RedSun Exploit: How Hackers Abuse Windows Defender to Gain SYSTEM Privileges – and How to Stop It + Video

By /

Listen to this Post

Featured Image

Introduction

A proof-of-concept (PoC) exploit named RedSun was recently released on GitHub, demonstrating a local privilege escalation from a non‑privileged user to SYSTEM on Windows by abusing Microsoft Defender Antivirus’s detection engine. The attack forces Defender to detect an EICAR test string, then leverages that detection to overwrite a critical system file (TieringEngineService.exe) via a race condition and oplock, ultimately achieving arbitrary file write with elevated privileges.

Learning Objectives

  • Understand the technical mechanism behind the RedSun exploit (race condition, oplock, Defender detection abuse)
  • Implement KQL‑based detection queries to identify suspicious file creations and named pipe activity
  • Apply mitigation strategies including SmartScreen hardening, folder permission reviews, and EDR behavioral rules

You Should Know

1. Anatomy of the RedSun Exploit – Step‑by‑Step

The exploit works by forcing Windows Defender to act on a malicious file that the attacker controls. Below is the core workflow:

  1. Trigger a Defender detection – The attacker writes a file containing the EICAR test string into %AppData%\Local\Temp\RS-. This causes Defender to quarantine the file.
  2. Abuse the detection callback – Defender’s internal process attempts to move the detected file to quarantine. The exploit sets an oplock (opportunistic lock) on the target system file `C:\Windows\System32\TieringEngineService.exe` before Defender overwrites it.
  3. Race condition – By controlling the timing, the attacker redirects Defender’s write operation to overwrite `TieringEngineService.exe` with arbitrary content (e.g., a malicious DLL or executable).
  4. SYSTEM privilege execution – `TieringEngineService.exe` runs as NT AUTHORITY\SYSTEM. After overwriting it, the attacker can trigger its execution (e.g., via service start) to gain full system control.

Verification commands (Windows – admin not required for the vulnerable step):

 Check if TieringEngineService.exe exists and its permissions
icacls C:\Windows\System32\TieringEngineService.exe

List running instances (requires admin)
sc query TieringEngineService

Monitor file system changes (Sysinternals Process Monitor recommended)
procmon.exe /AcceptEula /BackingFile C:\temp\Log.pml
  1. Detection Using KQL – Queries from the Post

The original author released two KQL detection queries. Use these in Microsoft Sentinel or Defender for Endpoint (MDE) Advanced Hunting.

Detection 1: Named Pipe Abuse

RedSun creates a named pipe for synchronization. Run this query to detect suspicious pipe names:

DeviceEvents
| where ActionType == "PipeEvent"
| extend PipeName = tostring(parse_json(AdditionalFields).PipeName)
| where PipeName contains @"\RS-"
| project Timestamp, DeviceName, AccountName, PipeName, InitiatingProcessCommandLine

Detection 2: TieringEngineService Created in AppData

The exploit may drop a copy of the service binary into a user‑writable location:

DeviceFileEvents
| where FolderPath contains @"\AppData\Roaming"
| where FileName == "TieringEngineService.exe"
| project Timestamp, DeviceName, AccountName, FolderPath, InitiatingProcessCommandLine

Detection 3: EICAR File Creation in Temp (baseline)

DeviceFileEvents
| where FolderPath contains @"\Temp\RS-"
| where FileName has_any ("eicar", "test")

3. Mitigation – Hardening Windows Defender & SmartScreen

Because the exploit relies on the victim running the compiled PoC executable, proactive controls can block or limit it.

  • Enable SmartScreen for App & Web – SmartScreen (both app reputation and web protection) will warn or block the download/execution of the known malicious hash 57A70C383FEB9AF60B64AB6768A1CA1B3F7394B8C5FFDBFAFC8E988D63935120.
  • Block EICAR‑based detections from triggering file overwrite – This is not directly configurable, but you can restrict write permissions to `C:\Windows\System32` for non‑admin users using Windows Defender Application Control (WDAC) or AppLocker.
  • Set Group Policy to prevent non‑admin users from starting the Tiering Engine Service: 
    Computer Configuration > Windows Settings > Security Settings > System Services > TieringEngineService → Startup: Disabled

PowerShell to review vulnerable folder permissions:

 Check ACL of the Temp\RS- folder (created by exploit)
$path = "$env:LOCALAPPDATA\Temp\RS-"
if (Test-Path $path) { Get-Acl $path | fl } else { Write-Host "Folder not present" }
  1. Simulating the Attack for Testing (Authorized Environment Only)

To validate your detections, you can compile and run the RedSun PoC in an isolated lab.

  1. Download the PoC from the original GitHub (use the full link after redirect: `https://github.com/jkerai1/RedSun` – note that the post’s LinkedIn link resolves there).

2. Compile using Visual Studio (C++ project).

3. Disable SmartScreen temporarily in the lab VM.

  1. Execute as a non‑admin user. If successful, you will see a SYSTEM command prompt.
  2. Verify detection – Check your SIEM/KQL queries for alerts.

Important: The exploit will fail on fully updated MDE environments due to missing `CloudFilterRegisterSyncRoot` availability, but standalone Windows Defender (e.g., on Windows 10/11 Home/Pro without EDR) remains vulnerable.

5. Hardening Against Named Pipe and Oplock Abuse

Named pipes are legitimate IPC mechanisms, but attackers abuse them for synchronization in race conditions. Use Sysmon (Event ID 17, 18) to log pipe creation.

Sysmon configuration snippet to monitor suspicious pipe names:

<Sysmon>
<EventFiltering>
<PipeEvent onmatch="include">
<PipeName condition="contains">RS-</PipeName>
</PipeEvent>
</EventFiltering>
</Sysmon>

To detect oplock requests (advanced), enable kernel callbacks via a minifilter driver or use Process Monitor with a filter:

`Operation contains “FileSystemControl”` and `Detail contains “oplock”`.

  1. Distinguishing MDE from Standalone Defender – A Critical Nuance

As noted in the post, Microsoft Defender for Endpoint (MDE) includes additional sensors and cloud protection that break this exploit. The PoC fails on MDE because `CloudFilterRegisterSyncRoot` (a necessary API) is not available in the advanced hunting context. However, standalone Windows Defender (the AV that ships with consumer Windows) is vulnerable. Organizations using only built‑in Defender without EDR should prioritize detection and mitigation immediately.

Check your environment:

  • Run `Get-MpComputerStatus` in PowerShell. If `AntispywareEnabled` is `True` but no MDE sensor GUID appears in DeviceStatus, you are on standalone Defender.

7. Forensic Indicators and Hunting

Use the following IOCs to hunt for past exploitation:

  • File hashes (original PoC): `57A70C383FEB9AF60B64AB6768A1CA1B3F7394B8C5FFDBFAFC8E988D63935120`
  • File paths created:
    – `%AppData%\Local\Temp\RS-\` (any file containing EICAR)
    – `%AppData%\Roaming\TieringEngineService.exe`
    – Named pipe name pattern: `\\.\pipe\RS-`
    – Event log entries (Windows Event ID 4688) showing execution of `TieringEngineService.exe` from a non‑system path.

PowerShell one‑liner to scan for the suspicious service binary:

Get-ChildItem -Path C:\Users\AppData\Roaming -Filter TieringEngineService.exe -Recurse -ErrorAction SilentlyContinue | ForEach-Object { Get-FileHash $_.FullName -Algorithm SHA256 }

What Undercode Say

  • Key Takeaway 1: RedSun demonstrates that even trusted security components (Defender) can become attack vectors when race conditions and file system operations are not properly hardened.
  • Key Takeaway 2: String‑based detections (e.g., looking for “EICAR”) are trivial to evade; behavioral detection focusing on pipe creation, file overwrite attempts, and service binary placement in user‑writable directories is essential.
  • Analysis: This exploit highlights a recurring class of vulnerabilities – privilege escalation via “living off the land” (LOL) techniques combined with AV engine quirks. While MDE customers are protected, the vast number of home and small‑business users running standalone Defender remain at risk. The attack’s reliance on the EICAR string is a double‑edged sword: it makes the PoC easy to test but also easy to modify (swap the signature). Effective defense requires layering: SmartScreen, WDAC, and continuous KQL hunting. Organizations should treat any detection alert from the provided queries as high severity and immediately investigate for lateral movement or persistence.

Prediction

Within the next six months, we expect to see weaponized variants of RedSun that replace the EICAR string with a benign but Defender‑detectable signature (e.g., a custom malware hash) to evade simple hash‑based blocks. Attackers will integrate the technique into post‑exploitation frameworks like Cobalt Strike or Sliver, offering one‑click SYSTEM escalation on misconfigured Windows endpoints. Consequently, Microsoft will likely patch the race condition by hardening the quarantine path – possibly by validating file handles before overwrite or removing non‑admin write access to TieringEngineService.exe. Until then, blue teams must prioritize deploying the KQL detections and enforcing SmartScreen/AppLocker rules as emergency controls.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Jay Kerai – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: