<![CDATA[From the same author as BlueHammer we now have RedSun.]]>From the same author as BlueHammer we now have RedSun.

This works 100% reliably to go from unprivileged user to SYSTEM against Windows 11 and Windows Server with April 2026 updates, as well as Windows 10, as long as you have Windows Defender enabled.

Link Preview ImageLink Preview ImageLink Preview Image
]]>https://board.circlewithadot.net/topic/e40e16a1-7954-4794-9b49-e29b9652f8d7/from-the-same-author-as-bluehammer-we-now-have-redsun.RSS for NodeFri, 15 May 2026 05:00:51 GMTThu, 16 Apr 2026 02:27:28 GMT60<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 16:01:34 GMT]]>Interestingly, a good chunk of the [(12/73) AV detections on VT](https://www.virustotal.com/gui/file/d84250e2ad053ab4097d0591933935573e4cab3e975360004a126abc102dc6f6 for this RedSun.exe exploit are due to the EICAR part being detected, despite the string being reversed in the code. (note: this reversal apparently does nothing to prevent EICAR detection in the AV engines on VT)

If we make the EICAR string less obvious (encrypted), the detections drop to 5.

Defender currently doesn't detect the exploit in either case.

Link Preview ImageLink Preview Image
]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116415220573435813https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116415220573435813Thu, 16 Apr 2026 16:01:34 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 15:49:05 GMT]]>@wdormann ๐Ÿ˜ญ

]]>https://board.circlewithadot.net/post/https://cyberplace.social/users/qdkp/statuses/116415171470053525https://board.circlewithadot.net/post/https://cyberplace.social/users/qdkp/statuses/116415171470053525Thu, 16 Apr 2026 15:49:05 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 15:47:24 GMT]]>@qdkp
People don't use OneDrive intentionally, do they? ๐Ÿ˜‚

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116415164878499235https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116415164878499235Thu, 16 Apr 2026 15:47:24 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 15:33:57 GMT]]>@wdormann Thank you. Blocking cldapi.dll using AppLocker works though that will break OneDrive and stuff like that.

]]>https://board.circlewithadot.net/post/https://cyberplace.social/users/qdkp/statuses/116415111992305979https://board.circlewithadot.net/post/https://cyberplace.social/users/qdkp/statuses/116415111992305979Thu, 16 Apr 2026 15:33:57 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 13:31:09 GMT]]>@wdormann Yeah, this worked fine. As did the exploit. Thanks for your help! (And for anyone else reading this, the keyboard shortcut to "just compile, don't run" is ctrl-shift-b)

]]>https://board.circlewithadot.net/post/https://chaos.social/users/christopherkunz/statuses/116414629134895796https://board.circlewithadot.net/post/https://chaos.social/users/christopherkunz/statuses/116414629134895796Thu, 16 Apr 2026 13:31:09 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 12:45:42 GMT]]>@christopherkunz
TBH, for code that doesn't include a .SLN file, I usually have minimal luck compiling it straight-up with cl.exe

In this case, I simply made a new Visual Studio 2022 project for a console app, and then replaced the .CPP file contents with what's in the GitHub repo. There are a slew of warnings, but it compiles.

<snip>
1>C:\Users\test\source\repos\test\test\test.cpp(431,11): warning C4267: 'initializing': conversion from 'size_t' to 'int', possible loss of data
1>C:\Users\test\source\repos\test\test\test.cpp(694,49): warning C4267: '=': conversion from 'size_t' to 'ULONG', possible loss of data
1>C:\Users\test\source\repos\test\test\test.cpp(696,92): warning C4267: 'argument': conversion from 'size_t' to 'ULONG', possible loss of data
1>C:\Users\test\source\repos\test\test\test.cpp(714,20): warning C4267: 'initializing': conversion from 'size_t' to 'DWORD', possible loss of data
1>C:\Users\test\source\repos\test\test\test.cpp(736,57): warning C4838: conversion from 'LONG' to 'DWORD' requires a narrowing conversion
1>Generating code
1>Previous IPDB not found, fall back to full compilation.
1>All 27 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
1>Finished generating code
1>test.vcxproj -> C:\Users\test\source\repos\test\x64\Release\test.exe
1>Done building project "test.vcxproj".
========== Build: 1 succeeded, 0 failed, 0 up-to-date, 0 skipped ==========
========== Build completed at 8:43 AM and took 01.818 seconds ==========
]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116414450404941540https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116414450404941540Thu, 16 Apr 2026 12:45:42 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 12:23:36 GMT]]>@wdormann Hey, just so I can learn this: How do I compile RedSun.cpp under Win32 with VS or gcc? I can't seem to include cfapi.h correctly (I have the full win32 sdk under the default location).

]]>https://board.circlewithadot.net/post/https://chaos.social/users/christopherkunz/statuses/116414363489147094https://board.circlewithadot.net/post/https://chaos.social/users/christopherkunz/statuses/116414363489147094Thu, 16 Apr 2026 12:23:36 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 07:28:50 GMT]]>@wdormann

Link Preview Image
]]>https://board.circlewithadot.net/post/https://mastodon.social/users/XC3LL/statuses/116413204443793664https://board.circlewithadot.net/post/https://mastodon.social/users/XC3LL/statuses/116413204443793664Thu, 16 Apr 2026 07:28:50 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 04:27:57 GMT]]>@wdormann Just finished reading through the source, thank you. Much simpler than the first version, and makes the root issue a lot more clear. This is pretty nasty, MS has some serious egg on their faces over this one

]]>https://board.circlewithadot.net/post/https://social.treehouse.systems/users/astraleureka/statuses/116412493150533744https://board.circlewithadot.net/post/https://social.treehouse.systems/users/astraleureka/statuses/116412493150533744Thu, 16 Apr 2026 04:27:57 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 03:03:44 GMT]]>@wdormann ...or like .
https://www.youtube.com/watch?v=s0K-YIL_G5c

]]>https://board.circlewithadot.net/post/https://jorts.horse/users/kkarhan/statuses/116412161984193009https://board.circlewithadot.net/post/https://jorts.horse/users/kkarhan/statuses/116412161984193009Thu, 16 Apr 2026 03:03:44 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 02:58:19 GMT]]>@wdormann I can't wait for this to get 'd like !

- YouTube

Auf YouTube findest du die angesagtesten Videos und Tracks. AuรŸerdem kannst du eigene Inhalte hochladen und mit Freunden oder gleich der ganzen Welt teilen.

favicon

(www.youtube.com)

]]>https://board.circlewithadot.net/post/https://jorts.horse/users/kkarhan/statuses/116412140740203336https://board.circlewithadot.net/post/https://jorts.horse/users/kkarhan/statuses/116412140740203336Thu, 16 Apr 2026 02:58:19 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 02:56:59 GMT]]>@wdormann so basically a "-based -style "privilegue escalation"?
https://www.youtube.com/watch?v=X_9OuDjl97M

]]>https://board.circlewithadot.net/post/https://jorts.horse/users/kkarhan/statuses/116412135458939193https://board.circlewithadot.net/post/https://jorts.horse/users/kkarhan/statuses/116412135458939193Thu, 16 Apr 2026 02:56:59 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 02:47:02 GMT]]>@astraleureka
Yes it uses both.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116412096375694323https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116412096375694323Thu, 16 Apr 2026 02:47:02 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 02:46:46 GMT]]>From the GitHub repo:

When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to it's original location.

This Exploit uses the "Cloud Files API", writes EICAR to a file using it, uses an oplock to win a volume shadow copy race, and uses a directory junction/reparse point to redirect the file rewrite (with new contents) to C:\Windows\system32\TieringEngineService.exe. At this point, the Cloud Files Infrastructure runs TieringEngineService.exe as SYSTEM. Game over.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116412095326913592https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116412095326913592Thu, 16 Apr 2026 02:46:46 GMT<![CDATA[Reply to From the same author as BlueHammer we now have RedSun. on Thu, 16 Apr 2026 02:38:32 GMT]]>@wdormann Does it still depend on VSS and the cloud storage filter subsystem?

]]>https://board.circlewithadot.net/post/https://social.treehouse.systems/users/astraleureka/statuses/116412062907410124https://board.circlewithadot.net/post/https://social.treehouse.systems/users/astraleureka/statuses/116412062907410124Thu, 16 Apr 2026 02:38:32 GMT