May 11, 2026: The Red Sun still prevails.
-
@christopherkunz Possibly the defender then has reached his working temperature...
@jhr77 I retried later during the day yesterday and it seems that the exploit sometimes gets stuck trying to win the race condition, but generally still works even on a "warm" computer.
-
May 11, 2026: The Red Sun still prevails.
However, I noticed something odd. Either this is purely coincidence, or the exploit has less reliability now (?). On a freshly booted system, it works 100%, but after a couple minutes of runtime, it seems that it doesn't always win the race condition (or it takes longer than the usual ~10 seconds).
@christopherkunz maybe it's linked to system load or a half-working patch from MS...
It will be interesting to try out. If I find the time to set-up a VM or are you trying on a physical computer?
br -
@christopherkunz maybe it's linked to system load or a half-working patch from MS...
It will be interesting to try out. If I find the time to set-up a VM or are you trying on a physical computer?
br@jhr77 It works on both, because it's only dependent on Defender and NTFS being available, no physical/hardware constraints as far as I can tell. I suspect it's going away tomorrow, so
a) try it out today, and
b) watch the author's Github tomorrow. -
@jhr77 It works on both, because it's only dependent on Defender and NTFS being available, no physical/hardware constraints as far as I can tell. I suspect it's going away tomorrow, so
a) try it out today, and
b) watch the author's Github tomorrow.@christopherkunz just installing visual studio....
-
@christopherkunz just installing visual studio....
-
May 11, 2026: The Red Sun still prevails.
However, I noticed something odd. Either this is purely coincidence, or the exploit has less reliability now (?). On a freshly booted system, it works 100%, but after a couple minutes of runtime, it seems that it doesn't always win the race condition (or it takes longer than the usual ~10 seconds).
@christopherkunz This is all too simple. Copy.Fail:just execute a python script. RedSun - just compile and run...
-
@christopherkunz @wdormann it worked from the scratch. Just a new project and the cpp file as source. Compile and run...
-
@christopherkunz maybe it's linked to system load or a half-working patch from MS...
It will be interesting to try out. If I find the time to set-up a VM or are you trying on a physical computer?
br@jhr77 @christopherkunz
I suspect that Microsoft pushed out Defender updates that mitigate the exploit.With current definitions, I've not seen RedSun succeed. No matter how long I wait.
With old definitions, success is pretty quick.
-
@jhr77 @christopherkunz
I suspect that Microsoft pushed out Defender updates that mitigate the exploit.With current definitions, I've not seen RedSun succeed. No matter how long I wait.
With old definitions, success is pretty quick.
-
@christopherkunz @wdormann @jhr77 do you have cloud protection turned on?
-
@christopherkunz @wdormann @jhr77 do you have cloud protection turned on?
@GossiTheDog @christopherkunz @jhr77
Cloud-delivered protection?
If so, then yeah, it's on.
It's the same stock Win11 VM that worked in April. Just with Defender updates installed.
-
@christopherkunz @wdormann @jhr77 do you have cloud protection turned on?
@GossiTheDog @wdormann @jhr77 Yes, cloud protection is on. This is a German Win11 Home, I think. After updating to today's definitions and a reboot, RedSun.exe doesn't seem to win the RC anymore, so the reboot was likely necessary to apply the Defender mitigation.
I don't think this is merely a signature update, from what I understood the mitigation requires a core update to Defender. -
@GossiTheDog @wdormann @jhr77 Yes, cloud protection is on. This is a German Win11 Home, I think. After updating to today's definitions and a reboot, RedSun.exe doesn't seem to win the RC anymore, so the reboot was likely necessary to apply the Defender mitigation.
I don't think this is merely a signature update, from what I understood the mitigation requires a core update to Defender.@christopherkunz @GossiTheDog @jhr77
The executable bits for Defender are updated along with sigs. -
@christopherkunz @GossiTheDog @jhr77
The executable bits for Defender are updated along with sigs.@wdormann @GossiTheDog @jhr77 On second attempt, the exploit worked. So whatever MS did, is still not a 100% mitigation. I''ll try again to reproduce what happened.
-
@wdormann @GossiTheDog @jhr77 On second attempt, the exploit worked. So whatever MS did, is still not a 100% mitigation. I''ll try again to reproduce what happened.
@christopherkunz @GossiTheDog @jhr77
When it succeeds, does it happen relatively quickly?I've tried both waiting 10 minutes and have also tried 10 times in a row, and neither strategy is successful on my Win11 VM.
-
@GossiTheDog @christopherkunz @jhr77
Cloud-delivered protection?
If so, then yeah, it's on.
It's the same stock Win11 VM that worked in April. Just with Defender updates installed.@wdormann @GossiTheDog @jhr77 Reboot, log in, win-r, cmd, cd \temp, RedSun.exe, worked on first attempt.
In my last attempt, I had opened the Defender warning popup "defender has found a threat" and I thought I'd triggered some condition for the exploit to work. Seems not, I can still run it.
It succeeds after about 10 seconds. -
@wdormann @GossiTheDog @jhr77 Reboot, log in, win-r, cmd, cd \temp, RedSun.exe, worked on first attempt.
In my last attempt, I had opened the Defender warning popup "defender has found a threat" and I thought I'd triggered some condition for the exploit to work. Seems not, I can still run it.
It succeeds after about 10 seconds.@christopherkunz @GossiTheDog @jhr77
The dialog is the detection of the EICARTieringEngineService.exeand is definitely a part of the successful exploit flow.It's just that at least for me, it never succeeds with updated defs.
️
-
@christopherkunz @GossiTheDog @jhr77
The dialog is the detection of the EICARTieringEngineService.exeand is definitely a part of the successful exploit flow.It's just that at least for me, it never succeeds with updated defs.
️@wdormann @GossiTheDog @jhr77 Yeah, the first dialog is the detection of EICAR, the second one is the admission of defeat. I get both, and a NT_AUTHORITY shell, on running RedSun.exe.
This is weird, but I suspect we're basically arguing against a ticking clock here. Patch day will land soon and with it, undoubtedly a RedSun mitigation. Actually, let me milk this opportunity for a meme.
-
@christopherkunz @GossiTheDog @jhr77
The dialog is the detection of the EICARTieringEngineService.exeand is definitely a part of the successful exploit flow.It's just that at least for me, it never succeeds with updated defs.
️@wdormann @GossiTheDog @jhr77 I think my TieringEngineService.exe might be permanently patched/replaced with the RedSun copy and none of the definitions updates have cleaned it up.
-
@wdormann @GossiTheDog @jhr77 I think my TieringEngineService.exe might be permanently patched/replaced with the RedSun copy and none of the definitions updates have cleaned it up.
@christopherkunz @GossiTheDog @jhr77
Well yep, if you're testing on an already-popped machine, that's an invalid test.That is, if
C:\Windows\system32\TieringEngineService.exehas already been replaced, then the exploit might appear to "work" even when it doesn't.TieringEngineService.exeis a Windows component. It has nothing to do with Defender, and no Defender update will restore it to its pristine state.
