Microsoft Defender Zero-Days BlueHammer, RedSun, and UnDefend: Active Exploitation and Defense Guide

Defenders face a critical escalation in the threat landscape with the disclosure of three zero-day vulnerabilities in Microsoft Defender. Dubbed BlueHammer, RedSun, and UnDefend, these flaws are currently being actively exploited in the wild to bypass security controls and achieve elevated privileges on compromised Windows systems.

The irony is palpable: the very endpoint protection tool designed to secure the environment is being weaponized as a vector for Local Privilege Escalation (LPE). Given that two of these vulnerabilities remain unpatched, reliance on signature-based detection is insufficient. Security teams must immediately pivot to behavioral anomaly detection and strict system hardening to mitigate the risk of full system compromise.

Technical Analysis

Affected Products:

• Microsoft Defender (Windows 10, Windows 11, Windows Server 2016+)
• Microsoft Defender for Endpoint

Vulnerability Overview: While specific CVE identifiers have not been fully assigned in the rush to disclosure, the vulnerabilities center on the mishandling of file operations and symbolic links by the Defender engine's kernel drivers and user-mode components.

• BlueHammer: Exploits a race condition in the Defender's cleaning/remediation mechanism. Attackers can trick the MpCmdRun.exe process into writing a malicious file to a privileged location (e.g., System32 or Drivers) with SYSTEM-level permissions.
• RedSun & UnDefend: These variants target the update and signature download mechanisms. By manipulating temporary directories and exploiting weak permission checks, threat actors can force the loading of arbitrary DLLs or executables.

Attack Chain:

1. Initial Access: An attacker gains a foothold via phishing or another exploit, landing as a standard user.
2. Weaponization: The attacker drops a specifically crafted file (often a mimic of known malware to trigger Defender) or stages a directory junction attack.
3. Exploitation: The attacker triggers a Defender scan or update.
4. Privilege Escalation: Defender, running as NT AUTHORITY\SYSTEM, attempts to clean or move the file. Due to the race condition (BlueHammer) or path traversal (RedSun), the attacker controls the destination, writing a malicious binary or DLL into a protected system path.
5. Execution: The malicious code is executed with SYSTEM privileges, granting the attacker full control over the endpoint.

Exploitation Status:

• In-the-Wild: Confirmed active exploitation by threat actors.
• Patch Status: As of this reporting, one flaw may have partial mitigation, but two (RedSun and UnDefend) remain unpatched. Proof-of-Concept (PoC) code is circulating in the security community.

Detection & Response

Detecting these vulnerabilities requires identifying when the Microsoft Defender executables behave abnormally—specifically, when they spawn unexpected child processes or write to sensitive system directories outside of their standard update paths.

SIGMA Rules

---
title: Potential Microsoft Defender BlueHammer/RedSun Privilege Escalation
id: a4b9c1d2-3e4f-5a6b-7c8d-9e0f1a2b3c4d
status: experimental
description: Detects suspicious child processes spawned by Microsoft Defender utility MpCmdRun.exe, which may indicate exploitation of zero-day LPEs.
references:
  - https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\MpCmdRun.exe'
      - '\MsMpEng.exe'
  selection_suspicious_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\whoami.exe'
  filter_legitimate:
    CommandLine|contains: 'RemoveItem' # Sometimes used for cleanup scripts
  condition: selection_parent and selection_suspicious_child and not filter_legitimate
falsepositives:
  - Legitimate administrative scripts triggering Defender actions
level: high
---
title: Microsoft Defender Writing to System32 Suspicious Path
id: b5c0d2e3-4f5a-6b7c-8d9e-0f1a2b3c4d5e
status: experimental
description: Detects file creation events in System32 or Drivers by Microsoft Defender processes, indicative of BlueHammer style exploitation.
references:
  - https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: file_create
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\MpCmdRun.exe'
      - '\MsMpEng.exe'
  selection_target:
    TargetFilename|contains:
      - 'C:\Windows\System32\drivers\'
      - 'C:\Windows\System32\'
  filter_updates:
    TargetFilename|contains:
      - 'MpEngine.dll'
      - 'MpAsDesc.dll'
  condition: selection_img and selection_target and not filter_updates
falsepositives:
  - Rare, legitimate component updates (should be correlated with update events)
level: critical

KQL (Microsoft Sentinel / Defender)

This query hunts for unusual process lineage originating from Defender utilities.

DeviceProcessEvents
| where InitiatingProcessFileName in ("MpCmdRun.exe", "MsMpEng.exe", "NisSrv.exe")
| where not (ProcessFileName in ("conhost.exe", "WerFault.exe", "wermgr.exe"))
| where ProcessCommandLine !contains "-SignatureUpdate" 
   and ProcessCommandLine !contains "-Scan" 
   and ProcessCommandLine !contains "-RemoveDefinitions"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

Hunt for instances where the Defender command-line utility has spawned non-standard child processes, a key indicator of successful exploitation.

-- Hunt for suspicious child processes of MpCmdRun.exe
SELECT 
  Pid, 
  Name, 
  CommandLine, 
  Exe, 
  Username, 
  Parent.Pid AS ParentPid, 
  Parent.Name AS ParentName, 
  Parent.CommandLine AS ParentCmd
FROM pslist()
WHERE Parent.Name =~ "MpCmdRun.exe"
  AND Name !~ "conhost.exe"
  AND Name !~ "WerFault.exe"

Remediation Script (PowerShell)

Since two vulnerabilities are unpatched, this script focuses on hardening permissions and checking for indicators of compromise (IOCs) related to the BlueHammer exploitation path.

# Check for unexpected binary modifications in sensitive directories often targeted by BlueHammer
$DefenderProcesses = @("MpCmdRun.exe", "MsMpEng.exe")
$SensitivePaths = @("C:\Windows\System32\drivers\", "C:\Windows\System32\")

Write-Host "[+] Checking for recently modified files in System32/drivers..."
Get-ChildItem -Path "C:\Windows\System32\drivers" -Filter "*.sys" | 
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } | 
Select-Object FullName, LastWriteTime, VersionInfo

# Identify if MpCmdRun is currently running
Write-Host "[+] Checking running Defender processes."
Get-Process | Where-Object { $DefenderProcesses -contains $_.ProcessName } | 
Select-Object ProcessName, Id, Path, StartTime

# Recommendation: Hardening
Write-Host "[!] MITIGATION: Ensure 'Tamper Protection' is ENABLED in Defender settings."
Write-Host "[!] MITIGATION: If patching is not possible, restrict who can trigger 'MpCmdRun.exe' via AppLocker or SRP."

Remediation

1. Patch Management:

• Monitor the Microsoft Security Response Center (MSRC) blog closely for security updates addressing BlueHammer, RedSun, and UnDefend.
• Apply the latest cumulative update for Windows immediately upon release.

2. Immediate Mitigations (Unpatched Vulnerabilities):

• Enable Tamper Protection: Ensure "Tamper Protection" is turned ON in the Windows Security interface. This prevents unauthorized applications from modifying Defender settings, though it may not fully stop kernel-level race conditions.
• Restrict MpCmdRun Usage: Use AppLocker or Windows Defender Application Control (WDAC) to restrict MpCmdRun.exe execution to only the SYSTEM account and specific authorized security scripts. Preventing low-privileged users from triggering the executable can break the exploit chain.
• Disable Antivirus Services (Critical Infrastructure Only): In highly sensitive environments where the risk of exploit outweighs the risk of malware temporarily, and where alternative EDR solutions are in place, organizations may consider temporarily disabling the Microsoft Defender Antivirus Service (WinDefend) until patches are available. This is a drastic measure and requires a rigorous risk assessment.

3. Threat Hunting:

• Immediately run the Sigma rules and KQL queries provided above across your environment.
• Investigate any instances of MpCmdRun.exe spawning cmd.exe or powershell.exe.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub