Analytics Story: RedSun
Description
Detect activity associated with the RedSun exploit. Released by Nightmare-Eclipse on GitHub alongside BlueHammer and UnDefend, it is part of a set of attacks that abuse Windows Defender to disrupt the system or elevate privileges.
Why it matters
RedSun is a zero-day LPE vulnerability in Microsoft Defender that allows a low-privileged user to gain full NT AUTHORITY\SYSTEM access without any kernel exploit or administrator interaction. It abuses a logic flaw in how Defender handles cloud-tagged files during remediation — when Defender detects a malicious file carrying a cloud tag, it attempts to restore the file to its original location rather than quarantine it, running that restore operation with full SYSTEM privileges without validating whether the target path has been tampered with. An attacker redirects that write via an NTFS junction into C:\Windows\System32, dropping an attacker-controlled binary and executing it as SYSTEM through a COM service invocation — never touching credentials.
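The chain above ends with a SYSTEM-privileged Defender process creating an attacker-controlled binary inside C:\Windows\System32, which is exactly the event the Sysmon EventID 11 (FileCreate) data source below can surface. The following detector is an added example, not code from this analytics story or from the RedSun repository. It parses constructed Sysmon-style FileCreate records (invented sample lines, not real telemetry) and flags executable files created under System32 by the Defender antimalware engine; the engine's location under C:\ProgramData\Microsoft\Windows Defender\Platform\ is an assumption made for the example.

```python
"""Flag Defender-engine writes of executables into C:\\Windows\\System32.

Added example for the RedSun analytics story; not the story's own search
logic. Sample events are constructed, and the Defender engine path prefix
is an assumption.
"""
from typing import Dict, Iterable, List

# Constructed Sysmon records in key=value form, one event per line. Only the
# fields the rule needs (EventID, UtcTime, Image, TargetFilename, User) are
# present. These are invented lines, not captured telemetry.
SAMPLE_EVENTS = [
    "EventID=11|UtcTime=2024-01-01 10:00:01|Image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe|TargetFilename=C:\\Windows\\System32\\example_drop.dll|User=NT AUTHORITY\\SYSTEM",
    "EventID=11|UtcTime=2024-01-01 10:00:02|Image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe|TargetFilename=C:\\Users\\alice\\Downloads\\sample.txt|User=NT AUTHORITY\\SYSTEM",
    "EventID=11|UtcTime=2024-01-01 10:00:03|Image=C:\\Windows\\System32\\svchost.exe|TargetFilename=C:\\Windows\\System32\\config\\cache.tmp|User=NT AUTHORITY\\SYSTEM",
    "EventID=1|UtcTime=2024-01-01 10:00:04|Image=C:\\Windows\\System32\\cmd.exe|User=DESKTOP\\alice",
]

# Assumption: the Defender antimalware engine runs from the platform folder.
DEFENDER_PLATFORM_PREFIX = "c:\\programdata\\microsoft\\windows defender\\platform\\"
SYSTEM32_PREFIX = "c:\\windows\\system32\\"
# Extensions that would be loadable/executable if dropped into System32.
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".ocx", ".cpl")


def norm_path(path: str) -> str:
    """Normalise a Windows path: case-fold, unify separators, drop \\\\?\\ prefix."""
    path = path.replace("/", "\\").lower()
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return path


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value|key=value record into a dict; unknown chunks are ignored."""
    fields: Dict[str, str] = {}
    for chunk in line.split("|"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_defender_system32_drop(event: Dict[str, str]) -> bool:
    """True when a FileCreate event shows the Defender engine writing an
    executable into System32, the final step of the RedSun chain."""
    if event.get("EventID") != "11":
        return False
    image = norm_path(event.get("Image", ""))
    target = norm_path(event.get("TargetFilename", ""))
    return (
        image.startswith(DEFENDER_PLATFORM_PREFIX)
        and target.startswith(SYSTEM32_PREFIX)
        and target.endswith(EXECUTABLE_EXTENSIONS)
    )


def find_alerts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the rule over raw records and return one alert per matching event."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        event = parse_event(line)
        if is_defender_system32_drop(event):
            alerts.append({
                "time": event.get("UtcTime", ""),
                "image": event.get("Image", ""),
                "file": event.get("TargetFilename", ""),
                "user": event.get("User", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['time']} {alert['image']} created {alert['file']} as {alert['user']}")
```

Only the first sample line fires: the second is a Defender write outside System32, the third is a System32 write by a non-Defender process, and the fourth is not a FileCreate event at all. In production, baseline what the engine legitimately writes under System32 on your fleet before alerting, and pair this with the Sysmon EventID 1 / Security 4688 sources listed below to catch the subsequent SYSTEM-level execution of the dropped binary.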
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 10 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 7 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 15 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
References
- https://github.com/Nightmare-Eclipse/RedSun
- https://www.huntress.com/blog/nightmare-eclipse-intrusion
Source: GitHub | Version: 1