Defender's remediation routine is the attack vector. This creates a detection paradox where the malicious activity looks like Defender doing its job.
Microsoft's April Patch Tuesday addressed 167 vulnerabilities and included the BlueHammer fix [5][7]. The Antimalware Platform updates automatically by default [5], which means the BlueHammer patch likely reached most managed systems. But RedSun and UnDefend had no patches included because they were disclosed after Patch Tuesday. Microsoft will likely need to ship an out-of-band update or wait until May's cycle.
Red Sheep Assessment
Confidence: High (based on multiple independent confirmations, public PoC code, and documented active exploitation)
The coordinated release of three exploits targeting the same product within 13 days [4] looks deliberate. Chaotic Eclipse appears to have identified a class of vulnerabilities in Defender's file handling logic, not just individual bugs. BlueHammer tested the waters. RedSun and UnDefend followed after the patch proved Microsoft could fix the first variant but not the underlying design issue.
The choice of the provider name SERIOUSLYMSFT [9] signals frustration, likely from a researcher who reported these issues and felt the response was inadequate. This pattern (public disclosure after perceived vendor inaction) is familiar.
What the sources collectively suggest but do not state outright: there are probably more variants. The core flaw is Defender performing SYSTEM-privileged file operations based on user-controllable inputs without adequate validation. The specific reparse point trick in MpSvc.dll [10] is one manifestation, but the architectural issue (a SYSTEM-privileged service trusting file metadata set by unprivileged users) likely has additional exploitation paths. Defenders should prepare for a fourth or fifth disclosure.
The active exploitation observed by Huntress [2][6] within hours of the PoC release indicates either very fast weaponization by threat actors monitoring the researcher's GitHub, or (more likely) the researcher's public statement that threat actors were already using variants of these techniques before public disclosure. Organizations that have not implemented compensating controls are already behind.
An alternative read: Microsoft may view UnDefend (the DoS variant) as lower priority, but combined with RedSun, it creates a compound threat where attackers can simultaneously blind Defender and escalate privileges. Treating these as separate issues would be a mistake.
Defender's Checklist
- [ ] Hunt for known IOCs immediately: Search endpoint telemetry for RedSun.exe, FunnyApp.exe, UnDefend.exe, z.exe, and the provider name SERIOUSLYMSFT using your EDR or SIEM. Query: "SERIOUSLYMSFT" OR "RedSun.exe" OR "UnDefend.exe" OR "FunnyApp.exe" [1][2][8][9]
- [ ] Monitor and alert on reparse point creation: Enable Sysmon with a configuration that logs junction and symlink creation (Event ID 11 with ReparsePoint). Alert on any reparse points in user-writable directories targeting System32 or other protected paths [10]
- [ ] Verify Defender platform version: Confirm Antimalware Platform is at least version 4.18.26030.3011 (patches BlueHammer). Check via PowerShell: Get-MpComputerStatus | Select AMProductVersion. Manual update path: Windows Security > Virus & threat protection > Protection updates [7]
- [ ] Implement file integrity monitoring on critical system binaries: Set up FIM alerts for any modification to TieringEngineService.exe and other service executables in System32 that are not associated with Windows Update [1]
- [ ] Evaluate compensating controls: For high-value assets, consider supplementing Defender with endpoint detection and response (EDR) solutions that provide behavior-based detection capabilities independent of Defender's engine. Monitor Microsoft's Security Response Center for out-of-band updates [2][6]
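The platform version check from the checklist, as an added Python example for fleet-wide use (not code from the article): it pulls AMProductVersion out of Get-MpComputerStatus output and compares it numerically against 4.18.26030.3011. The numeric comparison matters because a plain string comparison sorts a version such as 4.18.9000.0 after 4.18.26030.3011 and would report an unpatched host as fixed. The sample console output is constructed, and its engine version is a placeholder.

```python
"""Added example: Antimalware Platform version check against the BlueHammer
fix level named in the checklist. Not code from the article; the sample
Get-MpComputerStatus output below is constructed."""

MIN_PATCHED = "4.18.26030.3011"   # platform version that shipped the BlueHammer fix [7]


def parse_version(text):
    """'4.18.26030.3011' -> (4, 18, 26030, 3011). Tuples of ints compare
    numerically, so '4.18.9000.0' correctly sorts before '4.18.26030.3011'."""
    return tuple(int(part) for part in text.strip().split("."))


def platform_is_patched(reported, minimum=MIN_PATCHED):
    """True when the reported platform version is at or above `minimum`."""
    a, b = parse_version(reported), parse_version(minimum)
    width = max(len(a), len(b))               # pad shorter versions with zeros
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def am_product_version(mp_status_text):
    """Pull AMProductVersion out of `Get-MpComputerStatus` console output."""
    for line in mp_status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "AMProductVersion":
            return value.strip()
    return None


def check(mp_status_text):
    """(reported version or None, patched?) for one host's status output."""
    version = am_product_version(mp_status_text)
    return version, (version is not None and platform_is_patched(version))


# Constructed sample of what the PowerShell check prints (engine version is a placeholder).
SAMPLE_STATUS = """\
AMEngineVersion                 : 1.1.00000.0
AMProductVersion                : 4.18.26030.3011
AMServiceEnabled                : True
"""

if __name__ == "__main__":
    print(check(SAMPLE_STATUS))
```

Remember that this confirms only the BlueHammer fix; RedSun and UnDefend have no platform version to check against until Microsoft ships one.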
References
1. BleepingComputer: New Microsoft Defender "RedSun" zero-day PoC grants SYSTEM privileges
2. Help Net Security: Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild
3. Cybersecurity News: Microsoft Defender 0-Day Vulnerability "RedSun" Enables Full SYSTEM Access
4. Picus Security: BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-day Vulnerability Explained
5. Rapid7: Patch Tuesday - April 2026
6. The Hacker News: Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
7. BleepingComputer: Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days
8. GitHub: Nightmare-Eclipse Repository
9. Ampcus Cyber: RedSun and UnDefend Zero-Day Exploits Hit Defender
10. CloudSEK: RedSun: Windows 0day when Defender becomes the attacker
---
Hunt Guide: Hunt Report: Microsoft Defender RedSun Zero-Day Privilege Escalation
Hypothesis: If threat actors are exploiting the RedSun/UnDefend zero-days in our environment, we expect to observe Cloud Files API abuse, reparse point creation targeting system directories, and modifications to TieringEngineService.exe in Windows Defender telemetry and Sysmon logs.
Intelligence Summary: Three zero-day exploits targeting Microsoft Defender were disclosed in April 2026, with RedSun providing unpatched SYSTEM privilege escalation on all modern Windows systems. Active exploitation began within hours of public disclosure, with the exploit achieving ~100% reliability by abusing Defender's cloud file remediation mechanism.
Confidence: High | Priority: Critical
Scope
- Networks: All Windows 10/11 and Server 2019+ systems with Microsoft Defender enabled
- Timeframe: Initial: 7 days retrospective from April 10, 2026; Continuous: Real-time alerting
- Priority Systems: Domain controllers, privileged access workstations, Tier 0 assets, systems with local admin accounts
MITRE ATT&CK Techniques
T1548.002 — Bypass User Account Control (Privilege Escalation) [P1]
RedSun exploits Defender's SYSTEM-privileged file remediation to overwrite system binaries via reparse points
Splunk SPL:
```
index=sysmon (EventCode=11 OR EventCode=1)
  ("SERIOUSLYMSFT" OR "cldapi.dll"
   OR (TargetFilename="*\\Windows\\System32\\TieringEngineService.exe" AND NOT Image="*\\Windows\\servicing\\*"))
| eval suspicious_reparse=if(match(TargetFilename,"Junction|SymbolicLink") AND match(TargetFilename,"System32"),1,0)
| stats count by host, Image, TargetFilename, CommandLine, suspicious_reparse
| where suspicious_reparse=1 OR count>0
```
Elastic KQL:
event.provider:"Microsoft-Windows-Sysmon" AND (event.code:11 OR event.code:1) AND ("SERIOUSLYMSFT" OR "cldapi.dll" OR (file.path:"*\\Windows\\System32\\TieringEngineService.exe" AND NOT process.executable:"*\\Windows\\servicing\\*"))
Sigma Rule:
```yaml
title: Microsoft Defender RedSun Zero-Day Exploitation
id: 8f4a2c4e-7b91-4d3a-9f2e-1a3b5c7d8e9f
status: experimental
description: Detects exploitation of Microsoft Defender RedSun zero-day (unpatched privilege escalation)
author: RedSheep Security/Stone
date: 2026/04/17
modified: 2026/04/17
references:
  - https://www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/
tags:
  - attack.privilege_escalation
  - attack.t1548.002
  - cve.2026.pending
logsource:
  product: windows
  service: sysmon
detection:
  selection_api:
    EventID: 1
    CommandLine|contains:
      - 'cldapi.dll'
      - 'SERIOUSLYMSFT'
  selection_file:
    EventID: 11
    TargetFilename|contains: '\Windows\System32\TieringEngineService.exe'
  filter:
    Image|contains: '\Windows\servicing\'
  condition: selection_api or (selection_file and not filter)
falsepositives:
  - Windows Update operations
level: critical
```
Monitor for Cloud Files API registration with provider name 'SERIOUSLYMSFT'. False positives unlikely for this specific provider name.
T1562.001 — Impair Defenses: Disable or Modify Tools (Defense Evasion) [P2]
UnDefend DoS attack blocks Windows Defender definition updates
Splunk SPL:
```
index=windows sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational"
  (EventCode=2000 OR EventCode=2001 OR EventCode=2002) "Definition update" "failed"
| eval hours_since_update=round((now()-_time)/3600,1)
| where hours_since_update>24
| stats max(hours_since_update) as hours_stale by host
| where hours_stale>48
```
Elastic KQL:
event.provider:"Microsoft-Windows-Windows Defender" AND event.code:(2000 OR 2001 OR 2002) AND message:(*failed* AND *definition*)
Sigma Rule:
```yaml
title: Windows Defender Definition Update Failure
id: 7c3e1f4a-8b92-4e5c-af3d-2b4c6d8f9a1e
status: stable
description: Detects Windows Defender definition update failures potentially caused by UnDefend DoS
author: Florian Roth (Nextron Systems)
date: 2022/08/12
modified: 2026/04/17
references:
  - https://www.helpnetsecurity.com/2026/04/17/microsoft-defender-zero-days-exploited/
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  product: windows
  service: windefend
detection:
  selection:
    EventID:
      - 2000
      - 2001
      - 2002
    Message|contains:
      - 'Definition update failed'
      - 'unable to download'
  condition: selection
falsepositives:
  - Network connectivity issues
  - Proxy configuration problems
level: medium
```
Combine with process creation events for UnDefend.exe. Alert if definitions are >48 hours stale.
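The staleness logic the SPL above expresses, combined with UnDefend.exe process creation as the note suggests, as an added Python example (not code from the article): it reduces constructed Defender Operational records and Sysmon process-creation records to a per-host verdict. It assumes Event ID 2000 marks a successful definition update and 2001 a failed one; the hosts, timestamps and the reference time are constructed.

```python
"""Added example: per-host Defender definition staleness check over
constructed Defender Operational and Sysmon records. Not code from the article."""
from datetime import datetime, timedelta

STALE_AFTER = timedelta(hours=48)   # threshold from the guidance above
EVENT_UPDATED = 2000                # assumed: definitions updated successfully
EVENT_FAILED = 2001                 # assumed: definition update failed


def _t(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def definition_status(defender_events, process_events, now):
    """Return {host: {hours_since_update, failures, undefend_seen, verdict}}."""
    last_ok, failures, hosts = {}, {}, set()
    for ev in defender_events:
        host, when = ev["host"], _t(ev["TimeCreated"])
        hosts.add(host)
        if ev["EventID"] == EVENT_UPDATED:
            if host not in last_ok or when > last_ok[host]:
                last_ok[host] = when
        elif ev["EventID"] == EVENT_FAILED:
            failures[host] = failures.get(host, 0) + 1
    undefend_hosts = {ev["host"] for ev in process_events
                      if ev["EventID"] == 1 and ev["Image"].lower().endswith("\\undefend.exe")}
    report = {}
    for host in sorted(hosts | undefend_hosts):
        age = (now - last_ok[host]) if host in last_ok else None
        stale = age is None or age > STALE_AFTER   # no good update at all counts as stale
        failed = failures.get(host, 0)
        ran_undefend = host in undefend_hosts
        if stale and (ran_undefend or failed):
            verdict = "critical"     # stale, and telemetry explains why
        elif stale:
            verdict = "stale"
        elif ran_undefend or failed:
            verdict = "degraded"     # not yet stale, but updates are already failing
        else:
            verdict = "ok"
        report[host] = {
            "hours_since_update": None if age is None else round(age.total_seconds() / 3600, 1),
            "failures": failed,
            "undefend_seen": ran_undefend,
            "verdict": verdict,
        }
    return report


# Constructed sample telemetry (hosts and times are assumptions).
DEFENDER_EVENTS = [
    {"host": "ws01", "EventID": 2000, "TimeCreated": "2026-04-15T08:00:00"},
    {"host": "ws01", "EventID": 2001, "TimeCreated": "2026-04-16T08:00:00"},
    {"host": "ws01", "EventID": 2001, "TimeCreated": "2026-04-17T08:00:00"},
    {"host": "ws02", "EventID": 2000, "TimeCreated": "2026-04-18T06:00:00"},
    {"host": "ws03", "EventID": 2000, "TimeCreated": "2026-04-17T20:00:00"},
    {"host": "ws03", "EventID": 2001, "TimeCreated": "2026-04-18T08:00:00"},
]
PROCESS_EVENTS = [
    {"host": "ws01", "EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\UnDefend.exe"},
]
NOW = _t("2026-04-18T12:00:00")

if __name__ == "__main__":
    for host, row in definition_status(DEFENDER_EVENTS, PROCESS_EVENTS, NOW).items():
        print(host, row)
```

A host that has run UnDefend.exe is reported even when it has no Defender update events at all, since a complete absence of successful updates is exactly what the DoS would produce.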
T1055 — Process Injection (Execution) [P1]
Post-exploitation via overwritten TieringEngineService.exe system binary
Splunk SPL:
```
index=sysmon EventCode=1 Image="*\\TieringEngineService.exe"
| join type=outer host
    [search index=sysmon EventCode=11 TargetFilename="*\\TieringEngineService.exe" earliest=-24h
     | stats latest(_time) as file_modified by host]
| eval suspicious=if(file_modified>relative_time(now(),"-1h@h"),1,0)
| where suspicious=1
| table host, Image, CommandLine, ParentImage, file_modified
```
Elastic KQL:
event.code:1 AND process.executable:"*\\TieringEngineService.exe" AND event.provider:"Microsoft-Windows-Sysmon"
TieringEngineService.exe execution after recent modification is high-confidence indicator. Baseline normal service behavior first.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| filename | RedSun.exe | Primary RedSun exploit executable |
| filename | UnDefend.exe | DoS tool blocking Defender definition updates |
| filename | FunnyApp.exe | BlueHammer exploit binary (CVE-2026-33825) |
| filename | z.exe | Renamed exploit binary variant |
| filename | TieringEngineService.exe | System file targeted for overwrite by RedSun |
| registry | SERIOUSLYMSFT | Cloud sync provider name used in exploitation |
IOC Sweep Queries (Splunk):
index=* ("RedSun.exe" OR TargetFilename="*RedSun.exe" OR Image="*RedSun.exe" OR FileName="RedSun.exe") | stats count by index, sourcetype, host | where count>0
index=* ("UnDefend.exe" OR TargetFilename="*UnDefend.exe" OR Image="*UnDefend.exe" OR FileName="UnDefend.exe") | stats count by index, sourcetype, host | where count>0
index=* ("FunnyApp.exe" OR TargetFilename="*FunnyApp.exe" OR Image="*FunnyApp.exe" OR FileName="FunnyApp.exe") | stats count by index, sourcetype, host | where count>0
index=* (Image="*\\z.exe" OR TargetFilename="*\\z.exe" OR FileName="z.exe") | stats count by index, sourcetype, host | where count>0
index=sysmon EventCode=11 TargetFilename="*\\System32\\TieringEngineService.exe" NOT Image="*\\Windows\\servicing\\*" | stats count by host, Image, User | where count>0
index=* "SERIOUSLYMSFT" | stats count by index, sourcetype, host, _raw | where count>0
YARA Rules
SUSP_Defender_RedSun_Exploit_Indicators — Detects RedSun/UnDefend exploit binaries and artifacts
```yara
rule SUSP_Defender_RedSun_Exploit_Indicators {
    meta:
        description = "Detects Microsoft Defender RedSun/UnDefend zero-day exploit indicators"
        author = "RedSheep Security/Stone"
        date = "2026-04-17"
        reference = "https://www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/"
        score = 85
    strings:
        $s1 = "SERIOUSLYMSFT" ascii wide
        $s2 = "cldapi.dll" ascii
        $s3 = "TieringEngineService.exe" ascii
        $s4 = "Cloud Files API" ascii
        $f1 = "RedSun.exe" ascii wide nocase
        $f2 = "UnDefend.exe" ascii wide nocase
        $f3 = "FunnyApp.exe" ascii wide nocase
        $hex1 = { 52 65 64 53 75 6E 2E 65 78 65 }          // RedSun.exe
        $hex2 = { 55 6E 44 65 66 65 6E 64 2E 65 78 65 }    // UnDefend.exe
    condition:
        uint16(0) == 0x5A4D and (
            2 of ($s*) or
            any of ($f*) or
            any of ($hex*)
        )
}
```
HKTL_CloudAPI_Abuse — Detects potential abuse of Windows Cloud Files API for privilege escalation
```yara
rule HKTL_CloudAPI_Abuse {
    meta:
        description = "Detects potential abuse of Windows Cloud Files API"
        author = "Florian Roth (Nextron Systems)"
        date = "2023-07-15"
        reference = "Internal Research"
    strings:
        $api1 = "CfRegisterSyncProvider" ascii
        $api2 = "CfConnectSyncRoot" ascii
        $api3 = "CfSetPinState" ascii
        $dll = "cldapi.dll" ascii
        $susp1 = "mklink" ascii
        $susp2 = "junction" ascii nocase
    condition:
        uint16(0) == 0x5A4D and (
            ($dll and 2 of ($api*)) or
            ($dll and any of ($susp*))
        )
}
```
Suricata Rules
SID 2026041701 — Potential Microsoft Defender RedSun exploit download
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Potential Microsoft Defender RedSun Zero-Day Download"; flow:established,to_server; content:"GET"; http_method; content:"RedSun.exe"; http_uri; fast_pattern; content:"github"; http_host; pcre:"/\/(RedSun|UnDefend|FunnyApp)\.exe$/i"; reference:url,www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/; classtype:attempted-admin; sid:2026041701; rev:1;)
SID 2026041702 — GitHub access to Nightmare-Eclipse exploit repository
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GitHub Access to Known Exploit Repository - Nightmare-Eclipse"; flow:established,to_server; content:"GET"; http_method; content:"github.com"; http_host; content:"/Nightmare-Eclipse"; http_uri; reference:url,github.com/Nightmare-Eclipse; classtype:policy-violation; sid:2026041702; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1548.002, T1055, T1562.001 | EventID 1 (process creation), EventID 11 (file creation) with reparse point tracking enabled |
| Windows Defender Operational Log | T1548.002, T1562.001 | Event IDs 1116-1117 (detections), 2000-2002 (definition updates) |
| Windows Security Log | T1055 | EventID 4688 (process creation with command line auditing) |
| PowerShell ScriptBlock Logging | T1548.002 | EventID 4104 for Cloud Files API calls via PowerShell |
Sources
- BleepingComputer: New Microsoft Defender 'RedSun' zero-day PoC grants SYSTEM privileges
- Help Net Security: Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild
- Cybersecurity News: Microsoft Defender 0-Day Vulnerability 'RedSun' Enables Full SYSTEM Access
- Picus Security: BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-day Vulnerability Explained
- Rapid7: Patch Tuesday - April 2026
- The Hacker News: Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
- BleepingComputer: Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days
- GitHub: Nightmare-Eclipse Repository
- Ampcus Cyber: RedSun and UnDefend Zero-Day Exploits Hit Defender
- CloudSEK: RedSun: Windows 0day when Defender becomes the attacker