Fortra Intelligence and Research Experts (FIRE) have conducted a detailed analysis of RedSun, the latest proof-of-concept by "Chaotic Eclipse", the same researcher responsible for disclosing BlueHammer. Published in April 2026, RedSun is related to BlueHammer both in origin and technique, abusing Microsoft Defender logic and filesystem timing/path confusion to achieve privilege escalation.
Following the emergence of the "RedSun" vulnerability, we are sharing a technical deep dive into its mechanics. This vulnerability highlights a fascinating class of logical flaws where defensive tools, when interacting with complex operating system features, can be weaponized to compromise the system they are designed to protect.
RedSun is a Local Privilege Escalation (LPE) vulnerability that abuses the interaction between Microsoft Defender, the Windows Cloud Files API (cfapi, implemented in cldapi.dll), and NTFS reparse points to achieve an arbitrary file overwrite. By winning a Time-of-Check to Time-of-Use (TOCTOU) race, an attacker redirects the remediation write of the highly privileged antimalware service onto a critical system binary and ultimately obtains NT AUTHORITY\SYSTEM privileges.
Below is a detailed breakdown of the RedSun exploit chain, the prerequisites for its execution, and the artifacts it leaves behind.
Exploit Execution Chain
The RedSun PoC operates through a sequence of steps designed to bait the antivirus engine, suspend its execution using file locks, and redirect its remediation actions to a protected system directory.
Phase 1: Bait Creation and EICAR Trigger
The exploit begins by creating a temporary working directory (e.g., under %TEMP%). Inside it, the PoC drops a decoy executable named TieringEngineService.exe and writes the standard EICAR antivirus test string into it to guarantee an immediate detection. So that the PoC binary itself does not trip static signature checks, the EICAR string is stored reversed and is un-reversed in memory only just before it is written to disk.
Phase 2: Cloud Files API (CfAPI) Registration
A critical component of this exploit is the abuse of the Windows Cloud Files API. The PoC registers the temporary directory as a Cloud Sync Root (CfRegisterSyncRoot) and connects a callback provider (CfConnectSyncRoot). It then converts the decoy executable into a cloud placeholder file (CfCreatePlaceholders). This mechanism ensures that subsequent interactions with the file by the system can be intercepted and manipulated by the exploit's user-mode callbacks.
Phase 3: Forcing a TOCTOU Window via Oplocks
To open the race window, the exploit takes a batch opportunistic lock (oplock) on the decoy file via FSCTL_REQUEST_BATCH_OPLOCK. When the real-time protection engine opens the newly written EICAR file to scan it, the placeholder's Cloud Files callback fires and the open breaks the oplock. Because a batch oplock break must be acknowledged by its owner, the engine's open request does not complete until the exploit releases the lock, so the privileged scanner thread is parked mid-operation and the exploit controls the length of the Time-of-Check to Time-of-Use (TOCTOU) window.
Phase 4: Path Redirection via Reparse Points
While the antivirus engine is suspended, the exploit dynamically alters the file system structure:
- It renames the original temporary directory (e.g., appending .TMP), moving it out of the original path.
- It recreates a new directory at the exact original path.
- It converts this new directory into an NTFS Mount Point (directory junction) targeting \??\C:\Windows\System32.
Phase 5: Weaponizing the Remediation Process
Once the directory structure is swapped, the exploit releases the oplock and the antivirus engine resumes. It still believes it is remediating a cloud-tagged malicious file under the user's %TEMP% directory, so its remediation logic proceeds to "restore" or overwrite that file to neutralize the threat. The path it uses is now a junction into System32, and the engine runs as NT AUTHORITY\SYSTEM, so the write lands on C:\Windows\System32\TieringEngineService.exe: a legitimate Windows service binary is clobbered by a write whose target the attacker chose through the placeholder and the junction.
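The directory swap in Phase 4 is the part of the chain that generalizes to other targets, so it is reproduced on its own below as an added example; this is not the PoC's code and not taken from the Fortra analysis. It uses a scratch directory under %TEMP% as the stand-in for System32 and a harmless text file as the bait, assumes Windows PowerShell 5.1 or later on Windows (New-Item -ItemType Junction and the LinkType/Target properties on Get-Item are assumed available), and leaves out the oplock and the Defender interaction entirely. The point it shows is that a writer that keeps using the original path ends up writing into the junction target.

```powershell
# Added example, not the RedSun PoC: the Phase 4 directory swap against a scratch
# target instead of C:\Windows\System32. Assumes Windows PowerShell 5.1+ on Windows.
$work   = Join-Path $env:TEMP 'redsun-demo'             # stands in for the bait directory
$target = Join-Path $env:TEMP 'redsun-demo-target'      # stands in for System32
$bait   = Join-Path $work   'TieringEngineService.exe'  # the path a privileged writer keeps using

function Remove-DirOrLink([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-Item -LiteralPath $Path -Force
    if ($item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) {
        # Delete the link itself: Remove-Item -Recurse on a junction can follow it into the target.
        [IO.Directory]::Delete($Path)
    } else {
        Remove-Item -LiteralPath $Path -Recurse -Force
    }
}

# Start from a clean state in case a previous run left anything behind.
$work, "$work.TMP", $target | ForEach-Object { Remove-DirOrLink $_ }

New-Item -ItemType Directory -Path $work, $target | Out-Null
Set-Content -LiteralPath $bait -Value 'decoy content (the PoC writes EICAR here)'
Set-Content -LiteralPath (Join-Path $target 'TieringEngineService.exe') -Value 'original service binary'

'Before swap, reading through the bait path: ' + (Get-Content -LiteralPath $bait)

# Phase 4a: move the real directory aside. In the exploit the scanner's open is parked
# behind the oplock at this point, so renaming its parent goes unnoticed.
Rename-Item -LiteralPath $work -NewName 'redsun-demo.TMP'

# Phase 4b/4c: recreate the original path as a junction into the target. Junctions need
# no special privilege, which is why a standard user can do this.
New-Item -ItemType Junction -Path $work -Target $target | Out-Null
$link = Get-Item -LiteralPath $work -Force
'{0} is now a {1} -> {2}' -f $link.FullName, $link.LinkType, $link.Target

# A privileged writer that still uses the original path now writes into the target.
Set-Content -LiteralPath $bait -Value 'written through the original path'
'After swap, the target file contains: ' + (Get-Content -LiteralPath (Join-Path $target 'TieringEngineService.exe'))

# Clean up: the junction is removed as a link, then the real directories.
$work, "$work.TMP", $target | ForEach-Object { Remove-DirOrLink $_ }
```

Run it as a standard user to confirm that no elevation is needed for any step. The cleanup helper matters in practice: deleting a junction with a recursive Remove-Item has historically recursed into the target, which against the real System32 would be far worse than the demo.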
Phase 6: Privilege Escalation and Execution
With the system file successfully overwritten, the PoC copies its own executable over the newly corrupted TieringEngineService.exe. It then initializes COM and invokes a specific COM class ({50d185b9-fff3-4656-92c7-e4018da4361d}) associated with the Tiering Management Engine. This triggers the Service Control Manager to start the overwritten service as NT AUTHORITY\SYSTEM. Upon execution in the SYSTEM context, the payload duplicates a privileged token, assigns it to the active user session, and spawns an interactive console (conhost.exe), granting the attacker full administrative control.
Environmental Prerequisites and Failure Conditions
For RedSun to execute successfully, several environmental factors must align:
- Active Real-Time Protection: The antivirus engine must be running, scanning file creation events, and configured to automatically remediate or quarantine threats.
- Cloud Files API Availability: The system must ship the Cloud Files API (cldapi.dll, header cfapi.h; available on Windows 10 version 1709 / Windows Server 2016 and later) and allow standard users to register sync roots and create placeholders with it, which is the default because sync clients such as OneDrive run in the user's context.
- Unrestricted Mount Points: The exploit relies on the ability of a standard user to create directory junctions pointing to privileged locations like C:\Windows\System32.
- Service Overwrite Viability: The target service (TieringEngineService.exe) must not be actively locked or running in a way that prevents the AV engine from obtaining write access during its remediation phase.
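The following script checks the prerequisites above on a host. It is an added example, not part of the Fortra analysis or the PoC, and assumes Windows PowerShell 5.1 or later with the Defender module (Get-MpComputerStatus) present, and that the Storage Tiers Management service is registered under the service name TieringEngineService. Run it as the standard user whose exposure you are assessing, not as an administrator, so the junction probe reflects what an unprivileged account can actually do.

```powershell
# Added example (not Fortra's or the PoC's code): audit the RedSun prerequisites.
# Assumes Windows PowerShell 5.1+ with the Defender module; run as a standard user.
function Test-RedSunPrerequisites {
    $result = [ordered]@{}

    # 1. Real-time protection present and enabled.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.AntivirusEnabled    = [bool]($mp -and $mp.AntivirusEnabled)
    $result.RealTimeProtection  = [bool]($mp -and $mp.RealTimeProtectionEnabled)

    # 2. Cloud Files API shipped on this build (cldapi.dll; the header is cfapi.h).
    $result.CloudFilesApiPresent = Test-Path -LiteralPath (Join-Path $env:SystemRoot 'System32\cldapi.dll')

    # 3. Can this account create a junction whose target is System32? The probe mirrors
    #    the exploit's junction and is removed as a link, never touching the target.
    $probe = Join-Path $env:TEMP ('junction-probe-' + [guid]::NewGuid())
    try {
        New-Item -ItemType Junction -Path $probe -Target (Join-Path $env:SystemRoot 'System32') -ErrorAction Stop | Out-Null
        $result.CanJunctionToSystem32 = $true
    } catch {
        $result.CanJunctionToSystem32 = $false
    } finally {
        if (Test-Path -LiteralPath $probe) { [IO.Directory]::Delete($probe) }
    }

    # 4. Target binary: present, still carrying a valid Microsoft signature, and the
    #    service's current state (a running service holds the image open).
    $bin = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'
    $result.TargetBinaryPresent = Test-Path -LiteralPath $bin
    if ($result.TargetBinaryPresent) {
        $sig = Get-AuthenticodeSignature -FilePath $bin
        $result.TargetBinarySignature = $sig.Status.ToString()
        $result.TargetBinarySigner    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
    $svc = Get-Service -Name TieringEngineService -ErrorAction SilentlyContinue
    $result.TargetServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    [pscustomobject]$result
}

Test-RedSunPrerequisites | Format-List
```

A host where every line reads True/Valid/Stopped meets all four conditions. The signature check doubles as a post-incident check: a TieringEngineService.exe whose signature status is anything other than Valid, or whose signer is not Microsoft, has been replaced.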
Detection Observables
Defenders can detect RedSun and similar logical exploitation techniques by monitoring for the following behavioral anomalies:
- Suspicious CfAPI Usage: Monitor for unexpected or unauthorized processes registering Cloud Sync Roots via CldApi.dll, especially from binaries executing out of %TEMP% or %APPDATA%.
- Oplock and Junction Combinations: Alert on sequences where a process requests a batch Oplock on a file, followed immediately by the deletion/renaming of its parent directory and the creation of a mount point targeting critical system paths (C:\Windows\System32, C:\Program Files).
- AV Process Anomalies: Monitor EDR telemetry for instances where the Antimalware Service Executable (MsMpEng.exe or equivalent) performs write or overwrite operations on known system binaries inside C:\Windows\System32.
- EICAR paired with Service Modifications: The presence of EICAR alerts (often dismissed as testing) occurring milliseconds before unexpected changes to system services or COM object instantiations should be treated as highly suspicious.
- Named Pipe Anomalies: Look for unauthorized named pipes, such as \??\pipe\REDSUN, being created or accessed by SYSTEM-level processes spawning interactive shells (conhost.exe, cmd.exe).
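The observables above are most useful when correlated rather than alerted on individually, since junction creation and EICAR detections each occur benignly. The function below does that correlation over a constructed event stream. It is an added example, not Fortra's or the PoC's code; the event schema (Time, Process, Action, Path, Target) and the sample records are hypothetical, so map your EDR or ETW fields onto that shape before use. Windows PowerShell 5.1 or later is assumed.

```powershell
# Added example (not Fortra's or the PoC's code): correlate the RedSun observables.
# The event schema and the sample events below are constructed for illustration.
function Find-RedSunPattern {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMilliseconds = 5000
    )
    $userWritable = '^[A-Z]:\\Users\\'                            # where a standard user can create directories
    $protected    = '^[A-Z]:\\(Windows\\System32|Program Files)'   # never a legitimate junction target from there
    $avProcesses  = @('MsMpEng.exe', 'NisSrv.exe')

    $junctions = $Events | Where-Object {
        $_.Action -eq 'JunctionCreated' -and $_.Path -match $userWritable -and $_.Target -match $protected
    }
    foreach ($j in $junctions) {
        $t0 = [datetime]$j.Time
        # Parent directory renamed away shortly before the junction appeared at the same path.
        $renamed = $Events | Where-Object {
            $_.Action -eq 'DirectoryRenamed' -and $_.Path -eq $j.Path -and
            ($t0 - ([datetime]$_.Time)).TotalMilliseconds -ge 0 -and
            ($t0 - ([datetime]$_.Time)).TotalMilliseconds -le $WindowMilliseconds
        }
        # An EICAR detection on a file under that directory just before the swap.
        $eicar = $Events | Where-Object {
            $_.Action -eq 'ThreatDetected' -and $_.Target -match 'EICAR' -and $_.Path -like "$($j.Path)\*" -and
            ($t0 - ([datetime]$_.Time)).TotalMilliseconds -ge 0 -and
            ($t0 - ([datetime]$_.Time)).TotalMilliseconds -le $WindowMilliseconds
        }
        # The antimalware service writing into a protected directory after the swap.
        $avWrites = $Events | Where-Object {
            $_.Action -eq 'FileWritten' -and $_.Process -in $avProcesses -and $_.Path -match $protected -and
            (([datetime]$_.Time) - $t0).TotalMilliseconds -ge 0 -and
            (([datetime]$_.Time) - $t0).TotalMilliseconds -le $WindowMilliseconds
        }
        if ($avWrites) {
            [pscustomobject]@{
                Severity        = 'High'
                Time            = $j.Time
                Process         = $j.Process
                Junction        = '{0} -> {1}' -f $j.Path, $j.Target
                ParentRenamed   = [bool]$renamed
                EicarAlertFirst = [bool]$eicar
                AvWrites        = ($avWrites | ForEach-Object { '{0} wrote {1}' -f $_.Process, $_.Path }) -join '; '
            }
        }
    }
}

# Constructed sample events: one RedSun-shaped sequence plus benign noise.
$tmp = 'C:\Users\alice\AppData\Local\Temp\rs'
$events = @(
    [pscustomobject]@{ Time='2026-04-10T09:00:00.000'; Process='redsun.exe';    Action='SyncRootRegistered'; Path=$tmp;                                        Target=$null }
    [pscustomobject]@{ Time='2026-04-10T09:00:00.120'; Process='MsMpEng.exe';   Action='ThreatDetected';     Path="$tmp\TieringEngineService.exe";             Target='Virus:DOS/EICAR_Test_File' }
    [pscustomobject]@{ Time='2026-04-10T09:00:00.130'; Process='redsun.exe';    Action='DirectoryRenamed';   Path=$tmp;                                        Target="$tmp.TMP" }
    [pscustomobject]@{ Time='2026-04-10T09:00:00.135'; Process='redsun.exe';    Action='JunctionCreated';    Path=$tmp;                                        Target='C:\Windows\System32' }
    [pscustomobject]@{ Time='2026-04-10T09:00:00.210'; Process='MsMpEng.exe';   Action='FileWritten';        Path='C:\Windows\System32\TieringEngineService.exe'; Target=$null }
    [pscustomobject]@{ Time='2026-04-10T09:00:00.400'; Process='services.exe';  Action='ServiceStarted';     Path='C:\Windows\System32\TieringEngineService.exe'; Target=$null }
    # Benign: a user-created junction that points at user-owned data and is never followed by an AV write.
    [pscustomobject]@{ Time='2026-04-10T10:15:00.000'; Process='explorer.exe';  Action='JunctionCreated';    Path='C:\Users\alice\Links\Docs';                 Target='C:\Users\alice\Documents' }
)

Find-RedSunPattern -Events $events | Format-List
```

Only the first junction produces a finding, with ParentRenamed and EicarAlertFirst both set; the benign junction is ignored because its target is not a protected path and no antimalware write follows it. The window is deliberately generous (five seconds) because the real sequence completes in milliseconds and telemetry timestamps from different providers are not perfectly aligned.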
Final Thoughts
RedSun underscores a persistent challenge in modern operating system security: the boundary where defensive software meets complex filesystem features. By turning an antivirus engine's remediation capabilities into an arbitrary file overwrite primitive, attackers can bypass traditional access controls without relying on memory corruption. Mitigating these threats requires a defense-in-depth approach, blending strict policy controls (such as restricting mount point creation and CfAPI access for unprivileged users) with robust behavioral monitoring to catch the rapid, unnatural sequence of filesystem manipulations that characterize TOCTOU attacks.