May 11, 2026: The Red Sun still prevails.
-
@christopherkunz @GossiTheDog @jhr77
Well yep, if you're testing on an already-popped machine, that's an invalid test.That is, if
C:\Windows\system32\TieringEngineService.exehas already been replaced, then the exploit might appear to "work" even when it doesn't.TieringEngineService.exeis a Windows component. It has nothing to do with Defender, and no Defender update will restore it to its pristine state.@christopherkunz @GossiTheDog @jhr77
Though I'll also admit that having
Windows Securityopen seems to indicate that Windows Defender stops when RedSun is attempted.From the GUI it's merely
Threat service has stopped, but in Event viewer we can get more info in that it'sMicrosoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.It restarts automatically.
If this is an intentional RedSun fix, I'll say that it's less than ideal.
-
@christopherkunz @GossiTheDog @jhr77
Though I'll also admit that having
Windows Securityopen seems to indicate that Windows Defender stops when RedSun is attempted.From the GUI it's merely
Threat service has stopped, but in Event viewer we can get more info in that it'sMicrosoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.It restarts automatically.
If this is an intentional RedSun fix, I'll say that it's less than ideal.
@wdormann @christopherkunz @GossiTheDog Hi, today at the first try I had a shell with system rights. So i assume that it worked successfully.
-
@wdormann @christopherkunz @GossiTheDog Hi, today at the first try I had a shell with system rights. So i assume that it worked successfully.
@jhr77 @christopherkunz @GossiTheDog
Just to be clear, before you attempted the exploit, your
C:\Windows\system32\TieringEngineService.exefile had a valid signature?
-
@jhr77 @christopherkunz @GossiTheDog
Just to be clear, before you attempted the exploit, your
C:\Windows\system32\TieringEngineService.exefile had a valid signature?@wdormann @christopherkunz @GossiTheDog So this is even worse as this is persistent
-
@jhr77 @christopherkunz @GossiTheDog
Just to be clear, before you attempted the exploit, your
C:\Windows\system32\TieringEngineService.exefile had a valid signature?@wdormann @jhr77 @GossiTheDog Yeah, mine is unsigned, so I'm doing the whole dism & sfc routine now to presumably fix it.
I'm a little surprised though: Is this normal behavior that unsigned corrupted executables remain indefinitely in \system32 and aren't detected or removed? Is this something I would have to trigger manually, like an offline scan of sorts? -
@wdormann @jhr77 @GossiTheDog Yeah, mine is unsigned, so I'm doing the whole dism & sfc routine now to presumably fix it.
I'm a little surprised though: Is this normal behavior that unsigned corrupted executables remain indefinitely in \system32 and aren't detected or removed? Is this something I would have to trigger manually, like an offline scan of sorts?@christopherkunz @wdormann @GossiTheDog same same here. It's getting worse when asking more questions. But it was possible to replace with the original version. Hopefully the system is clean now. Maybe making a scan with the defender...
-
@wdormann @christopherkunz @GossiTheDog So this is even worse as this is persistent
@jhr77 @christopherkunz @GossiTheDog
The exploit made no claims about being temporary. -
@wdormann @jhr77 @GossiTheDog Yeah, mine is unsigned, so I'm doing the whole dism & sfc routine now to presumably fix it.
I'm a little surprised though: Is this normal behavior that unsigned corrupted executables remain indefinitely in \system32 and aren't detected or removed? Is this something I would have to trigger manually, like an offline scan of sorts?@christopherkunz @jhr77 @GossiTheDog
No, Windows does not do periodic filesystem checks to ensure that files have not been corrupted.It's up to you to run
sfc /scannowand associated tools if you think your Windows installation is corrupt.
-
@christopherkunz @wdormann @GossiTheDog same same here. It's getting worse when asking more questions. But it was possible to replace with the original version. Hopefully the system is clean now. Maybe making a scan with the defender...
@jhr77 @christopherkunz @GossiTheDog
Always revert your VM to a clean state before (and after) testing an exploit. -
@jhr77 @christopherkunz @GossiTheDog
Always revert your VM to a clean state before (and after) testing an exploit.@wdormann @jhr77 @GossiTheDog OK, I don't get this. I did the following:
1. DISM /Online /Cleanup-Image /RestoreHealth
2. sfc /scannow
3. Checked that the TieringEngineService.exe has two signatures (like in your screenshot) and got replaced properly (as per the log).
4. Rebooted and re-checked if the .exe is still properly signed.
5. Re-Ran RedSun.exe
6. Popped a shell again.
I'm going to boot a clean Win11 VM again. -
@jhr77 @christopherkunz @GossiTheDog
Always revert your VM to a clean state before (and after) testing an exploit.@wdormann @jhr77 @GossiTheDog Meanwhile, slightly elsewhere: https://github.com/Nightmare-Eclipse/GreenPlasma
Looking forward to seeing the writeup to this.
https://github.com/Nightmare-Eclipse/YellowKey -
@wdormann @jhr77 @GossiTheDog Meanwhile, slightly elsewhere: https://github.com/Nightmare-Eclipse/GreenPlasma
Looking forward to seeing the writeup to this.
https://github.com/Nightmare-Eclipse/YellowKey@christopherkunz @wdormann @GossiTheDog Has this person also other hobbies than exploiting Windows?
-
@christopherkunz @wdormann @GossiTheDog Has this person also other hobbies than exploiting Windows?
@jhr77 @wdormann @GossiTheDog Well, they're certainly pissed at MS: "Microsoft has chosen to make this worst instead of resolving the situation like adults, they pulled every childish game possible. My patience is running out you're making everyone else paying for it."
-
@wdormann @jhr77 @GossiTheDog Meanwhile, slightly elsewhere: https://github.com/Nightmare-Eclipse/GreenPlasma
Looking forward to seeing the writeup to this.
https://github.com/Nightmare-Eclipse/YellowKey@christopherkunz @jhr77 @GossiTheDog
GreenPlasma prompts for admin creds, so to call it a privilege escalation is a stretch.As for YellowKey, the writeup is a bit too hand-wavy for me to follow, so I'll leave the repro to somebody else to try.
-
@jhr77 @christopherkunz
I suspect that Microsoft pushed out Defender updates that mitigate the exploit.With current definitions, I've not seen RedSun succeed. No matter how long I wait.
With old definitions, success is pretty quick.
@wdormann @jhr77 @christopherkunz I don't see a Defender entry in today's update that also points to this being a signature based mitigation -
@wdormann @jhr77 @christopherkunz I don't see a Defender entry in today's update that also points to this being a signature based mitigation
@buherator @christopherkunz @jhr77
I can't imagine why they'd wait for Patch Tuesday if they already have the path to fix it automatically at any time they want.
β
οΈ -
@buherator @christopherkunz @jhr77
I can't imagine why they'd wait for Patch Tuesday if they already have the path to fix it automatically at any time they want.βοΈ@wdormann @christopherkunz @jhr77 Vuln mgmt is hard, e.g. how you track patch coverage vs. signature update status? Not that pushing a sig was a bad idea, I'd just expect a KB for this too. -
@wdormann @christopherkunz @jhr77 Vuln mgmt is hard, e.g. how you track patch coverage vs. signature update status? Not that pushing a sig was a bad idea, I'd just expect a KB for this too.
@buherator @christopherkunz @jhr77
Right. There is no official statement that the vulnerability was actually fixed.I personally believe that it was fixed, as I can no longer reproduce the exploit with updated definitions.
I suspect that others in this thread do not agree with me.
Would be nice to have a definitive answer.
-
@buherator @christopherkunz @jhr77
Right. There is no official statement that the vulnerability was actually fixed.I personally believe that it was fixed, as I can no longer reproduce the exploit with updated definitions.
I suspect that others in this thread do not agree with me.
Would be nice to have a definitive answer.
@buherator @christopherkunz @jhr77
Related: In Microsoft's world, CVEs are identifiers for software updates released on Patch Tuesday (or OOB through the same channel), not vulnerabilities. They used to have proprietary identifiers for their software updates, likeMS08-067, but when they switched to using CVEs, they didn't switch what the identifiers are for.As such, I could imagine why they didn't think a CVE was necessary for the vulnerability that allowed the RedSun exploit to work.
-
@wdormann @jhr77 @GossiTheDog Meanwhile, slightly elsewhere: https://github.com/Nightmare-Eclipse/GreenPlasma
Looking forward to seeing the writeup to this.
https://github.com/Nightmare-Eclipse/YellowKey@christopherkunz @wdormann @GossiTheDog What the h... is that yellowkey? I am a little bit afraid to try it. It sounds that it should be better prepared not on a windows system and tested on a completely separate pc.
