The Defender Becomes the Door: BlueHammer (CVE-2026-33825), RedSun, and UnDefend

Aegisbyte Research Team
2026-04-22

Executive Summary

In April 2026, three zero-day vulnerabilities targeting Microsoft Defender, the default endpoint protection platform shipping with every modern version of Windows and protecting an estimated 1.4 billion devices worldwide, were publicly weaponized within days of proof-of-concept release. An independent researcher operating under the aliases Chaotic Eclipse / Nightmare-Eclipse published three standalone tools to GitHub: BlueHammer, RedSun, and UnDefend. Within 48 hours, Huntress Labs and several other MDR providers confirmed operational use by human-operated intrusion sets, most often following compromised SSL-VPN credentials.

The defining property of this exploit family is that it does not rely on a kernel driver, a memory-corruption primitive, a signed-driver BYOVD trick, or administrative privileges. Instead, it abuses the fact that Microsoft Defender runs its file-system operations with SYSTEM privilege and performs those operations on paths that a low-privileged local user can manipulate between check and use. The attacker chains entirely legitimate, documented Windows primitives:

  • Batch opportunistic locks (oplocks) to pause Defender's SYSTEM thread on demand
  • NTFS mount-point reparse points (junctions) to redirect a path after Defender has resolved it
  • Object Manager symbolic links (\??\ namespace) to redirect deeper into the kernel's namespace
  • Cloud Files API (cldapi.dll) to mark files as cloud placeholders that Defender treats with special rollback semantics
  • Volume Shadow Copy Service (VSS) snapshots to obtain stable, readable copies of otherwise locked registry hives
  • COM activation of the Storage Tiers Management service (TieringEngineService.exe) to trigger execution of an attacker-planted binary as SYSTEM

The outcome of the chain:

  • BlueHammer (CVE-2026-33825). Status: patched Apr 14, 2026 (KB5055523 et al.). Primitive: privileged read via TOCTOU + VSS + Object-Manager symlink. Outcome: SAM / SYSTEM / SECURITY hive disclosure → SYSTEM shell via NTLM pass-the-hash.
  • RedSun (no CVE assigned). Status: unpatched as of publication. Primitive: privileged write via Cloud Files rewrite + junction swap. Outcome: overwrite of C:\Windows\System32\TieringEngineService.exe → SYSTEM code execution via COM.
  • UnDefend (no CVE assigned). Status: unpatched. Primitive: staging-directory / service-status locks in user mode. Outcome: silent, UI-healthy blockade of Defender's signature + platform updates.

Huntress confirmed all three tools chained in real enterprise intrusions by April 16, 2026. CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities (KEV) catalog within a week. Attackers staged renamed PoC binaries (FunnyApp.exe, RedSun.exe, z.exe) in user-writable directories such as %USERPROFILE%\Pictures or Downloads\<two-letter>\ after logging in over SSL-VPN with stolen credentials.

AegisByte's top-line recommendations

  1. Patch BlueHammer immediately. Verify your Antimalware Platform version is ≥ 4.18.26050.3011 across every endpoint.
  2. Assume RedSun is exploitable on every fully patched endpoint in your fleet. There is no vendor fix as of April 22, 2026.
  3. Baseline C:\Windows\System32\TieringEngineService.exe via SHA-256 file integrity monitoring fleet-wide, and alert on any unexpected change.
  4. Block execution from user-writable directories (%USERPROFILE%\Downloads, Pictures, %TEMP%, %LOCALAPPDATA%, %PROGRAMDATA%\<nonstandard>) using WDAC or AppLocker.
  5. Alert on directory junctions pointing into C:\Windows\System32 or into \Device\HarddiskVolumeShadowCopyN\… created from a standard-user-integrity process.
  6. Monitor Defender update health independent of the Defender UI. Signature age > 48 hours on a reachable host is a first-class alert condition, not a cosmetic warning.
  7. Correlate defenses at the network layer. If RedSun or UnDefend have neutralized or blinded Defender on a host, EDR telemetry from that host cannot be trusted.
  8. Treat a single confirmed SSL-VPN credential compromise as a SYSTEM-level event on every host the credential can reach.

Disclosure Context

Windows Defender is not an optional add-on. Since Windows 10, it has been the default, kernel-integrated antivirus for the overwhelming majority of Windows hosts, including Windows 11 and Windows Server 2019 through 2025. Defender runs as MsMpEng.exe, a Protected Process Light (PPL) service with SYSTEM privilege. Its job is to read, scan, and, when necessary, write, quarantine, or restore files on behalf of the operating system's trust boundary. Every one of those file operations is performed as NT AUTHORITY\SYSTEM against paths that, in many cases, a non-privileged user can influence.

For years, the security community (notably James Forshaw at Google Project Zero) has published research on the symlink-race class of vulnerabilities: when a privileged process naïvely resolves a path that an unprivileged user controls, that user can redirect the privileged operation to a different target by swapping in an NTFS junction, an Object Manager symbolic link, or a hard link between the check and the use. Defender is uniquely exposed to this class because it is supposed to touch files all over the filesystem: user directories, cloud-sync folders, system paths. The very mandate that makes it useful makes it a rich attack surface.

Timeline

  • Early April 2026: The researcher publishes BlueHammer (FunnyApp.cpp) to GitHub, framing the release as a protest against prior MSRC dismissals.
  • ~April 10, 2026: First observed in-the-wild exploitation of BlueHammer reported to Huntress Labs.
  • April 14, 2026: Microsoft issues a cumulative Antimalware Platform update addressing BlueHammer. Credit is given to Zen Dodd, Yuanpei XU, and others. The fix ships as part of the Defender engine update, not a standalone OS patch, which means endpoints with a functioning Defender update pipeline receive it automatically, and endpoints whose pipeline has been interfered with (e.g., by UnDefend) do not.
  • April 15, 2026: The researcher publishes RedSun (RedSun.cpp), explicitly positioning it as a bypass of the BlueHammer patch. Will Dormann and other independent researchers confirm successful exploitation on fully patched Windows 10 and 11 systems.
  • April 16, 2026: Huntress Labs publishes telemetry confirming RedSun operational use following SSL-VPN credential compromise at multiple customers.
  • April 17, 2026: Blackswan Cybersecurity issues a formal threat advisory marking RedSun and UnDefend as critical active threats.
  • April 18–22, 2026: Vectra AI, securityonline.info, and others publish independent analyses. CISA adds CVE-2026-33825 to the KEV catalog.

The compressed window, roughly ten days from public PoC to mass exploitation, is itself a finding. The modern vulnerability lifecycle no longer offers the weeks or months between disclosure and in-the-wild use that blue teams historically planned around.

Threat Landscape, Why the AV Engine is the Juiciest Target

April 2026 continues a trend from 2024–2025 in which logical vulnerabilities in high-privilege user-mode services, not kernel memory-corruption bugs, dominate the Windows local privilege-escalation landscape. The highest-value LPE primitives on a modern Windows host are no longer in ntoskrnl.exe; they are in privileged services that freely touch files and registry keys on behalf of SYSTEM. Windows Update, the Installer, the diagnostic hub, the cloud-sync engine, Windows Error Reporting, and now Defender itself, are, from an attacker's perspective, more reliable than any kernel exploit because they do not require bypasses of Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), or kernel Control Flow Guard.

Defender has three properties no other privileged service combines:

  1. It reads and writes on paths influenced by unprivileged users (temp directories, user profiles, cloud-sync folders).
  2. It runs as SYSTEM with PPL, making its threads both unusually powerful and unusually hard for defenders to introspect.
  3. It has remediation semantics (quarantine, rollback, restore) that explicitly involve moving or rewriting files, creating natural write-primitive surfaces.

Business-impact framing for CISOs

The exploit chain falsifies three assumptions many organizations bake into their risk model:

  • "If Defender is reporting healthy, the host is protected." UnDefend falsifies this. Defender reports healthy while its definitions age silently.
  • "A non-admin user cannot escalate to SYSTEM without chaining a public kernel CVE." BlueHammer and RedSun falsify this. No kernel exploit, no admin rights, no driver signing.
  • "EDR telemetry from the host is a reliable source of truth about the host." Once SYSTEM is obtained, the attacker is inside the same trust boundary as the EDR agent.

The chain converts any stolen low-privilege credential (a help-desk account, a contractor, an SSL-VPN login) into an effective SYSTEM-capable foothold on every domain-joined machine that credential can reach.

Microsoft Defender Architecture Primer

Defender's runtime consists of, at minimum:

  • MsMpEng.exe, the Antimalware Service Executable. Runs as SYSTEM, PPL, under the WinDefend service. Hosts the real-time scanning engine (mpengine.dll), signature matching, remediation, and cloud lookup.
  • MpCmdRun.exe, command-line utility for signature updates, scheduled scans, log rotation.
  • NisSrv.exe, the Network Inspection Service.
  • SecurityHealthService.exe / SecurityHealthSystray.exe, user-facing status reporting.
  • Cloud Files Infrastructure (cldflt.sys, cldapi.dll), not strictly Defender, but deeply involved in cloud-tagged remediation.
  • TieringEngineService.exe, Storage Tiers Management; runs as SYSTEM, activated on demand via COM, and is the specific binary RedSun overwrites.

The Antimalware Service is trusted to open any file for read, write to C:\ProgramData\Microsoft\Windows Defender\, restore or roll back files on cloud-remediation requests, and execute its own helper binaries with SYSTEM privileges. Each of those trusted operations is a potential gadget if path handling is not bulletproof.

The real-time remediation path

  1. The kernel filter driver (WdFilter.sys) intercepts the I/O.
  2. The engine in MsMpEng.exe inspects the file and consults the signature set.
  3. If remediation is required, it chooses: quarantine, delete, or, for cloud-tagged files, rewrite/restore the file to its original location with elevated privileges.
  4. The remediation action is performed by the SYSTEM-privileged engine thread using kernel-mode file primitives, against a path that the user-mode process originally controlled.

Step 4 is where the TOCTOU window lives. Between the engine's decision to act on "the file at path X" and the actual write to X, an unprivileged user can interpose an NTFS junction or Object Manager symlink to redirect X somewhere else.

PPL implications

MsMpEng.exe runs as PPL, so even administrative user-mode processes cannot inject code into it, read its memory via OpenProcess with PROCESS_VM_READ, or debug it. Once an attacker has converted Defender's privileged write into an overwrite of TieringEngineService.exe, defenders cannot introspect MsMpEng.exe to understand what it did without booting into WinRE or similar offline analysis.

Windows Primitives Weaponized by the Chain

Each of the three tools recombines the same five primitives. Defenders who internalize them will recognize not only this chain but future variants.

  1. Batch oplock. Windows facility: FSCTL_REQUEST_BATCH_OPLOCK via DeviceIoControl. Attack role: pause privileged thread on demand.
  2. NTFS junction. Windows facility: IO_REPARSE_TAG_MOUNT_POINT via FSCTL_SET_REPARSE_POINT. Attack role: redirect directory resolution.
  3. Object Manager symlink. Windows facility: NtCreateSymbolicLinkObject, \??\ namespace. Attack role: redirect kernel namespace resolution.
  4. VSS snapshot. Windows facility: \Device\HarddiskVolumeShadowCopyN. Attack role: expose otherwise locked hives for read.
  5. Cloud Files placeholder. Windows facility: CfRegisterSyncRoot, CfCreatePlaceholders. Attack role: trigger privileged rewrite remediation.

A batch oplock is a cache-coherency mechanism whose attacker-useful property is that when another process attempts to access the file, the kernel pauses the accessor and notifies the oplock holder via asynchronous I/O completion. The holder performs arbitrary work while the accessor is frozen, then releases the lock when ready. Oplocks are not malicious per se; SMB clients, editors, and indexers use them legitimately. But a batch oplock requested by a non-privileged user-mode process on a file that triggers AV scanning is, in enterprise EDR telemetry, extremely rare. This is a first-class detection opportunity.

An NTFS junction is a directory-level reparse point that transparently redirects file-system requests to another directory. Critically, junctions can be created by any user on directories the user owns; they do not require SeCreateSymbolicLinkPrivilege. That property is precisely what makes them a weapon against privileged services.

All five primitives are legitimate, documented, supported Windows features. The vulnerability is in how Defender composes them, not in the primitives themselves.

BlueHammer (CVE-2026-33825), Technical Deep Dive

Microsoft's official description

From the MSRC advisory:

"Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally."

  • CVSS v3.1 Base Score: 7.8 (Important)
  • Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CWE: CWE-1220 (Insufficient Granularity of Access Control)
  • Affected component: Microsoft Antimalware Platform
  • Affected versions: Antimalware Platform ≤ 4.18.26020.6
  • Fixed in: Antimalware Platform 4.18.26050.3011 (April 14, 2026)
  • Exploitation status at patch release: Active in the wild
  • Microsoft-credited researchers: Zen Dodd, Yuanpei XU, et al. (Chaotic Eclipse / Nightmare-Eclipse claims independent prior reporting that was dismissed; this is disputed.)

Root cause

BlueHammer is a classic TOCTOU race in Defender's signature-update / remediation workflow. When Defender (as SYSTEM) performs a file operation on a path inside a user-writable staging area, the path is resolved before the oplock's break is processed and used afterwards. Between the two, the user replaces the staging directory with a junction to a directory they do not have permission to read, and installs an Object Manager symlink that further redirects into a VSS snapshot. Defender's resulting privileged read lands on a registry hive (SAM, SYSTEM, SECURITY) inside the VSS snapshot, and the read content is observable by the attacker through a side channel.

The researcher's published filestoleak[] array in FunnyApp.cpp shows self-imposed restraint: only the SAM hive is enabled by default, with SYSTEM and SECURITY commented out. With the full set enabled, the attacker obtains SAM (local NT hashes), SYSTEM (bootkey), and SECURITY (LSA secrets), sufficient for offline NTLM hash cracking, pass-the-hash to local admin on other hosts, and extraction of cached domain credentials, DPAPI master keys, and service-account credentials.

Attack flow

  1. Locate a VSS snapshot containing a recent copy of C:\Windows\System32\config\SAM. On domain-joined and consumer workstations this is almost always present due to System Restore, VSS daily schedules, or the shadow copy taken before the last Windows Update.
  2. Stage a bait file under the user profile that will trigger Defender (e.g., containing an EICAR string). Defender does not need to be deceived about the payload's nature; it only needs to open the file as SYSTEM.
  3. Request a batch oplock on the bait file with FILE_FLAG_OVERLAPPED.
  4. Wait for Defender to access the bait file. With RTP enabled, this typically happens within milliseconds.
  5. The kernel pauses Defender's thread on the oplock break and signals the attacker's OVERLAPPED event. The attacker is now inside a deterministic race window.
  6. The attacker swaps the reparse points:
    • Rename the bait directory aside.
    • Create a new directory at the same name.
    • Install a mount-point reparse point pointing into \??\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Windows\System32\config.
    • Install an Object Manager symlink that pins the final target to \??\GLOBALROOT\...\SAM.
  7. Close the oplock handle. Defender's paused thread resumes and completes its I/O on the redirected path, reading SAM from the VSS snapshot under SYSTEM privilege.
  8. Recover the content Defender read, either by observing Defender's subsequent remediation write to a user-controlled path or via a secondary channel the PoC sets up.
  9. Offline: impacket's secretsdump.py or equivalent parses the hives to emit NT hashes, bootkey, LSA secrets, cached domain credentials.
  10. Pass-the-hash or crack-and-replay to obtain SYSTEM on this or neighboring hosts.

Representative PoC excerpts (restraint version)

We reproduce only non-load-bearing excerpts sufficient for detection engineers to recognize the pattern in source-level artifacts.

Target-selection array (verbatim from the public repo, preserved to aid IOC fidelity):

CPP
const wchar_t* filestoleak[] = {
    L"\\Windows\\System32\\Config\\SAM"
    /*, L"\\Windows\\System32\\Config\\SYSTEM"
    ,   L"\\Windows\\System32\\Config\\SECURITY" */
};

The commented-out entries are the author's self-imposed restraint. A derivative that uncomments them is strictly more dangerous and should be considered an evolution of the same family.

Oplock request (pattern, not literal):

CPP
HANDLE hBait = CreateFileW(baitPath,
    GENERIC_READ | GENERIC_WRITE,
    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
    NULL, OPEN_EXISTING,
    FILE_FLAG_OVERLAPPED, NULL);

OVERLAPPED ov = { 0 };
ov.hEvent = CreateEventW(NULL, FALSE, FALSE, NULL);

DeviceIoControl(hBait,
    FSCTL_REQUEST_BATCH_OPLOCK,
    NULL, 0, NULL, 0, NULL, &ov);

WaitForSingleObject(ov.hEvent, INFINITE);

Reparse-swap (pattern, condensed):

CPP
RemoveDirectoryW(baitDir);
CreateDirectoryW(baitDir, NULL);

HANDLE hDir = CreateFileW(baitDir,
    GENERIC_WRITE | FILE_WRITE_ATTRIBUTES,
    0, NULL, OPEN_EXISTING,
    FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT,
    NULL);

REPARSE_DATA_BUFFER rdb = { 0 };
rdb.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
// PathBuffer: \??\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...
DeviceIoControl(hDir, FSCTL_SET_REPARSE_POINT,
    &rdb, /* size */, NULL, 0, NULL, NULL);

Exploitation prerequisites

  • A standard local user account (any group membership).
  • Defender real-time protection enabled (default).
  • At least one VSS snapshot present (System Restore, backup tooling, or Windows Update rollback points satisfy this on virtually all installs).
  • An unpatched Antimalware Platform (≤ 4.18.26020.6).

No network connectivity, no admin rights, no prior elevation, no kernel vulnerability.

Why the patch works, and why it is narrow

Public reverse-engineering of the patch indicates the fix revalidates the target path after oplock release and rejects paths that traverse a reparse point added during the window. This is not a structural fix to the TOCTOU class of bug in Defender's I/O, it is a tactical fix to this particular flow, which is why RedSun, targeting a different flow, remains exploitable.

RedSun, Technical Deep Dive (Unpatched)

Author's framing

The RedSun.cpp repository README states, in paraphrase:

"When Windows Defender realizes that a malicious file has a cloud tag … the antivirus, which would normally quarantine or delete the file, decides that it is a good idea to just rewrite the file it found again to its original location. This unvalidated write, from SYSTEM, is the entire vulnerability."

Where BlueHammer is a privileged read primitive, RedSun is a privileged write primitive. The target of the write is C:\Windows\System32\TieringEngineService.exe. Once that binary is overwritten, COM-activating the Storage Tiers Management service (CLSID {50d185b9-fff3-4656-92c7-e4018da4361d}) executes attacker code as SYSTEM.

Why the BlueHammer patch does not fix RedSun

The BlueHammer patch closed the TOCTOU window in Defender's signature-update / VSS-adjacent flow. RedSun uses Defender's Cloud Files remediation flow, a structurally different code path that performs its own file rewrite under SYSTEM privilege and does not share the patched path-resolution logic. A true fix for RedSun requires either (a) removing or substantially constraining Defender's "rewrite the file to its original location" behavior for cloud-tagged remediation targets, (b) applying the same post-oplock revalidation to this flow, or (c) running the rewrite under an impersonated user token rather than SYSTEM. None of these are in the April 14 patch.

Attack flow

  1. Create a working directory %TEMP%\RS-{GUID}\.
  2. Stage a bait file named TieringEngineService.exe whose content contains a reversed EICAR string. The name is chosen so that when Defender's rewrite is redirected into System32, the overwrite targets the real system binary.
  3. Register a Cloud Files sync root via CfRegisterSyncRoot with a provider name the PoC supplies (public variants have used strings like SERIOUSLYMSFT). Create a placeholder-backed file covering the bait file via CfCreatePlaceholders.
  4. Reverse the EICAR string at runtime and write it into the bait file. This triggers Defender RTP.
  5. Request a batch oplock on the bait file.
  6. Defender's SYSTEM thread opens the file; oplock breaks.
  7. Inside the break window, the PoC renames the working directory aside, recreates it as a mount-point reparse point targeting C:\Windows\System32\, and arranges the attacker payload bytes to be what Defender "restores" via the cloud-remediation rewrite.
  8. Close the oplock handle. Defender resumes and performs its cloud-remediation rewrite, which now lands, through the junction, on C:\Windows\System32\TieringEngineService.exe, overwriting the legitimate system binary with attacker payload. The write is performed by SYSTEM. ACLs on System32 do not stop it because the writer is SYSTEM.
  9. The PoC instantiates a COM object that activates the Storage Tiers Management service. services.exe launches TieringEngineService.exe, now the attacker's payload, under LocalSystem.
  10. The payload spawns conhost.exe (or any chosen follow-on) as a SYSTEM-integrity process.

RedSun.cpp function-level map

  • ShadowCopyFinderThread(): enumerates VSS snapshot device names via NtOpenDirectoryObject / NtQueryDirectoryObject.
  • DoCloudStuff(): calls CfRegisterSyncRoot, creates placeholders, wires the oplock.
  • LaunchConsoleInSessionId(): duplicates the SYSTEM token acquired after overwrite and starts conhost.exe in the interactive session, giving the attacker a visible SYSTEM shell.
  • IsRunningAsLocalSystem(): self-check to avoid re-exploiting after success.
  • LaunchTierManagementEng(): instantiates the COM class for the Storage Tiers engine, causing SCM to launch TieringEngineService.exe.
  • RetrieveCurrentVSSList() / DestroyVSSNamesList(): helper enumeration and cleanup.
  • rev(): runtime string-reversal helper for the EICAR payload to avoid static detection of the EICAR sequence in the binary.

Windows APIs invoked

  • Native: NtOpenDirectoryObject, NtQueryDirectoryObject, NtCreateFile, NtSetInformationFile
  • File system: CreateFileW, DeviceIoControl, CreateNamedPipe, GetNamedPipeServerSessionId
  • Tokens: OpenProcessToken, DuplicateTokenEx, SetTokenInformation, CreateProcessAsUserW
  • Cloud Files: CfRegisterSyncRoot, CfConnectSyncRoot, CfCreatePlaceholders, CfUpdateSyncProviderStatus
  • Reparse: FSCTL_SET_REPARSE_POINT, FSCTL_REQUEST_BATCH_OPLOCK

RedSun remains 100% reliable on fully patched Windows 10 and 11 as of the publication date.

UnDefend, Defense-Evasion / Denial-of-Service

UnDefend is a ~452-line C++ tool that, running as a standard user, progressively blinds Defender while its UI continues to report "healthy." It does not elevate privileges; its job is to keep Defender's definitions and platform binaries stale so that freshly published signatures, including, notably, the BlueHammer patch, never reach the endpoint.

UnDefend stacks four independent locking mechanisms:

  1. ReadDirectoryChangesW locks on the signature-update staging directory (C:\ProgramData\Microsoft\Windows Defender\Definition Updates\). The handle is opened with share modes that hold the directory in a state the update engine cannot atomically swap.
  2. Service status notifications on WinDefend and related services, creating subscription locks that prevent clean service state transitions during platform updates.
  3. File locks on backup copies of definition files so that the engine's fallback/rollback logic loops when it tries to reconcile staging state.
  4. A MRTWorkerThread-style worker that repeatedly invokes the Malicious Software Removal Tool code path, keeping engine threads busy and eating the time window when updates would otherwise apply.

None of the four mechanisms requires administrative privileges. None of them modifies Defender configuration. None of them disables the service. The Defender UI, driven by SecurityHealthService.exe and the signature-freshness heuristics, continues to report green for a significant window while the protection surface silently decays. On unpatched hosts, this window is all the attacker needs to drop BlueHammer or RedSun and complete the chain.

Implication for defenders: signature age is not a cosmetic metric. Signature age > 48 hours on a reachable host is a first-class alert condition.

The Combined Attack Chain

Observed Huntress/Vectra pattern:

  1. Initial access via SSL-VPN (commonly FortiGate) using purchased or harvested credentials.
  2. PoC drop: renamed binaries (FunnyApp.exe, RedSun.exe, z.exe) land in %USERPROFILE%\Pictures, Downloads\<2-char>\, or %TEMP%.
  3. UnDefend first to block the BlueHammer patch from arriving on hosts not yet updated.
  4. BlueHammer (if unpatched) for rapid credential harvest, or RedSun (always) for SYSTEM code execution on patched hosts.
  5. Credential dump via offline parsing of leaked hives, or direct SYSTEM-integrity follow-on: lsass dumping, ntds.dit staging on domain controllers, Kerberoasting, pass-the-hash lateral movement.
  6. Ransomware staging or persistent backdoor deployment at SYSTEM integrity, often with tamper-protection of the overwritten TieringEngineService.exe for persistence across reboots.

Detection Engineering

Behavioral indicators (high-signal)

  • Directory junction with reparse tag IO_REPARSE_TAG_MOUNT_POINT created by a medium-integrity process whose target path begins with \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy or resolves inside C:\Windows\System32.
  • Batch oplock request (FSCTL_REQUEST_BATCH_OPLOCK) from a non-system process on a file in a user profile directory that subsequently triggers MsMpEng.exe activity.
  • SHA-256 change on C:\Windows\System32\TieringEngineService.exe without a corresponding Windows Update transaction in CBS.log / setupapi.dev.log.
  • CfRegisterSyncRoot call from a non-Microsoft, non-signed sync provider, especially with bespoke provider strings (e.g., SERIOUSLYMSFT) or anomalous ProviderId GUIDs.
  • Defender signature age > 48h on a host with reachable update connectivity, coincident with standard-user processes holding handles on Definition Updates\* or MpCmdRun.exe restart-loops.
  • COM activation of the Storage Tiers Management class (CLSID_StorageTiersManagement, {50d185b9-fff3-4656-92c7-e4018da4361d}) initiated by a user-session process rather than by the storage stack.

Example Sigma rule (junction into System32 from user context)

YAML
title: NTFS Mount-Point Junction Targeting System32 From Standard User
id: 9b2f4e7d-redsun-junction
status: experimental
description: Detects creation of an NTFS mount-point reparse point whose
  target path traverses into C:\Windows\System32 from a process running
  at medium integrity. Associated with BlueHammer/RedSun TOCTOU chains.
logsource:
  product: windows
  category: file_event
detection:
  selection:
    EventID: 4663
    ObjectType: File
    AccessMask: '0x100'  # FILE_WRITE_ATTRIBUTES, the access FSCTL_SET_REPARSE_POINT requires
    # 4663 records the path the handle was opened on, not the reparse target; the
    # GLOBALROOT term below only fires when the target path itself is opened, so pair
    # this rule with reparse-point telemetry that carries the target (see indicators above).
    ObjectName|contains:
      - '\\Windows\\System32'
      - '\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
  filter_system:
    SubjectUserSid|startswith: 'S-1-5-18'  # exclude SYSTEM
  condition: selection and not filter_system
level: high
tags:
  - attack.privilege_escalation
  - attack.t1548

Example KQL (Microsoft Defender for Endpoint)

KQL
DeviceFileEvents
| where FileName =~ "TieringEngineService.exe"
| where FolderPath contains "\\Windows\\System32\\"
| where ActionType in ("FileCreated", "FileModified")
// Do not filter on the account: the RedSun overwrite is performed by Defender's engine
// as SYSTEM. Exclude only the servicing stack; any other writer is the signal.
| where InitiatingProcessFileName !in~ ("TiWorker.exe", "TrustedInstaller.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessAccountName, SHA256, FolderPath

Example YARA rule (detect PoC-family strings and API fingerprints)

YARA
rule RedSun_BlueHammer_PoC_Family_2026
{
  meta:
    author = "AegisByte Research"
    description = "Heuristic match for Chaotic Eclipse / Nightmare-Eclipse PoC family"
    date = "2026-04-22"
    severity = "critical"
  strings:
    $cf1 = "CfRegisterSyncRoot" ascii
    $cf2 = "CfCreatePlaceholders" ascii
    // The two macro names below match source files, debug builds or string-embedded
    // binaries only; a release build carries the numeric FSCTL/tag values instead.
    $oplock = "FSCTL_REQUEST_BATCH_OPLOCK" ascii
    $reparse = "IO_REPARSE_TAG_MOUNT_POINT" ascii
    $vss = "HarddiskVolumeShadowCopy" ascii wide
    $tier = "TieringEngineService.exe" ascii wide
    $provider1 = "SERIOUSLYMSFT" ascii wide
    $filestoleak = "filestoleak" ascii
  condition:
    uint16(0) == 0x5A4D and
    filesize < 4MB and
    (
      (3 of ($cf1, $cf2, $oplock, $reparse) and ($tier or $vss)) or
      ($provider1 or $filestoleak)
    )
}

Splunk hunt for stale Defender signatures

index=endpoint sourcetype=WinEventLog:Microsoft-Windows-Windows_Defender/Operational EventCode=2000
| stats latest(_time) as last_sig_update by host
| eval sig_age_hours = (now() - last_sig_update) / 3600
| where sig_age_hours > 48
| table host, sig_age_hours, last_sig_update

Only Event ID 2000 (definitions updated successfully) should advance last_sig_update. Event ID 2001 records a failed definition update and 2002 an engine update; counting either would hide exactly the stall UnDefend produces.

Mitigation & Hardening Recommendations

  • Patch BlueHammer. Verify Antimalware Platform ≥ 4.18.26050.3011 across the fleet. For air-gapped or update-stalled hosts, stage the platform update manually via MpCmdRun.exe -SignatureUpdate and verify the version in Windows Security → Virus & threat protection → Protection updates.
  • Baseline TieringEngineService.exe with a fleet-wide SHA-256 capture. File Integrity Monitoring on that specific path is mandatory.
  • Enable Sysmon with at least Event IDs 11 (FileCreate), 15 (FileCreateStreamHash), 22 (DNSQuery), and 26 (FileDeleteDetected). Ensure config captures System32\Tiering*.
  • Application allow-listing via WDAC or AppLocker that denies execution from %USERPROFILE%\Downloads, %USERPROFILE%\Pictures, %TEMP%, %LOCALAPPDATA%\Temp, and non-standard subdirectories of %PROGRAMDATA%.
  • Deploy the Sigma/KQL/YARA rules in this document (or equivalents) and tune over 72 hours of baseline traffic.
  • Instrument Defender update freshness as a monitoring metric, alerting on signature age > 48 hours.
  • Enforce SSL-VPN MFA on every account; revoke long-lived local accounts permitted to VPN in.
  • Layered defense independent of the endpoint agent. Assume a compromised Defender cannot detect its own compromise; add NDR, identity-plane detection (AD, Entra), and cloud-workload monitoring to stitch a cross-domain picture.
  • Credential-theft resistance: Credential Guard, LSA Protection (RunAsPPL), LAPS for local administrator accounts, disabling NTLM where feasible, and constraining cached credentials.
  • Offline backups that survive a SYSTEM-integrity compromise, i.e., write-once media or immutable cloud object storage with IAM policies that the endpoint cannot modify.
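
Fleet triage for recommendations 1, 2, 3 and 6 above (platform version at or past the BlueHammer fix, TieringEngineService.exe baseline match, signature freshness, and RedSun exposure on every host). This is an added example, not Aegisbyte's tooling; the host records are constructed, and in practice the fields would come from Get-MpComputerStatus (AMProductVersion, AntivirusSignatureLastUpdated) and a Get-FileHash sweep of System32.

```python
from datetime import datetime, timezone

FIXED_PLATFORM = "4.18.26050.3011"   # Antimalware Platform carrying the BlueHammer fix (Apr 14, 2026)
MAX_SIG_AGE_HOURS = 48


def parse_version(v: str):
    """'4.18.26020.6' -> (4, 18, 26020, 6). Compare as integers, never as strings."""
    return tuple(int(part) for part in v.strip().split("."))


def bluehammer_exposed(platform_version: str) -> bool:
    return parse_version(platform_version) < parse_version(FIXED_PLATFORM)


def triage_host(host: dict, baseline_tiering_sha256: str, now: datetime):
    """Return the findings for one host record, most severe posture first."""
    findings = ["redsun_exposed"]   # no vendor fix as of April 22, 2026: applies to every host
    if bluehammer_exposed(host["platform_version"]):
        findings.append("bluehammer_exposed")
    if host["tiering_sha256"].lower() != baseline_tiering_sha256.lower():
        findings.append("tiering_hash_mismatch")   # treat as SYSTEM-compromised (IR trigger)
    age_h = (now - host["last_signature_update"]).total_seconds() / 3600
    if age_h > MAX_SIG_AGE_HOURS:
        findings.append(f"signatures_stale:{age_h:.0f}h")   # UnDefend-style stall suspected
    return findings


UTC = timezone.utc
NOW = datetime(2026, 4, 22, 12, 0, tzinfo=UTC)
BASELINE = "a" * 64   # constructed stand-in for the fleet-wide SHA-256 baseline
FLEET = [             # constructed host records
    {"host": "WS01", "platform_version": "4.18.26050.3011", "tiering_sha256": "a" * 64,
     "last_signature_update": datetime(2026, 4, 22, 6, 0, tzinfo=UTC)},
    {"host": "WS02", "platform_version": "4.18.26020.6", "tiering_sha256": "a" * 64,
     "last_signature_update": datetime(2026, 4, 19, 9, 0, tzinfo=UTC)},   # patch never arrived
    {"host": "WS03", "platform_version": "4.18.26050.3011", "tiering_sha256": "b" * 64,
     "last_signature_update": datetime(2026, 4, 22, 6, 0, tzinfo=UTC)},   # binary replaced
]


def triage_fleet():
    return {h["host"]: triage_host(h, BASELINE, NOW) for h in FLEET}
```

A string comparison would rank "4.18.9999.1" above the fixed version; the integer tuple comparison does not.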

Incident-response triggers

If any of the following are observed, treat the host as SYSTEM-compromised and initiate the IR playbook:

  • Unexplained SHA-256 change on TieringEngineService.exe.
  • Junction created from a user-integrity process that targets System32 or a VSS device path.
  • Defender signature age > 48 hours with concurrent user-mode handles on Definition Updates\*.
  • Presence of FunnyApp.exe, RedSun.exe, or renames thereof in user-writable directories.

Broader Implications

These incidents represent a structural shift in endpoint security: the built-in AV engine itself is now the most reliable privileged file read/write primitive on the operating system. The implications extend well beyond this specific family:

  • Monoculture risk. Defender's default ubiquity means any new variant in this class is immediately relevant to a very large fraction of the Windows install base. Diversity of endpoint agents, once decried as a management cost, is beginning to look like a resilience property.
  • Disclosure tensions. The researcher's decision to release PoCs publicly after perceived MSRC dismissal is a pattern we expect to recur. The gap between "reported" and "patched" is now, for a motivated researcher with public platform, a negotiation conducted in the open.
  • The end of "in-host telemetry is sufficient." If SYSTEM is obtainable by a standard user, no single-host EDR agent can be trusted as the sole source of truth for that host's integrity.
  • Copycats and variants. The primitive set (oplock + junction + VSS + Cloud Files + COM) is reusable. Expect derivatives targeting other SYSTEM-integrity services (Windows Update, Installer, Storage Sense, Search) within months.

Conclusion & AegisByte Recommendations

BlueHammer is mitigated for hosts running the April 14 Antimalware Platform update. RedSun and UnDefend remain unpatched and actively exploited as of April 22, 2026. The three tools together expose persistent design flaws in Defender's I/O model: its SYSTEM-privileged file operations are composed over user-influenced paths without sufficient post-oplock revalidation, and its remediation semantics include rewrite primitives that should not run as SYSTEM against attacker-influenced locations.

Organizations cannot wait for patches. The operational stance that protects today is: assume compromise, verify controls, and stitch detection across layers that do not share the endpoint agent's trust boundary.

AegisByte's veteran-led red-team and offensive-security services now include controlled simulation of these exact attack chains for defensive validation, with deliverables including the detection rules published above, fleet-wide baselines for TieringEngineService.exe, and tabletop exercises that rehearse the full chain from SSL-VPN compromise to SYSTEM on a domain-joined workstation.
