May 11, 2026: The Red Sun still prevails.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 20:32:27 GMT

wdormann@infosec.exchange — Tue, 12 May 2026 20:32:27 GMT

@jhr77 @christopherkunz @GossiTheDog
I've not been able to reproduce YellowKey in a VMware Workstation VM.

So either VMware is interfering with the hold CRTL and do NOT lift your finger off it apparently required part of the exploit, or it simply doesn't work.

Even if it did work, I suspect that it'd perhaps only work on systems that don't both with PIN-on-boot protection. Which is sort of known to be not terribly secure.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 20:26:23 GMT

jhr77@mastodon.social — Tue, 12 May 2026 20:26:23 GMT

@christopherkunz @wdormann @GossiTheDog What the h... is that yellowkey? I am a little bit afraid to try it. It sounds that it should be better prepared not on a windows system and tested on a completely separate pc.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 19:52:24 GMT

wdormann@infosec.exchange — Tue, 12 May 2026 19:52:24 GMT

@buherator @christopherkunz @jhr77
Related: In Microsoft's world, CVEs are identifiers for software updates released on Patch Tuesday (or OOB through the same channel), not vulnerabilities. They used to have proprietary identifiers for their software updates, like MS08-067, but when they switched to using CVEs, they didn't switch what the identifiers are for.

As such, I could imagine why they didn't think a CVE was necessary for the vulnerability that allowed the RedSun exploit to work.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 19:47:01 GMT

wdormann@infosec.exchange — Tue, 12 May 2026 19:47:01 GMT

@buherator @christopherkunz @jhr77
Right. There is no official statement that the vulnerability was actually fixed.

I personally believe that it was fixed, as I can no longer reproduce the exploit with updated definitions.

I suspect that others in this thread do not agree with me.

Would be nice to have a definitive answer.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 19:00:50 GMT

buherator@infosec.place — Tue, 12 May 2026 19:00:50 GMT

@wdormann @christopherkunz @jhr77 Vuln mgmt is hard, e.g. how you track patch coverage vs. signature update status? Not that pushing a sig was a bad idea, I'd just expect a KB for this too.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 18:52:17 GMT

wdormann@infosec.exchange — Tue, 12 May 2026 18:52:17 GMT

@buherator @christopherkunz @jhr77
I can't imagine why they'd wait for Patch Tuesday if they already have the path to fix it automatically at any time they want. ‍️

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 18:50:00 GMT

buherator@infosec.place — Tue, 12 May 2026 18:50:00 GMT

@wdormann @jhr77 @christopherkunz I don't see a Defender entry in today's update that also points to this being a signature based mitigation

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 18:18:20 GMT

wdormann@infosec.exchange — Tue, 12 May 2026 18:18:20 GMT

@christopherkunz @jhr77 @GossiTheDog
GreenPlasma prompts for admin creds, so to call it a privilege escalation is a stretch.

As for YellowKey, the writeup is a bit too hand-wavy for me to follow, so I'll leave the repro to somebody else to try.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 18:17:13 GMT

christopherkunz@chaos.social — Tue, 12 May 2026 18:17:13 GMT

@jhr77 @wdormann @GossiTheDog Well, they're certainly pissed at MS: "Microsoft has chosen to make this worst instead of resolving the situation like adults, they pulled every childish game possible. My patience is running out you're making everyone else paying for it."

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 18:13:40 GMT

jhr77@mastodon.social — Tue, 12 May 2026 18:13:40 GMT

@christopherkunz @wdormann @GossiTheDog Has this person also other hobbies than exploiting Windows?

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 17:58:43 GMT

christopherkunz@chaos.social — Tue, 12 May 2026 17:58:43 GMT

@wdormann @jhr77 @GossiTheDog Meanwhile, slightly elsewhere: https://github.com/Nightmare-Eclipse/GreenPlasma
Looking forward to seeing the writeup to this.
https://github.com/Nightmare-Eclipse/YellowKey

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 17:17:26 GMT

christopherkunz@chaos.social — Tue, 12 May 2026 17:17:26 GMT

@wdormann @jhr77 @GossiTheDog OK, I don't get this. I did the following:
1. DISM /Online /Cleanup-Image /RestoreHealth
2. sfc /scannow
3. Checked that the TieringEngineService.exe has two signatures (like in your screenshot) and got replaced properly (as per the log).
4. Rebooted and re-checked if the .exe is still properly signed.
5. Re-Ran RedSun.exe
6. Popped a shell again.
I'm going to boot a clean Win11 VM again.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 17:09:04 GMT

wdormann@infosec.exchange — Tue, 12 May 2026 17:09:04 GMT

@jhr77 @christopherkunz @GossiTheDog
Always revert your VM to a clean state before (and after) testing an exploit.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 17:03:22 GMT

wdormann@infosec.exchange — Tue, 12 May 2026 17:03:22 GMT

@christopherkunz @jhr77 @GossiTheDog
No, Windows does not do periodic filesystem checks to ensure that files have not been corrupted.

It's up to you to run sfc /scannow and associated tools if you think your Windows installation is corrupt.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 16:51:41 GMT

wdormann@infosec.exchange — Tue, 12 May 2026 16:51:41 GMT

@jhr77 @christopherkunz @GossiTheDog
The exploit made no claims about being temporary.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 16:51:19 GMT

jhr77@mastodon.social — Tue, 12 May 2026 16:51:19 GMT

@christopherkunz @wdormann @GossiTheDog same same here. It's getting worse when asking more questions. But it was possible to replace with the original version. Hopefully the system is clean now. Maybe making a scan with the defender...

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 16:31:50 GMT

christopherkunz@chaos.social — Tue, 12 May 2026 16:31:50 GMT

@wdormann @jhr77 @GossiTheDog Yeah, mine is unsigned, so I'm doing the whole dism & sfc routine now to presumably fix it.
I'm a little surprised though: Is this normal behavior that unsigned corrupted executables remain indefinitely in \system32 and aren't detected or removed? Is this something I would have to trigger manually, like an offline scan of sorts?

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 16:28:05 GMT

jhr77@mastodon.social — Tue, 12 May 2026 16:28:05 GMT

@wdormann @christopherkunz @GossiTheDog So this is even worse as this is persistent

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 16:17:16 GMT

wdormann@infosec.exchange — Tue, 12 May 2026 16:17:16 GMT

@jhr77 @christopherkunz @GossiTheDog

Just to be clear, before you attempted the exploit, your C:\Windows\system32\TieringEngineService.exe file had a valid signature?

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 16:04:02 GMT

jhr77@mastodon.social — Tue, 12 May 2026 16:04:02 GMT

@wdormann @christopherkunz @GossiTheDog Hi, today at the first try I had a shell with system rights. So i assume that it worked successfully.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 15:59:14 GMT

wdormann@infosec.exchange — Tue, 12 May 2026 15:59:14 GMT

@christopherkunz @GossiTheDog @jhr77

Though I'll also admit that having Windows Security open seems to indicate that Windows Defender stops when RedSun is attempted.

From the GUI it's merely Threat service has stopped, but in Event viewer we can get more info in that it's Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.

It restarts automatically.

If this is an intentional RedSun fix, I'll say that it's less than ideal.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 15:44:23 GMT

wdormann@infosec.exchange — Tue, 12 May 2026 15:44:23 GMT

@christopherkunz @GossiTheDog @jhr77
Well yep, if you're testing on an already-popped machine, that's an invalid test.

That is, if C:\Windows\system32\TieringEngineService.exe has already been replaced, then the exploit might appear to "work" even when it doesn't.

TieringEngineService.exe is a Windows component. It has nothing to do with Defender, and no Defender update will restore it to its pristine state.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 15:42:40 GMT

christopherkunz@chaos.social — Tue, 12 May 2026 15:42:40 GMT

@wdormann @GossiTheDog @jhr77 I think my TieringEngineService.exe might be permanently patched/replaced with the RedSun copy and none of the definitions updates have cleaned it up.

Reply to May 11, 2026: The Red Sun still prevails. on Tue, 12 May 2026 15:37:16 GMT

christopherkunz@chaos.social — Tue, 12 May 2026 15:37:16 GMT

@wdormann @GossiTheDog @jhr77 Yeah, the first dialog is the detection of EICAR, the second one is the admission of defeat. I get both, and a NT_AUTHORITY shell, on running RedSun.exe.
This is weird, but I suspect we're basically arguing against a ticking clock here. Patch day will land soon and with it, undoubtedly a RedSun mitigation. Actually, let me milk this opportunity for a meme.