RedSun PoC Uses Windows Defender Tag to Overwrite Files and Escalate Privileges
The RedSun proof-of-concept shows that when Windows Defender acts on a file carrying a cloud-based detection tag, it may write the file back to its original location instead of quarantining it, which lets a local attacker overwrite system files and gain administrator privileges.
The RedSun project describes a zero-day local privilege escalation (LPE) vulnerability in Windows Defender.
When Defender acts on a file flagged through its cloud-based detection service, it can write the detected file back to its original path rather than moving it to quarantine.
The PoC turns this write-back into a file-overwrite primitive: the attacker supplies a payload carrying the cloud detection tag, and Defender, whose engine runs as SYSTEM, writes it over a critical system file at a location the attacker could not write to directly. When that file is later loaded by a privileged process, the attacker's code runs with administrator rights.
Because the overwrite is performed by a trusted, privileged component, the technique reaches privilege escalation without a separate exploit chain.
The full proof‑of‑concept and details are available at the GitHub repository: https://github.com/Nightmare-Eclipse/RedSun.
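The page describes the primitive but gives no host-side check. The following PowerShell is an added example, not code from the RedSun repository or its author: it hunts the Defender operational event log for remediation (Event ID 1117) and restore-from-quarantine (Event ID 1009) records whose target path lies under a protected system directory, which is where a write-back of this kind would leave a trace. The regexes assume Defender's default message layout ("Path: file:_<path>" and "Action: <verb>" lines); the sample messages at the bottom are constructed, not real log output, so the parser can be run offline.

```powershell
# Added example: hunt the Defender operational log for remediation/restore actions
# whose target path sits under a protected system directory. Assumes the default
# Defender event message layout with "Path: file:_<path>" and "Action: <verb>"
# lines (regex assumption); adjust if your build formats them differently.

$ProtectedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:ProgramFiles"
)

function Get-DefenderPathActions {
    param(
        [Parameter(Mandatory)] [string[]] $Messages,   # raw event Message strings
        [string[]] $Roots = $ProtectedRoots
    )
    foreach ($msg in $Messages) {
        # Defender records the item path as "Path: file:_C:\..." (layout assumption)
        $pathMatch = [regex]::Match($msg, 'Path:\s*file:_([^\r\n;]+)')
        if (-not $pathMatch.Success) { continue }
        $path = $pathMatch.Groups[1].Value.Trim()

        # "Action:" is present on 1117 (remediation) events; may be absent on 1009
        $action = ([regex]::Match($msg, 'Action:\s*([^\r\n]+)')).Groups[1].Value.Trim()

        $hit = $Roots | Where-Object {
            $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if ($hit) {
            [pscustomobject]@{
                Path       = $path
                Action     = $action
                Suspicious = $true   # Defender wrote or restored into a system location
            }
        }
    }
}

function Invoke-DefenderRestoreHunt {
    param([int] $MaxEvents = 500)
    # 1009 = item restored from quarantine, 1117 = remediation action taken
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1009, 1117
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if ($events) {
        Get-DefenderPathActions -Messages ($events | ForEach-Object Message)
    }
}

# Constructed sample messages (not real log output) to exercise the parser offline.
$sample = @(
    "Microsoft Defender Antivirus has taken action to protect this machine.`r`n`tName: Trojan:Win32/Sample`r`n`tPath: file:_C:\Users\bob\Downloads\payload.exe`r`n`tAction: Quarantine",
    "Microsoft Defender Antivirus has restored an item from quarantine.`r`n`tName: Trojan:Win32/Sample`r`n`tPath: file:_C:\Windows\System32\sample.dll`r`n`tAction: Restore"
)

# Only the second record is flagged: its path is under System32.
Get-DefenderPathActions -Messages $sample | Format-Table -AutoSize

# On a live host, run: Invoke-DefenderRestoreHunt | Format-Table -AutoSize
```

Treat any hit under System32, SysWOW64 or Program Files as worth a manual look: a legitimate quarantine of a file that already lived there is possible, but a restore or write-back of a cloud-tagged item into one of those paths, by a process that would otherwise be SYSTEM, is exactly the pattern the PoC relies on.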
