May 11, 2026: The Red Sun still prevails.

However, I noticed something odd. Either this is purely coincidence, or the exploit has less reliability now (?). On a freshly booted system, it works 100%, but after a couple minutes of runtime, it seems that it doesn't always win the race condition (or it takes longer than the usual ~10 seconds).

@christopherkunz maybe it's linked to system load or a half-working patch from MS...
It will be interesting to try out. If I find the time to set-up a VM or are you trying on a physical computer?
br

@jhr77 @christopherkunz
I suspect that Microsoft pushed out Defender updates that mitigate the exploit.

With current definitions, I've not seen RedSun succeed. No matter how long I wait.

With old definitions, success is pretty quick.

@wdormann @jhr77 Huh, that's odd. Works fine for me. Same definitions version.

@christopherkunz @wdormann @jhr77 do you have cloud protection turned on?

@GossiTheDog @christopherkunz @jhr77
Cloud-delivered protection ?
If so, then yeah, it's on.
It's the same stock Win11 VM that worked in April. Just with Defender updates installed.

@GossiTheDog @wdormann @jhr77 Yes, cloud protection is on. This is a German Win11 Home, I think. After updating to today's definitions and a reboot, RedSun.exe doesn't seem to win the RC anymore, so the reboot was likely necessary to apply the Defender mitigation.
I don't think this is merely a signature update, from what I understood the mitigation requires a core update to Defender.

@christopherkunz @GossiTheDog @jhr77
The executable bits for Defender are updated along with sigs.

@wdormann @GossiTheDog @jhr77 On second attempt, the exploit worked. So whatever MS did, is still not a 100% mitigation. I''ll try again to reproduce what happened.

@christopherkunz @GossiTheDog @jhr77
When it succeeds, does it happen relatively quickly?

I've tried both waiting 10 minutes and have also tried 10 times in a row, and neither strategy is successful on my Win11 VM.

@wdormann @GossiTheDog @jhr77 Reboot, log in, win-r, cmd, cd \temp, RedSun.exe, worked on first attempt.
In my last attempt, I had opened the Defender warning popup "defender has found a threat" and I thought I'd triggered some condition for the exploit to work. Seems not, I can still run it.
It succeeds after about 10 seconds.

@christopherkunz @GossiTheDog @jhr77
The dialog is the detection of the EICAR TieringEngineService.exe and is definitely a part of the successful exploit flow.

It's just that at least for me, it never succeeds with updated defs. 🤷‍♂️

@wdormann @GossiTheDog @jhr77 I think my TieringEngineService.exe might be permanently patched/replaced with the RedSun copy and none of the definitions updates have cleaned it up.

@christopherkunz @GossiTheDog @jhr77
Well yep, if you're testing on an already-popped machine, that's an invalid test.

That is, if C:\Windows\system32\TieringEngineService.exe has already been replaced, then the exploit might appear to "work" even when it doesn't.

TieringEngineService.exe is a Windows component. It has nothing to do with Defender, and no Defender update will restore it to its pristine state.

@christopherkunz @GossiTheDog @jhr77

Though I'll also admit that having Windows Security open seems to indicate that Windows Defender stops when RedSun is attempted.

From the GUI it's merely Threat service has stopped, but in Event viewer we can get more info in that it's Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.

It restarts automatically.

If this is an intentional RedSun fix, I'll say that it's less than ideal. 😂

@wdormann @christopherkunz @GossiTheDog Hi, today at the first try I had a shell with system rights. So i assume that it worked successfully.

@jhr77 @christopherkunz @GossiTheDog

Just to be clear, before you attempted the exploit, your C:\Windows\system32\TieringEngineService.exe file had a valid signature?

@wdormann @christopherkunz @GossiTheDog So this is even worse as this is persistent

@jhr77 @christopherkunz @GossiTheDog
The exploit made no claims about being temporary.

@wdormann @jhr77 @GossiTheDog Yeah, mine is unsigned, so I'm doing the whole dism & sfc routine now to presumably fix it.
I'm a little surprised though: Is this normal behavior that unsigned corrupted executables remain indefinitely in \system32 and aren't detected or removed? Is this something I would have to trigger manually, like an offline scan of sorts?

@christopherkunz @jhr77 @GossiTheDog
No, Windows does not do periodic filesystem checks to ensure that files have not been corrupted.

It's up to you to run sfc /scannow and associated tools if you think your Windows installation is corrupt.

@christopherkunz @wdormann @GossiTheDog same same here. It's getting worse when asking more questions. But it was possible to replace with the original version. Hopefully the system is clean now. Maybe making a scan with the defender... 😅

@jhr77 @christopherkunz @GossiTheDog
Always revert your VM to a clean state before (and after) testing an exploit. 😂

@wdormann @jhr77 @GossiTheDog Meanwhile, slightly elsewhere: https://github.com/Nightmare-Eclipse/GreenPlasma
Looking forward to seeing the writeup to this.
https://github.com/Nightmare-Eclipse/YellowKey

@wdormann @jhr77 @christopherkunz I don't see a Defender entry in today's update that also points to this being a signature based mitigation

@buherator @christopherkunz @jhr77
I can't imagine why they'd wait for Patch Tuesday if they already have the path to fix it automatically at any time they want. 🤷‍♂️

@wdormann @christopherkunz @jhr77 Vuln mgmt is hard, e.g. how you track patch coverage vs. signature update status? Not that pushing a sig was a bad idea, I'd just expect a KB for this too.

@buherator @christopherkunz @jhr77
Right. There is no official statement that the vulnerability was actually fixed.

I personally believe that it was fixed, as I can no longer reproduce the exploit with updated definitions.

I suspect that others in this thread do not agree with me.

Would be nice to have a definitive answer.

@buherator @christopherkunz @jhr77
Related: In Microsoft's world, CVEs are identifiers for software updates released on Patch Tuesday (or OOB through the same channel), not vulnerabilities. They used to have proprietary identifiers for their software updates, like MS08-067, but when they switched to using CVEs, they didn't switch what the identifiers are for.

As such, I could imagine why they didn't think a CVE was necessary for the vulnerability that allowed the RedSun exploit to work.

@christopherkunz @wdormann @GossiTheDog What the h... is that yellowkey? I am a little bit afraid to try it. It sounds that it should be better prepared not on a windows system and tested on a completely separate pc.

@jhr77 @christopherkunz @GossiTheDog
I've not been able to reproduce YellowKey in a VMware Workstation VM.

So either VMware is interfering with the hold CRTL and do NOT lift your finger off it apparently required part of the exploit, or it simply doesn't work.

Even if it did work, I suspect that it'd perhaps only work on systems that don't both with PIN-on-boot protection. Which is sort of known to be not terribly secure.

@buherator @christopherkunz @jhr77
Also note that the RedSun author noticed that the vulnerability was fixed, without a CVE

@wdormann @buherator @christopherkunz Today a bunch of updates have been done. But no time for testing...

@wdormann @buherator @christopherkunz But at least on a clean system the file "TieringEngineService.exe" has not been replaced 🤔

@wdormann @buherator @jhr77 They had a whole bunch of LPE CVEs in the Cloud Files API, at least one race condition. I wouldn‘t be too surprised if they fixed it together with one of them.