- microsoft
- defender
- cve
- privilege-escalation
- windows
- toctou
- lpe
- local
- zero-day
news
RedSun: Defender Cloud-Tag Remediation LPE (CVE-2026-41091)
Nightmare-Eclipse PoC abuses Defender's cloud-tagged file restore path to write TieringEngineService.exe into System32 as SYSTEM — CISA KEV, patched May 2026 OOB.
Summary
RedSun is the second Nightmare-Eclipse cluster release — dropped April 16, 2026, thirteen days after BlueHammer. Where BlueHammer wins a TOCTOU race during signature updates to read protected hives, RedSun targets Defender's real-time scan remediation path to perform a privileged file write into C:\Windows\System32. The root logic flaw: when Defender detects a malicious file carrying a Cloud Files placeholder tag, it rewrites the file back to its original location under NT AUTHORITY\SYSTEM without validating whether that path was redirected via NTFS junctions.
Cyderes Howler Cell, CloudSEK, Qualys, and independent researchers reproduced standard-user → SYSTEM escalation on Windows 10, Windows 11, and Windows Server 2019+. Microsoft assigned CVE-2026-41091, patched out-of-band May 19, 2026 in Malware Protection Engine 1.1.26040.8; CISA KEV followed. Huntress documented RedSun deployed in live attack chains, often paired with UnDefend to degrade detection before escalation.
The PoC author notes the behavior explicitly in the Project Nightcrawler README: "When Windows Defender realizes that a malicious file has a cloud tag… the antivirus… decides that it is a good idea to just rewrite the file… to its original location."
OFFSITE.DARK indexes this entry from Project Nightcrawler and public analysis; we did not discover or weaponize this flaw.
Technical Details
| Aspect | Detail |
|---|---|
| CVE | CVE-2026-41091 |
| Component | Microsoft Malware Protection Engine (MpSvc.dll / MsMpEng.exe remediation path) |
| Root cause | Improper link resolution before file access (CWE-59) during cloud-tagged file restoration |
| Privileges required | Standard local user |
| Attack primitives | Batch oplocks, Cloud Files API placeholders, NTFS junctions, VSS polling, COM activation |
| Target binary | TieringEngineService.exe in C:\Windows\System32 |
| Execution path | Storage Tiers Management COM server activation after System32 placement |
| Patch | Malware Protection Engine ≥ 1.1.26040.8 (May 19, 2026 OOB) |
| Static detection | Exploit:Win32/DfndrPERedSun.BB on known sample (sample-specific) |
Attack chain (conceptual)
- Stage decoy — Attacker creates a working directory under `%TEMP%\RS_{GUID}\` with a decoy binary and EICAR or equivalent trigger content.
- Cloud Files registration — Register a sync root and create a Cloud Files placeholder on the target filename so Defender's remediation path treats the object as cloud-backed.
- Trigger scan — Invoke Defender real-time scan/remediation via RPC so `MsMpEng.exe` processes the file at SYSTEM integrity.
- Race window — Batch oplock pauses Defender mid-operation; Cloud Files placeholder keeps the path valid through directory swaps.
- Junction redirect — Replace the staging directory with a junction to `C:\Windows\System32`. Defender's restore/write follows the reparse point and lands the attacker binary in a protected directory.
- SYSTEM execution — Activate Storage Tiers Management COM (`TieringEngineService.exe`) to execute the planted binary as SYSTEM. Successful runs may suppress immediate Defender pop-ups (researcher-added flag documented in RoguePlanet lineage).
Detection artifacts (public research)
| Indicator | Notes |
|---|---|
| `%TEMP%\RS_*\TieringEngineService.exe` staging | PoC-specific path prefix |
| `.SyncRootIdentity` / Cloud Files sync-root artifacts | Cloud tag setup |
| Defender Event ID 1116 / 1117 on System32 paths | EICAR or DfndrPERedSun detections |
| `MsMpEng.exe` → `TieringEngineService.exe` ancestry at SYSTEM | Near-certain exploitation behavior |
| DCOM Event 10005 around Storage Tiers activation | COM trigger correlation |
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-41091 |
| CVSS 3.1 | 7.8 High |
| CWE | CWE-59 (Improper Link Resolution Before File Access) |
| Published | 2026-05-20 |
| Fixed version | Microsoft Malware Protection Engine 1.1.26040.8 |
| Exploit status | Weaponized PoC; CISA KEV; ITW with UnDefend per Huntress |
Impact
- Local privilege escalation from any standard user session on Defender-enabled endpoints.
- Arbitrary write to System32 via trusted antivirus remediation — enables persistent SYSTEM code execution without admin rights.
- Kill-chain pairing: deployed with UnDefend to freeze signatures before escalation; cluster tools already appear in intrusion data.
- Detection gap: static signatures on compiled PoC do not close the technique; behavioral EDR rules are primary.
Mitigation
- Confirm Malware Protection Engine ≥ 1.1.26040.8 and Defender platform ≥ 4.18.26040.7 on all hosts.
- Prioritize behavioral rules for Defender-spawned System32 writes, Cloud Files sync-root creation from user processes, and `%TEMP%\RS_*` staging trees.
- Enable Tamper Protection and EDR block mode to retain detection if signature updates are disrupted by sibling UnDefend TTPs.
- Restrict Create symbolic links / junction creation for standard users where Group Policy permits.
- Hunt for UnDefend precursors (Defender update error 80070643, signature freeze) before investigating RedSun indicators.
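As an added example (not code from Project Nightcrawler or any of the sources listed), the detection artifacts table and the engine-version check from the mitigation list expressed as triage logic over constructed event records. The field names (`event_id`, `path`, `image`, `parent_image`, `user`, `message`) and the sample events are this example's own, not a real log schema.

```python
import re

# Malware Protection Engine version carrying the May 2026 OOB fix (from the advisory).
FIXED_ENGINE = (1, 1, 26040, 8)

# PoC staging tree %TEMP%\RS_<GUID>\TieringEngineService.exe (prefix is PoC-specific).
STAGING_RE = re.compile(r"\\RS_[^\\]+\\TieringEngineService\.exe$", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\Windows\\System32\\", re.IGNORECASE)


def engine_vulnerable(version: str) -> bool:
    """True when a dotted engine version string is older than 1.1.26040.8."""
    return tuple(int(p) for p in version.strip().split(".")) < FIXED_ENGINE


def classify(event: dict) -> list[str]:
    """Return the RedSun indicators one constructed event record matches."""
    hits = []
    path = event.get("path", "")
    if STAGING_RE.search(path):
        hits.append("redsun_staging_path")
    # Defender Event ID 1116/1117 whose detected object sits under System32.
    if event.get("event_id") in (1116, 1117) and SYSTEM32_RE.match(path):
        hits.append("defender_detection_in_system32")
    # Process ancestry MsMpEng.exe -> TieringEngineService.exe running as SYSTEM.
    parent = event.get("parent_image", "").lower()
    image = event.get("image", "").lower()
    if (parent.endswith("\\msmpeng.exe") and image.endswith("\\tieringengineservice.exe")
            and event.get("user", "").upper() == "NT AUTHORITY\\SYSTEM"):
        hits.append("msmpeng_spawned_tieringengine_as_system")
    # DCOM Event 10005 mentioning Storage Tiers Management as a correlation signal.
    if event.get("event_id") == 10005 and "storage tiers" in event.get("message", "").lower():
        hits.append("dcom_10005_storage_tiers")
    return hits


# Constructed sample events; the hypothetical user "bob" and GUID fragment are made up.
SAMPLE_EVENTS = [
    {"event_id": 11, "path": r"C:\Users\bob\AppData\Local\Temp\RS_1a2b-3c4d\TieringEngineService.exe"},
    {"event_id": 1116, "path": r"C:\Windows\System32\TieringEngineService.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\TieringEngineService.exe",
     "parent_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.1\MsMpEng.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"event_id": 10005, "message": "DCOM attempted to start the service Storage Tiers Management"},
    {"event_id": 11, "path": r"C:\Users\bob\Downloads\report.pdf"},
]


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event_id, indicators) for every event matching at least one indicator."""
    return [(e["event_id"], h) for e in events if (h := classify(e))]
```

A single match on the staging path or a Defender detection under System32 is worth a look; the MsMpEng.exe ancestry hit is the one the public research rates as near-certain exploitation.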
Sources
- Project Nightcrawler — NightmareEclipse/RedSun (primary PoC source)
- Church of Malware git — Nightmare_Eclipse/RedSun (historical mirror)
- Cyderes Howler Cell — RedSun zero-day analysis
- Microsoft MSRC — CVE-2026-41091
- NVD — CVE-2026-41091
- Intrinsec — RedSun detection artifacts
- Calif.io — RedSun remediation workflow deep dive
- OFFSITE.DARK — RoguePlanet cluster index