Bypass Record

Exploitation for Priv-Esc × Microsoft Defender

A publicly-reported instance of Exploitation for Priv-Esc bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender
Technique
Exploitation for Priv-Esc
MITRE ATT&CK
T1068
Confidence
High
Severity
Critical
Status
in the wild
Disclosed
2026-04-17
Config / version noted
Not stated

Provenance

Reported as

RedSun abuses a race condition in Microsoft Defender's real-time scanning to write an attacker-controlled binary to System32

Mechanism

RedSun exploits a race condition in Microsoft Defender's real-time scanning remediation path. It chains Volume Shadow Copy, batch oplocks, Cloud Files API placeholders, and NTFS junctions to intercept a privileged file write operation performed by Defender (running as SYSTEM) and redirect it to drop a malicious binary into C:\Windows\System32, which then executes as SYSTEM.

Detection & mitigation

Monitor for file creation or write events under C:\Windows\System32 whose originating process is MsMpEng.exe (Defender's service process): Sysmon Event ID 11 (FileCreate), filtered on Image and TargetFilename, or Windows Security Event 4663 after placing a SACL on System32 that audits write-type accesses only (auditing reads there is extremely noisy, since Defender opens files in System32 routinely during scans). Mitigate by applying vendor patches promptly. Application control does not block the write itself, because the write is performed by Defender running as SYSTEM; Windows Defender Application Control can still stop the dropped binary from executing if the policy does not trust unsigned code merely because it sits under the Windows directory, whereas AppLocker's default executable rules allow everything under %WINDIR% and therefore need tightening to help here.
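The detection logic described above, written out as an added example (it is not code from the cited source or from the RedSun report): it parses Windows Event Log XML for Sysmon Event ID 11 and Security Event 4663, normalizes path spellings, and flags writes by MsMpEng.exe into System32. The XML layout assumed is the standard Event Log export schema; the sample events, the MsMpEng.exe platform version in the path, and the file names are constructed for illustration.

```python
r"""Flag Sysmon Event ID 11 (FileCreate) and Security Event 4663 (object access)
where Defender's service process writes into C:\Windows\System32.
Added example for this record; sample events below are constructed, not captured."""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM32 = r"c:\windows\system32"
# Defender's scanning service as named in the record; extend for your estate.
DEFENDER_IMAGES = {"msmpeng.exe"}
# 4663 AccessMask bits that denote a write: 0x2 WriteData/AddFile, 0x4 AppendData.
WRITE_MASK = 0x2 | 0x4


def normalize_path(path: str) -> str:
    r"""Lower-case the path and drop the \\?\ and \\.\ prefixes so spelling
    variations in the logs do not dodge a prefix match."""
    p = path.strip().replace("/", "\\")
    for prefix in ("\\\\?\\", "\\\\.\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p.lower()


def in_system32(path: str) -> bool:
    """True for System32 itself or anything beneath it (not System32Extra etc.)."""
    p = normalize_path(path)
    return p == SYSTEM32 or p.startswith(SYSTEM32 + "\\")


def image_name(image: str) -> str:
    """Basename of a process image path, lower-cased."""
    return normalize_path(image).rsplit("\\", 1)[-1]


def _data(event, name):
    node = event.find(f"e:EventData/e:Data[@Name='{name}']", EVENT_NS)
    return (node.text or "") if node is not None else ""


def check_event(xml_text: str):
    """Return an alert dict for a Defender write into System32, else None."""
    ev = ET.fromstring(xml_text)
    provider = ev.find("e:System/e:Provider", EVENT_NS).get("Name", "")
    event_id = int(ev.findtext("e:System/e:EventID", namespaces=EVENT_NS))
    if provider == "Microsoft-Windows-Sysmon" and event_id == 11:
        image, target = _data(ev, "Image"), _data(ev, "TargetFilename")
        is_write = True  # FileCreate is a write by definition
    elif provider == "Microsoft-Windows-Security-Auditing" and event_id == 4663:
        image, target = _data(ev, "ProcessName"), _data(ev, "ObjectName")
        # Only count write-type accesses; Defender reads System32 constantly.
        is_write = (int(_data(ev, "AccessMask") or "0", 16) & WRITE_MASK) != 0
    else:
        return None
    if is_write and image_name(image) in DEFENDER_IMAGES and in_system32(target):
        return {"event_id": event_id, "image": image, "target": target}
    return None


def scan(events):
    """Run check_event over a list of event XML strings and collect the alerts."""
    return [a for a in (check_event(e) for e in events) if a]


# --- constructed sample events (not captured telemetry) -----------------------
def _sysmon_11(image, target):
    return (f'<Event xmlns="{EVENT_NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID></System>'
            f'<EventData><Data Name="Image">{image}</Data>'
            f'<Data Name="TargetFilename">{target}</Data></EventData></Event>')


def _sec_4663(process, obj, mask):
    return (f'<Event xmlns="{EVENT_NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4663</EventID></System>'
            f'<EventData><Data Name="ProcessName">{process}</Data>'
            f'<Data Name="ObjectName">{obj}</Data><Data Name="AccessMask">{mask}</Data></EventData></Event>')


# Path form is typical for the Defender platform install; the version is made up.
MSMPENG = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\MsMpEng.exe"
SAMPLE_EVENTS = [
    _sysmon_11(MSMPENG, r"C:\Windows\System32\dropped.exe"),                              # flag
    _sysmon_11(MSMPENG, r"C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache"),      # normal location
    _sysmon_11(r"C:\Windows\servicing\TrustedInstaller.exe", r"C:\Windows\System32\x.dll"),  # not Defender
    _sec_4663(MSMPENG, r"\\?\C:\WINDOWS\System32\dropped.exe", "0x2"),                    # flag (write)
    _sec_4663(MSMPENG, r"C:\Windows\System32\ntdll.dll", "0x80"),                         # ReadAttributes only
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Two practical points when deploying this: scope the SACL on System32 to write-type accesses (create files / write data, append data) rather than all access, or 4663 volume from Defender's own scans will swamp the signal; and because the chain redirects the write through junctions, confirm on your own build which path form your telemetry records for the final file and extend normalize_path if it differs from the drive-letter form assumed here.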


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.