Microsoft Defender Zero-Days BlueHammer and RedSun Actively Exploited
- [01] Attackers are exploiting three Microsoft Defender vulnerabilities to gain elevated system privileges and bypass security controls on Windows environments.
- [02] Impacted systems include Windows workstations and servers running Microsoft Defender where the BlueHammer, RedSun, and UnDefend flaws remain unpatched.
- [03] Organizations should monitor for unexpected local privilege escalation and for tampering with Defender's protection settings, and apply Microsoft security updates as soon as official patches are released.
Vulnerability Overview and Current Exploitation
Cybersecurity researchers at Huntress have warned that three zero-day vulnerabilities in Microsoft Defender, collectively dubbed BlueHammer, RedSun, and UnDefend, are being actively exploited. The flaws were originally disclosed by a security researcher known as Chaotic Eclipse. According to The Hacker News, although details of the vulnerabilities have been shared publicly, two of the three remain unpatched at the time of writing, leaving threat actors a significant window in which to achieve privilege escalation.
The exploitation of these flaws is a significant risk because Microsoft Defender is the default security solution on millions of Windows systems worldwide. When the core security product itself contains vulnerabilities that grant unauthorized access, the result can be total compromise of the host: an attacker who controls the security agent can switch off further security telemetry and use the host as a pivot into the rest of the network.
Technical Analysis of BlueHammer, RedSun, and UnDefend
The first of these vulnerabilities, codenamed BlueHammer, reportedly involves a flaw in how Microsoft Defender handles specific GitHub-related authentication flows. The technical specifics remain somewhat obscured because of the sensitivity of the exploit, but initial reports indicate that a successful exploit allows a low-privileged local user to gain SYSTEM-level access. Detection work so far focuses on unusual process creation by Defender's core services, in particular children spawned by the MsMpEng.exe service process.
RedSun and UnDefend follow a similar pattern but target different components of the Defender engine. RedSun appears to target the real-time scanning engine, potentially allowing an attacker to inject malicious code into a trusted process context. UnDefend, on the other hand, appears to target the self-protection mechanisms of the antivirus software. An attacker who successfully leverages UnDefend can effectively blind the SOC by preventing the security agent from reporting malicious activity.
These vulnerabilities do not currently have CVE identifiers in the National Vulnerability Database, which complicates tracking and patching for many organizations. Without a formal identifier, standard vulnerability scanners usually have no check to map to the flaw, so they cannot yet enumerate vulnerable assets across an enterprise; defenders must instead track them by codename and by Defender platform and engine version once Microsoft names a fixed release.
How to Detect BlueHammer Exploitation and Related TTPs
The TTPs observed in the wild suggest that threat actors are using these vulnerabilities as a post-exploitation step. After gaining initial access through phishing or other means, the attacker runs the exploit to escalate to SYSTEM, bypass EDR controls, and establish a persistent foothold.
For defenders, the technical analysis of RedSun indicates that it is essential to monitor for unexpected modifications to Defender's configuration registry keys and for unusual memory allocation patterns in MsMpEng.exe. Detection should focus on:
- Unexpected escalation to NT AUTHORITY\SYSTEM by local users.
- The disabling of tamper protection or real-time monitoring via non-standard interfaces.
- Unusual network connections originating from protected security processes.
Correlating these events in a SIEM can surface an attack in progress before the actor fully establishes control. Analysts should map the behaviors to the MITRE ATT&CK framework: the escalation itself is Technique T1068 (Exploitation for Privilege Escalation), and the tampering with protection settings is T1562.001 (Impair Defenses: Disable or Modify Tools).
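The following PowerShell script is an added example, not part of the article and not tooling published by Huntress or Microsoft. It checks a single host for the three indicators listed above: Defender's own events that record protection being disabled or reconfigured, processes spawned by MsMpEng.exe (Security event 4688, which assumes process-creation auditing is enabled), policy registry values that turn protection off, and sockets owned by Defender processes. The process names, the "normal" port list (80/443), and the choice of registry values are assumptions that form a starting baseline and should be tuned for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article, Huntress, or Microsoft): single-host hunt for
# Defender tampering and escalation indicators. Run elevated; 4688 requires
# "Audit Process Creation" to be enabled on the host.

function Get-EventField {
    # Pull a named EventData field out of an event record via its XML.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -ExpandProperty '#text'
}

function Invoke-DefenderTamperHunt {
    param([int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)

    # 1. Defender's operational log: 5001 real-time protection disabled, 5004
    #    real-time protection config changed, 5007 configuration changed,
    #    5010/5012 malware/virus scanning disabled, 5013 tamper protection
    #    blocked a change attempt.
    $configEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5012, 5013
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

    # 2. Children of the Defender service process. MsMpEng.exe runs as SYSTEM, so
    #    any child shell here is the escalation pattern; report every child and
    #    build an allow-list only after baselining.
    $children = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $parent = Get-EventField $_ 'ParentProcessName'
        if ($parent -like '*\MsMpEng.exe') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Parent   = $parent
                Child    = Get-EventField $_ 'NewProcessName'
                Subject  = Get-EventField $_ 'SubjectUserName'
                TokenElv = Get-EventField $_ 'TokenElevationType'
            }
        }
    }

    # 3. Policy registry values that switch protection off (a common target once an
    #    attacker holds SYSTEM). A value of 1 means "disabled".
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $regFindings = foreach ($entry in @(
            @{ Path = $polKey;                        Name = 'DisableAntiSpyware' },
            @{ Path = "$polKey\Real-Time Protection"; Name = 'DisableRealtimeMonitoring' },
            @{ Path = "$polKey\Real-Time Protection"; Name = 'DisableBehaviorMonitoring' })) {
        $v = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($entry.Name) -eq 1) { "$($entry.Path)\$($entry.Name) = 1" }
    }

    # 4. Live sockets owned by Defender processes (assumed set: MsMpEng, NisSrv,
    #    MsSense). Cloud protection is outbound 443; a listener or a non-web
    #    remote port from these PIDs is unusual and worth triage.
    $netFindings = @()
    $defenderPids = Get-Process -Name MsMpEng, NisSrv, MsSense -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Id
    if ($defenderPids) {
        $netFindings = Get-NetTCPConnection -OwningProcess $defenderPids -ErrorAction SilentlyContinue |
            Where-Object { $_.State -eq 'Listen' -or $_.RemotePort -notin 80, 443 } |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
    }

    $hardDisable = @($configEvents | Where-Object { $_.Id -in 5001, 5010, 5012 })
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        Since              = $since
        ProtectionChanges  = @($configEvents)
        DefenderChildProcs = @($children)
        PolicyDisables     = @($regFindings)
        OddDefenderSockets = @($netFindings)
        Suspicious         = [bool]($children -or $regFindings -or $netFindings -or $hardDisable)
    }
}

# One JSON document per host, suitable for forwarding to a SIEM.
Invoke-DefenderTamperHunt -LookbackHours 24 | ConvertTo-Json -Depth 4
```

The `Suspicious` flag is deliberately coarse: a 5004 or 5007 configuration event alone is routine on a managed fleet, so only a child process of MsMpEng.exe, a disabling policy value, an odd socket, or an outright disable event (5001/5010/5012) raises it. Map child-process hits to T1068 and the rest to T1562.001 when writing the SIEM rule.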
Microsoft Defender Privilege Escalation Mitigation
Until Microsoft releases official patches for RedSun and UnDefend, organizations must rely on defense in depth. Mitigating Defender privilege escalation involves several proactive steps that reduce the attack surface and protect sensitive assets.
First, strictly enforce the principle of least privilege. These are local privilege-escalation flaws, so the attacker needs to run code on the host as a low-privileged user before the exploit is useful; preventing that initial execution is paramount. Application control policies (AppLocker or Windows Defender Application Control) and removing unnecessary administrative tools from standard users' reach achieve this.
Second, ensure that Tamper Protection is enabled across the fleet. It is managed through Microsoft Intune, Microsoft Configuration Manager, or the Microsoft Defender portal rather than through ordinary Group Policy settings. Although UnDefend specifically targets these self-protection mechanisms, keeping them active still raises the bar for less sophisticated actors and for commodity tooling that simply flips the policy registry values.
Finally, hunt for any IoCs published by security researchers. Because two of the flaws remain zero-days, monitor security advisories frequently for official patches or revised mitigation guidance from Microsoft, and record the Defender platform and engine versions on your hosts so that you can confirm the fix has landed once Microsoft names a fixed release.
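The script below is an added example, not tooling from the article, Huntress, or Microsoft. It audits the three mitigations above across a list of hosts over WinRM: whether Tamper Protection and real-time protection are on, whether an AppLocker Exe rule collection is enforced (the bar used here for "application control"), what Defender platform and engine versions are running, and whether any published IoC hashes are present in common staging directories. The computer names are placeholders, the minimum platform version defaults to `0.0.0.0` until Microsoft names a fixed release, and the IoC list is empty because no hashes are supplied here; fill all three from your inventory and the vendor advisory. Tamper Protection is only reported, not changed, because it cannot be set from PowerShell.

```powershell
# Added example (not from the article, Huntress, or Microsoft): fleet posture audit
# for the Defender mitigations above. Requires WinRM to the target hosts.

function Get-DefenderPostureReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Placeholder: set from Microsoft's advisory when a fixed platform version ships.
        [string]$MinimumPlatformVersion = '0.0.0.0',
        # Placeholder: published SHA-256 file hashes; none are invented here.
        [string[]]$IocSha256 = @()
    )

    $audit = {
        param([string]$MinPlatform, [string[]]$Hashes)
        $s = Get-MpComputerStatus

        # AppLocker effective policy as XML; an enforced "Exe" collection counts.
        # Tamper protection is read-only here (managed via Intune, ConfigMgr or the
        # Defender portal), so the report only flags hosts that need attention.
        $exeEnforced = $false
        $polXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
        if ($polXml) {
            $pol = [xml]$polXml
            $exeEnforced = [bool]($pol.AppLockerPolicy.RuleCollection |
                Where-Object { $_.Type -eq 'Exe' -and $_.EnforcementMode -eq 'Enabled' })
        }

        # IoC sweep limited to common staging paths so hashing stays cheap.
        $hits = @()
        if ($Hashes) {
            $hits = Get-ChildItem -Path "$env:SystemRoot\Temp", "$env:PUBLIC",
                                        "$env:SystemDrive\Users\*\AppData\Local\Temp" `
                        -Recurse -File -ErrorAction SilentlyContinue |
                Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
                Where-Object { $_.Hash -in $Hashes } |
                Select-Object -ExpandProperty Path
        }

        [pscustomobject]@{
            Host                 = $env:COMPUTERNAME
            TamperProtected      = $s.IsTamperProtected
            RealTimeProtection   = $s.RealTimeProtectionEnabled
            PlatformVersion      = $s.AMProductVersion
            EngineVersion        = $s.AMEngineVersion
            PlatformBelowMin     = ([version]$s.AMProductVersion) -lt ([version]$MinPlatform)
            AppLockerExeEnforced = $exeEnforced
            IocHits              = @($hits)
        }
    }

    Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit `
        -ArgumentList $MinimumPlatformVersion, $IocSha256 -ErrorAction Continue |
        Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
}

# Placeholder inventory; replace with names from AD or your CMDB.
$report = Get-DefenderPostureReport -ComputerName 'WS-EXAMPLE-01', 'SRV-EXAMPLE-02'

$report | Format-Table Host, TamperProtected, RealTimeProtection, PlatformVersion,
    PlatformBelowMin, AppLockerExeEnforced, @{ n = 'IocHits'; e = { $_.IocHits.Count } } -AutoSize

# Hosts that need action: protection off, platform older than the fixed build, or an IoC hit.
$report | Where-Object {
    -not $_.TamperProtected -or -not $_.RealTimeProtection -or
    $_.PlatformBelowMin -or $_.IocHits.Count -gt 0
}
```

Re-run the report after each Patch Tuesday with `-MinimumPlatformVersion` set to the build Microsoft names as fixed; until then `PlatformBelowMin` is always false and the useful columns are the protection states and the IoC hits.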