
Cybersecurity Threat Advisory

A new proof of concept (PoC), RedSun, exploits Windows devices running Microsoft Defender real‑time protection on Windows 10, Windows 11, and Windows Server 2019+. It abuses Defender’s handling of cloud‑tagged files to achieve local privilege escalation to SYSTEM. Read this Cybersecurity Threat Advisory to learn how the PoC works and how to protect your devices.

What is the threat?

RedSun is a local privilege escalation (LPE) vulnerability in Microsoft Defender’s remediation logic for files marked with a cloud tag via the Windows Cloud Files API. Instead of letting Defender safely quarantine or delete the malicious content, attackers can manipulate it into restoring the file to its original protected path using elevated privileges. By combining this behavior with NTFS directory junctions, reparse points, and opportunistic locks (oplocks), attackers can redirect Defender’s privileged write operation to overwrite protected system binaries, such as C:\Windows\System32\TieringEngineService.exe. As a result, the Cloud Files Infrastructure service executes attacker‑controlled code with SYSTEM privileges. This allows low‑privileged users to gain full control of the host, enabling persistence, credential dumping, ransomware deployment, and lateral movement without requiring kernel exploits or administrative rights.

Why is it noteworthy?

This threat is noteworthy because it represents a second Defender‑related LPE PoC released by the same researcher and has already been confirmed exploited in the wild. The attack chain is particularly dangerous because it turns a security product’s cloud file‑handling behavior into a reliable mechanism for SYSTEM‑level execution, significantly broadening the risk across Windows environments that use Defender real‑time protection and Cloud Files or cloud tagging.

What is the exposure or risk?

Microsoft Defender real‑time protection becomes exposed to this flaw when attackers introduce cloud‑tagged files via the Cloud Files API. Security reports confirm that the PoC works on fully patched April 2026 systems and triggers when Defender remediation performs an unvalidated rewrite or restore to the original path.

The immediate risk is local privilege escalation to SYSTEM, which attackers can leverage for complete host compromise, credential theft, persistence, and ransomware or lateral movement. Evidence‑based indicators include Defender events involving cloud‑tagged files, followed by file restoration or overwrite activity, along with execution of overwritten binaries from user‑writable locations under SYSTEM context.

What are the recommendations?

Barracuda recommends the following to mitigate risk:

  • Monitor for active exploitation indicators:
    • Overwrites of C:\Windows\System32\TieringEngineService.exe and SYSTEM‑context execution tied to the Cloud Files Infrastructure service.
    • User-writable staging binaries (e.g., RedSun.exe in Downloads/Pictures).
    • Validate recent Defender cloud-tag alerts followed by restore/overwrite behavior.
  • Apply all Defender/OS updates and, until Microsoft’s fix is available, consider temporarily limiting or disabling those cloud-file features where feasible.
  • Restrict local user write/execute paths, and increase monitoring.
  • Create and rehearse an incident response plan specific to RedSun:
    • Develop an “Outlook-RCE style” playbook that defines containment steps, including isolating suspected hosts.
    • Preserve the malicious email and relevant Outlook/email + endpoint log artifacts.
    • Review patching and escalation procedures.
    • Review telemetry for suspicious mail-triggered or reply-triggered behavior.
    • Rotate and verify credentials as needed upon suspected compromise.
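One way to turn the monitoring items above into a repeatable per-host check, as an added PowerShell triage script that is not part of the advisory or of any Barracuda tooling. It assumes an elevated session on the host being checked and uses Defender's standard 1116 (detection) and 1117 (action taken) operational-log events; the RedSun.exe file name is only the staging artifact named above and is a weak indicator on its own.

```powershell
# Added triage helper (not from the advisory). Run elevated on the host.
$Target   = 'C:\Windows\System32\TieringEngineService.exe'
$findings = @()

# 1. An overwritten service binary no longer carries a valid Microsoft signature.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "Signature check failed on $Target (status: $($sig.Status))"
}

# 2. A junction/reparse point on the target or its parent can redirect a privileged write.
foreach ($p in @($Target, (Split-Path -Path $Target))) {
    $item = Get-Item -LiteralPath $p -Force
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $findings += "Reparse point present at $p"
    }
}

# 3. Staging binaries in user-writable profile folders (name taken from the advisory).
$staging = Get-ChildItem -Path 'C:\Users\*\Downloads', 'C:\Users\*\Pictures' `
    -Filter 'RedSun.exe' -File -ErrorAction SilentlyContinue
foreach ($f in $staging) { $findings += "Staging binary: $($f.FullName)" }

# 4. Recent Defender remediation events to correlate with the file timestamps above.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in ($events | Where-Object { $_.Message -match 'TieringEngineService|Cloud' })) {
    $findings += "Defender event $($e.Id) at $($e.TimeCreated): review for restore/overwrite"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No RedSun indicators found on $env:COMPUTERNAME" }
```

A clean result does not prove the host is unaffected; treat any signature or reparse-point finding as grounds to isolate the host and pull the surrounding Defender and file-system telemetry.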

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Zachary Beaudet

Zachary is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Zachary supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
