Caught, Quarantined, Re-installed: RedSun turns Microsoft Defender on itself

Summary

A proof-of-concept local privilege escalation exploit named 'RedSun' has been disclosed. It abuses how Microsoft Defender remediates cloud-tagged files: for certain flagged files Defender restores the file rather than deleting it, and because Defender performs that restore itself, with its own privileges, an attacker can use the restore to overwrite system files and obtain SYSTEM-level privileges.

IFF Assessment

FOE

The vulnerability turns a security product, Microsoft Defender, into the privilege-escalation primitive itself: an attacker with a local foothold gains elevated privileges on the victim system through the very component meant to protect it, which works directly against defenders.

Severity

7.8 High

This Local Privilege Escalation (LPE) vulnerability allows an attacker with local access to elevate to SYSTEM. The attack vector is local and the exploit depends on specific conditions (a cloud-tagged file and a timing window), but the impact is complete compromise of the host. The CVSS v3.1 base score is estimated at 7.8 (High); that value corresponds to the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, so it assumes low attack complexity. If the timing dependency is instead scored as high attack complexity (AC:H), the same impact metrics give 7.0, still High.

Defender Context

RedSun shows that Defender's own remediation path, the restore of a flagged file, can be turned into the privilege-escalation primitive. Defenders should know the technique and monitor Defender's file-restore activity and any writes to system binaries, treating a restore that lands in a protected system directory, or a system binary whose signature no longer validates, as a high-priority indicator.
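The monitoring advice above can be turned into a concrete hunt. The following PowerShell is an added example written for this page; it is not code from the RedSun disclosure or from Microsoft. It assumes Defender's quarantine-restore events are logged as IDs 1009 (item restored) and 1010 (restore failed) in the Microsoft-Windows-Windows Defender/Operational log, that the event message names the object on a "Path:" line with an optional "file:_" prefix, and it uses a seven-day lookback; confirm the event IDs and message format on the build you run it against. For each restore whose path falls under a protected system directory, it reports the event and the current Authenticode status of the file at that path.

```powershell
# Added example (not from the article or Microsoft): find Defender quarantine restores
# that land under protected system directories and check the restored file's signature.
# Assumptions: event IDs 1009/1010 and the "Path:" line format in the event message.

$LogName        = 'Microsoft-Windows-Windows Defender/Operational'
$RestoreIds     = @(1009, 1010)          # 1009 = restored from quarantine, 1010 = restore failed (assumed)
$LookbackDays   = 7
$ProtectedRoots = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    $env:ProgramFiles
)

function Get-SuspiciousDefenderRestores {
    $filter = @{ LogName = $LogName; Id = $RestoreIds; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the object path out of the message; the "file:_" prefix is stripped if present (assumed format).
        if ($e.Message -notmatch 'Path:\s*(?:file:_)?([A-Za-z]:\\[^\r\n]+)') { continue }
        $path = $Matches[1].Trim()

        # Only restores that land in a protected system location are interesting here.
        $inProtected = $ProtectedRoots | Where-Object {
            $_ -and $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if (-not $inProtected) { continue }

        # A system binary whose signature is no longer Valid (or that is missing) warrants investigation.
        $sigStatus = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -LiteralPath $path).Status
        } else {
            'Missing'
        }

        [PSCustomObject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Path      = $path
            Signature = $sigStatus
            User      = $e.UserId
        }
    }
}

Get-SuspiciousDefenderRestores | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since reading the Defender operational log and signatures of files under System32 may require administrative rights. A restore event whose Path sits under System32 with a Signature other than Valid is the pattern the article's context paragraph warns about; a clean Valid result does not prove the host is safe, because the restored file may itself be a validly signed but attacker-chosen binary.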
