
Critical Update: Active Exploitation of Defender Zero-Days (BlueHammer, RedSun, UnDefend)

SCADA_Guru_Ivan 4/17/2026

Just caught the latest report from Huntress regarding three zero-day vulnerabilities in Microsoft Defender that are currently under active exploitation. The flaws—codenamed BlueHammer, RedSun, and UnDefend—were disclosed by researcher Chaotic Eclipse. While details are still emerging, the consensus is that these allow threat actors to elevate privileges on already compromised systems.

The primary vector involves leveraging how Defender handles specific scanning operations or file parsing, effectively turning the AV against itself to gain SYSTEM-level access. The kicker is that two of these (RedSun and UnDefend) are currently unpatched, leaving a gap for attackers until Microsoft releases a fix.

Since we can't rely on a patch for all three immediately, we need to focus on containment and detection of the initial access vector, as the privilege escalation might be silent if the AV is bypassed.

I recommend auditing your endpoints for unusual child processes spawned by the Defender engine. While MsMpEng.exe spawning cmd.exe isn't always malicious, in this context, it’s a massive red flag.

Here is a basic KQL query for Sentinel/MDE users to hunt for suspicious process lineage:

DeviceProcessEvents
| where InitiatingProcessFileName == "MsMpEng.exe"
| where FileName in ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, FileName, InitiatingProcessCommandLine, ProcessCommandLine

Additionally, ensure you are monitoring for modifications to Defender's exclusion lists, as actors often add exclusions to pave the way for these exploits.

How is everyone handling the gap for the two unpatched flaws? Are you considering disabling specific Defender features temporarily, or just relying on strict privilege management (LAPS, removing local admins) to stop the initial foothold?
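As an added example (not code posted by anyone in this thread), here is a PowerShell audit for the exclusion-list monitoring point above: it lists the current Defender exclusions, flags broad ones with a simple heuristic, and pulls recent exclusion changes from the Defender Operational log. It assumes the script runs elevated and that Defender records configuration changes, including exclusion edits, as Event ID 5007 with "Exclusions" in the message text.

```powershell
# Added example, not code from this thread. Assumptions: runs elevated on a Windows
# endpoint with Defender, and configuration changes (including exclusion edits)
# land in the Defender Operational log as Event ID 5007 mentioning "Exclusions".
function Get-DefenderExclusionAudit {
    param([int]$Days = 7)

    # Current exclusions as Defender reports them right now.
    $pref  = Get-MpPreference
    $paths = @($pref.ExclusionPath)

    # Heuristic (assumed, not from the thread): exclusions on a drive root or on
    # user-writable locations are broad enough to hide a staged payload.
    $broadPatterns = '^[A-Za-z]:\\?$', '\\Users\\?', '\\Temp\\?', '\\ProgramData\\?'
    $broad = $paths | Where-Object {
        $p = $_
        ($broadPatterns | Where-Object { $p -match $_ }).Count -gt 0
    }

    # Recent configuration-change events that mention exclusions.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        ExclusionPaths  = $paths
        ExclusionProcs  = @($pref.ExclusionProcess)
        ExclusionExts   = @($pref.ExclusionExtension)
        BroadExclusions = @($broad)
        RecentChanges   = @($events)
    }
}

# Run locally; fan out with Invoke-Command the same way as a remote signature update.
$audit = Get-DefenderExclusionAudit -Days 7
$audit | Format-List
```

Any entry in BroadExclusions or RecentChanges that nobody on the team can account for is worth treating as a potential staging step for the escalation path discussed above.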

LogAnalyst_Pete 4/17/2026

We're seeing similar activity in our SOC environment. The key here is that the attacker needs to be on the box before they can exploit the Defender flaw to escalate. We've pushed a script to our fleet to audit local admin group memberships and remove any unnecessary accounts. It's a blunt instrument, but without a patch for RedSun/UnDefend, limiting the 'initial compromise' is our best bet.

ZeroDayHunter 4/17/2026

Solid query. I'd add that you should also check for signed binaries leveraging the Defender directories for DLL side-loading, which is how I suspect some of these privilege escalation mechanisms are triggered.

Get-ChildItem -Path "C:\ProgramData\Microsoft\Windows Defender\Platform\" -Recurse -Filter *.dll | Select-Object FullName, LastWriteTime

If you see DLLs with recent timestamps that don't match the Defender version update schedule, investigate immediately.

SysAdmin_Dave 4/18/2026

Great insights. To add a practical verification step, we're forcing a signature update check on all endpoints immediately to ensure the latest definitions are applied, as this often patches heuristic detection gaps before the full platform update rolls out. You can trigger updates remotely with this snippet:

Invoke-Command -ComputerName (Get-Content servers.txt) -ScriptBlock { Update-MpSignature }

Has anyone seen success with disabling the MpEngine temporarily as a stopgap until the patch is fully deployed?
