RedSun, BlueHammer, and UnDefend: How Three Unpatched Windows Zero-Days Are Handing Attackers SYSTEM Access on a Silver Platter + Video


Introduction

In a dramatic escalation of the ongoing conflict between security researchers and Microsoft, a researcher known as “Chaotic Eclipse” (aka Nightmare-Eclipse) has publicly released proof-of-concept (PoC) exploits for three distinct Windows Defender zero-day vulnerabilities. Dubbed BlueHammer, RedSun, and UnDefend, these flaws—two of which remain unpatched as of April 2026—allow a local, unprivileged attacker to achieve NT AUTHORITY\SYSTEM privileges or completely cripple a system’s defenses, marking a critical moment in endpoint security.

Learning Objectives

  • Understand the technical mechanics behind the BlueHammer (CVE-2026-33825), RedSun, and UnDefend Windows Defender zero-day exploits.
  • Learn to identify indicators of compromise (IOCs) and detection methodologies for these specific privilege escalation attacks.
  • Master hands-on defensive tactics, including log analysis, access control hardening, and mitigation strategies using PowerShell and Windows-native tools.

You Should Know

  1. RedSun: Weaponizing a Defender “Feature” to Overwrite System Files
    The RedSun vulnerability is a particularly elegant and troubling Local Privilege Escalation (LPE) flaw. It exploits an unexpected and “hilarious” behavior within Windows Defender: when the antivirus engine detects a malicious file that has a specific cloud tag, instead of simply quarantining it, Defender rewrites that file back to its original location. The PoC abuses this logic to overwrite a protected system file, effectively allowing an attacker to elevate from a standard user to the SYSTEM account.

    How It Works (High-Level): The attacker places a specially crafted file that Defender tags as “malicious with cloud intelligence.” Defender’s engine, due to a race condition or logical flaw, rewrites the file to a privileged location, overwriting a critical system binary.
    Detection: Monitor for repeated, rapid writes to sensitive system directories (e.g., C:\Windows\System32\drivers\) by the `MsMpEng.exe` (Defender) process. Look for Event IDs 4656 and 4663 (File System) with `ObjectName` pointing to core system files.

Hands-On Analysis (PowerShell):

```powershell
# Monitor for file writes by Defender to critical paths.
# FileSystemWatcher has no Action property, so the handler is attached with
# Register-ObjectEvent; Path is the directory and Filter narrows it to *.sys.
$watcher = New-Object System.IO.FileSystemWatcher -Property @{
    Path                  = "C:\Windows\System32\drivers"
    Filter                = "*.sys"
    IncludeSubdirectories = $false
    NotifyFilter          = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
}
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent -InputObject $watcher -EventName Changed -SourceIdentifier RedSunWatch -Action {
    Write-Host "Potential RedSun overwrite attempt on $($Event.SourceEventArgs.FullPath)"
}
# Stop watching with: Unregister-Event -SourceIdentifier RedSunWatch
```
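The watcher above only reacts to writes that happen while it is running and cannot tell which process performed them. As an added example (not code from the original post), the following retrospective hunt walks Security Event ID 4663 for the last 24 hours, keeps only write-type accesses whose `ProcessName` is `MsMpEng.exe` and whose `ObjectName` sits under a protected directory, and then flags objects that were written more than once, which is the "repeated, rapid writes" pattern the detection note describes. It assumes object-access auditing is enabled for those directories and that they carry a SACL; without that, Windows never writes 4663. The directory list and the repeat threshold are assumptions for illustration.

```powershell
# Added example, not from the original post. Assumes File System auditing
# (auditpol /set /subcategory:"File System" /success:enable) and a SACL on
# the directories below; otherwise no 4663 events exist to search.

$protectedPaths = @(          # assumed list; extend to match your baseline
    'C:\Windows\System32\drivers\',
    'C:\Windows\System32\'
)
$repeatThreshold = 2          # assumed: flag objects written more than once

# 4663 AccessMask bits for WriteData (0x2), AppendData (0x4), WriteAttributes (0x100)
$writeMask = 0x2 -bor 0x4 -bor 0x100

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $mask = [int]$d['AccessMask']                       # "0x2" style hex string
    if (($mask -band $writeMask) -eq 0)                { continue }
    if ($d['ProcessName'] -notmatch '\\MsMpEng\.exe$') { continue }

    $obj = [string]$d['ObjectName']
    $inProtected = $protectedPaths | Where-Object {
        $obj.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
    }
    if ($inProtected) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Object     = $obj
            Subject    = $d['SubjectUserName']
            AccessMask = ('0x{0:X}' -f $mask)
        }
    }
}

# Every Defender write into a protected path is worth a look ...
$hits | Sort-Object Time | Format-Table -AutoSize

# ... but the same object rewritten repeatedly is the RedSun-shaped signal
$hits | Group-Object Object | Where-Object Count -ge $repeatThreshold |
    ForEach-Object {
        "[REPEATED] $($_.Name) written $($_.Count) times by MsMpEng.exe since $(( $_.Group | Sort-Object Time)[0].Time)"
    }
```

Run it in an elevated PowerShell session, since reading the Security log requires administrator rights. Legitimate Defender writes into `System32` are rare, so even single hits deserve a quick look at what the target file is.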
  2. BlueHammer (CVE-2026-33825): The TOCTOU That Escalated to SYSTEM
    BlueHammer, now tracked as CVE-2026-33825 (CVSS 7.8), was the first of the trio to be disclosed. This LPE vulnerability resides in the Windows Update Agent COM interface and is triggered by a pending Defender signature update. The exploit uses a classic Time-of-Check to Time-of-Use (TOCTOU) race condition, leveraging an oplock on a Volume Shadow Copy Service (VSS) snapshot mount. This stalls a Defender thread running at SYSTEM level, allowing an attacker to manipulate the state of a file and hijack the privileged execution path.

    How It Works (High-Level): By creating a race condition between the time Defender checks a file’s security and when it acts on it, the attacker redirects the update mechanism to execute arbitrary code with SYSTEM privileges.

Detection:

  1. Look for unusual VSS snapshot creation/deletion events (Event ID 8224, 12289) originating from non-backup software.
  2. Monitor for processes creating oplocks on system directories. A tool like `Sysinternals Handle` or `Process Monitor` can be used.
  3. Hunt for the specific enumeration commands used by attackers pre-exploit: `whoami /priv`, `cmdkey /list`, `net group`.

Post-Mitigation Verification:

```powershell
# Check if the April 2026 patch (KB5053660 or similar) is installed
Get-HotFix -Id KB5053660 -ErrorAction SilentlyContinue
wmic qfe list brief | findstr "KB5053660"
# Verify Defender engine and platform version
# (the call operator is required to run an executable from a quoted path)
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -version
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion, AntivirusSignatureVersion
```

3. UnDefend: A Denial-of-Service Against Your Primary Defense

Unlike the previous two, UnDefend is not a privilege escalation flaw but a potent Denial-of-Service (DoS) vulnerability. It allows an unprivileged local user to permanently halt Microsoft Defender definition updates. While Microsoft officially states there is “no way to block Microsoft Defender updates,” UnDefend demonstrates a method that does exactly that. By disabling updates, an attacker can ensure that their malware remains undetected by older signatures, significantly increasing the longevity of a compromise.

How It Works (High-Level): The exact technical details are still emerging, but the exploit likely abuses the Windows Update service permissions or the Defender update scheduling mechanism to disable the update task or corrupt the update channel.

Detection:

  1. Monitor for sudden, unexplained changes to the `Microsoft Antimalware Scheduled Scan` task.
  2. Alert on Event ID 1015 (Microsoft Antimalware has encountered an error trying to update signatures).
  3. Map these alerts to MITRE ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools) so that tampering with the security stack is tracked as such in your SIEM.

Defensive Hardening (PowerShell):

```powershell
# Re-enable Defender scheduled tasks if disabled
Get-ScheduledTask -TaskName "Microsoft Antimalware Scheduled Scan" | Enable-ScheduledTask
# Force an immediate signature update
Update-MpSignature
# Set Tamper Protection via Registry (requires reboot)
# Note: when Tamper Protection is already on, Defender refuses this write;
# the supported way to manage it is the Windows Security app, Intune or ConfigMgr.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 5
```
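The detection bullets and the hardening commands above each check one symptom. As an added example (not code from the original post), the following script combines them into a single health check for the state UnDefend leaves behind: stale signatures, Tamper Protection or real-time protection off, any Defender scheduled task disabled, the update-error event the post cites (ID 1015), and whether a manual `Update-MpSignature` still succeeds. It queries the real task folder `\Microsoft\Windows\Windows Defender\` rather than a single task name, so it also catches tasks you did not think to list. The signature-age threshold is an assumed policy value, and Event ID 2001 (Defender's documented "security intelligence update failed" event) is included alongside the post's 1015.

```powershell
# Added example, not from the original post. Run elevated.
$maxSignatureAgeDays = 2   # assumed policy threshold, not a Microsoft default
$findings = @()

# 1. Defender status: signature age, tamper protection, real-time protection
$status = Get-MpComputerStatus
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) day(s) old (last update $($status.AntivirusSignatureLastUpdated))"
}
if (-not $status.IsTamperProtected)          { $findings += 'Tamper Protection is not active' }
if (-not $status.RealTimeProtectionEnabled)  { $findings += 'Real-time protection is disabled' }

# 2. Any disabled task in the Defender task folder is suspicious on a managed endpoint
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -ErrorAction SilentlyContinue |
    Where-Object State -eq 'Disabled' |
    ForEach-Object { $findings += "Scheduled task disabled: $($_.TaskName)" }

# 3. Update-error events in the Defender operational log over the last 24 h
#    1015 is the ID cited in the post; 2001 is Defender's "security intelligence update failed"
$updErrors = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = @(1015, 2001)
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue
if ($updErrors) {
    $byId = ($updErrors | Group-Object Id | ForEach-Object { "$($_.Count)x ID $($_.Name)" }) -join ', '
    $findings += "Update-related error events in the last 24 h: $byId"
}

# 4. Can the host still update right now? A persistent failure here, with no
#    network cause, is the condition UnDefend is described as producing.
try {
    Update-MpSignature -ErrorAction Stop
    $findings += 'Manual Update-MpSignature succeeded'
}
catch {
    $findings += "Manual Update-MpSignature FAILED: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

A host that reports a failed manual update together with a disabled task or a tamper-protection change should be treated as a tampering incident rather than an update glitch, and the process-creation hunt further down can then be used to find who touched it.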

4. The Full Attack Chain and Hunt Methodology

Threat intelligence from Huntress shows that these exploits are being actively chained together in the wild. A typical attack flow from April 10th onward looks like this:
1. Initial Access: Attacker gains a low-privilege foothold via phishing or a dropper.
2. Enumeration: Runs `whoami /priv`, `cmdkey /list`, and `net group` to understand the environment.
3. Defense Evasion: Executes the UnDefend PoC to halt Defender signature updates, preventing detection of later tools.
4. Privilege Escalation: Executes BlueHammer (or the newer RedSun) to gain `NT AUTHORITY\SYSTEM` privileges.
5. Post-Exploitation: Dumps credentials, installs backdoors, or moves laterally.

IOCs to Hunt for:

  • Process creation events for `mpcmdrun.exe -RemoveDefinitions` or `-SignatureUpdate` with unusual arguments.
  • Parent-child process relationships where `msmpeng.exe` spawns a `cmd.exe` or `powershell.exe`.
  • File creation in `C:\ProgramData\Microsoft\Windows Defender\LocalCopy\` or similar staging directories.
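The BlueHammer detection list, the enumeration step of the attack chain and the IOC list above all come down to process-creation telemetry. As an added example (not code from the original post), the following hunt makes one pass over Security Event ID 4688 and applies four rules to each event: the enumeration trio (`whoami /priv`, `cmdkey /list`, `net group`), shadow-copy creation from a parent that is not backup tooling, `mpcmdrun.exe` invoked with `-RemoveDefinitions` or `-SignatureUpdate`, and `msmpeng.exe` spawning a shell. It assumes Audit Process Creation is enabled together with the "Include command line in process creation events" policy; without the latter the `CommandLine` field is empty and only the image and parent checks can fire. The backup-tool pattern and the look-back window are assumptions for illustration.

```powershell
# Added example, not from the original post. Run elevated.
$since  = (Get-Date).AddDays(-7)      # assumed look-back window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue

# Each rule receives the parsed 4688 fields and returns $true on a hit
$rules = @(
    @{ Name = 'Pre-exploit enumeration (whoami /priv, cmdkey /list, net group)'
       Test = { param($f) $f.CommandLine -match 'whoami\s+/priv|cmdkey\s+/list|\bnet1?\s+group\b' } },
    @{ Name = 'Shadow copy creation outside backup tooling'
       Test = { param($f) ($f.CommandLine -match 'vssadmin\s+create\s+shadow|shadowcopy\s+call\s+create|\bdiskshadow\b') -and
                           ($f.ParentName -notmatch 'wbengine|backup') } },   # assumed backup-tool pattern
    @{ Name = 'MpCmdRun definition tampering'
       Test = { param($f) ($f.NewProcessName -match '\\mpcmdrun\.exe$') -and
                           ($f.CommandLine -match '-RemoveDefinitions|-SignatureUpdate') } },
    @{ Name = 'Shell spawned by Defender engine'
       Test = { param($f) ($f.ParentName -match '\\msmpeng\.exe$') -and
                           ($f.NewProcessName -match '\\(cmd|powershell|pwsh)\.exe$') } }
)

$hits = foreach ($e in $events) {
    # Extract EventData fields; 4688 uses NewProcessName, ParentProcessName,
    # CommandLine and SubjectUserName
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $fields = [pscustomobject]@{
        NewProcessName = [string]$d['NewProcessName']
        ParentName     = [string]$d['ParentProcessName']
        CommandLine    = [string]$d['CommandLine']
        User           = [string]$d['SubjectUserName']
    }
    foreach ($r in $rules) {
        if (& $r.Test $fields) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Rule        = $r.Name
                User        = $fields.User
                Process     = $fields.NewProcessName
                Parent      = $fields.ParentName
                CommandLine = $fields.CommandLine
            }
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A scheduled `-SignatureUpdate` from the Defender task itself will also match the third rule, so judge those hits by the parent process and the user context; the same low-privilege user showing up in the enumeration rule and then in a Defender-tampering rule within minutes is the chain the Huntress report describes.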

What Undercode Say

  • Microsoft’s Disclosure Policy is Fueling the Fire: The researcher’s decision to publicly drop three 0-days in two weeks was a direct response to frustration with Microsoft’s coordinated vulnerability disclosure process. This incident will force a long-overdue industry conversation about researcher relations and responsible disclosure timelines.
  • Defender is No Longer a “Set and Forget” Solution: These exploits, particularly UnDefend, demonstrate that Microsoft’s built-in AV cannot be solely trusted to defend itself. Organizations must implement additional layers of monitoring, such as EDR, to watch for tampering with the security stack itself. Relying solely on Defender’s default configuration in a modern, high-stakes environment is a significant risk.

Prediction

This series of leaks will likely accelerate a “tribal knowledge” shift in the threat actor community. Expect to see weaponized versions of these exploits incorporated into major penetration testing frameworks (e.g., Cobalt Strike, Metasploit) within the next 30-60 days. This will lower the barrier to entry for less-skilled attackers, leading to a surge in opportunistic attacks using these LPEs. Consequently, Microsoft will be forced to issue an out-of-band (OOB) emergency patch for RedSun and UnDefend, likely within the next two weeks, as the risk of widespread exploitation becomes too great to ignore for their Patch Tuesday cycle.


Reported By: Usman Sikander13 – Hackers Feeds