Introduction

Endpoint security tools are designed to protect the system — but what happens when those same tools become the attack vector?

In 2026, we're seeing a shift in attacker methodology. Instead of bypassing security controls, adversaries are increasingly abusing trusted security processes themselves — leveraging their privileges, access, and implicit trust.

This article explores three emerging techniques:

  • BlueHammer (CVE-2026–33825) — patched LPE via Defender remediation
  • RedSun (0-day) — unpatched LPE via Cloud Files abuse
  • UnDefend — stealth persistence via Defender update suppression

We'll break each one down from a SOC and detection engineering perspective, with practical Splunk hunting queries you can run today.

Part 1: The LPE "Double Feature" — BlueHammer & RedSun

The Core Primitive: Junction-to-System32 Redirect

At the heart of both exploits is a simple but powerful concept:

Abusing NTFS junction points to redirect privileged writes into C:\Windows\System32

This works because:

  • Defender runs as SYSTEM
  • It performs file operations on attacker-controlled paths
  • NTFS junctions allow path redirection at runtime

If an attacker can redirect a Defender write operation into System32, they effectively gain privileged file write → full system compromise.

BlueHammer (CVE-2026–33825)

How It Works

BlueHammer targets Defender's threat remediation engine.

Attack flow:

  1. Trigger Defender scan on a controlled file
  2. Use a Batch OPLOCK to pause Defender mid-operation
  3. Replace the directory with a junction → System32
  4. Defender resumes and writes attacker-controlled content as SYSTEM

Detection & Hunting (Splunk)

1. The "Junction Swap" Signal

Users rarely create junctions in Temp or Downloads — this is high-signal activity.

index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
| eval cmd=coalesce(CommandLine, process_command_line)
| where like(cmd,"%mklink%") AND like(cmd,"%/j%")
| where like(cmd,"%Temp%") OR like(cmd,"%Downloads%") OR like(cmd,"%AppData\\Local\\Temp%")
| stats count values(Computer) as hosts values(User) as users values(ParentImage) as parent_process values(cmd) as command_lines by Image
| sort - count

2. The "System32 Mutation" Signal

Detect Defender writing into System32.

index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=11 OR EventCode=15)
| eval proc=coalesce(Image, ProcessName)
| eval target=coalesce(TargetFilename, FileName)
| where like(proc,"%MsMpEng.exe%") AND like(target,"%\\Windows\\System32\\%")
| stats count values(Computer) as hosts values(User) as users values(target) as target_files by proc
| sort - count

3. Critical Binary Overwrite Detection

index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=11 OR EventCode=15)
| eval proc=coalesce(Image, ProcessName)
| eval target=coalesce(TargetFilename, FileName)
| where like(proc,"%MsMpEng.exe%")
| where like(target,"%TieringEngineService.exe%") OR like(target,"%Winlogon.exe%") OR like(target,"%services.exe%")
| stats count values(Computer) as hosts values(User) as users values(target) as target_files by proc
| sort - count

Defense & Hardening

  • Patch April 2026 updates (BlueHammer)
  • Enable ASR rule: Block unauthorized processes from writing to system folders
  • Monitor Defender behavior — not just attacker processes

RedSun (0-Day)

How It Works

RedSun abuses Defender's Cloud Files restoration logic.

Attack flow:

  1. Register fake sync root via cldapi.dll
  2. Tag file as cloud-backed
  3. Defender attempts restore
  4. Redirect restore path via junction → System32
  5. Defender overwrites system binary as SYSTEM

Detection & Hunting (Splunk)

Cloud Files / cldapi.dll Activity

index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=7
| eval loaded=coalesce(ImageLoaded, LoadedModuleName)
| where like(loaded,"%cldapi.dll%")
| stats count values(Computer) as hosts values(User) as users values(Image) as loading_process by loaded
| sort - count

Suspicious Cloud Sync Activity

index=* ("Cloud Files" OR "Sync Root" OR "CfRegisterSyncRoot")
| eval proc=coalesce(Image, ProcessName)
| eval cmd=coalesce(CommandLine, ProcessCommandLine)
| stats count values(host) as hosts values(proc) as processes values(cmd) as command_lines by _time
| sort - _time

Why RedSun Is Worse

  • No timing dependency (no OPLOCK)
  • Uses legitimate Windows APIs
  • Currently unpatched

This makes it:

  • More stable
  • Harder to detect
  • Ideal for real-world exploitation

Part 2: The "Silent Freeze" — UnDefend

A Different Threat Model

UnDefend isn't about privilege escalation.

It's about blinding your defenses while everything looks normal.

How It Works

UnDefend blocks Defender updates by:

  • Manipulating registry keys
  • Disrupting update mechanisms
  • Faking update state

Result:

  • Defender stops updating
  • System appears healthy
  • Security silently degrades over time

Detection & Hunting (Splunk)

1. Registry "Smoking Gun"

index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=13
| eval target=coalesce(TargetObject, RegistryPath)
| eval details=coalesce(Details, RegistryValueData)
| search target="*SERIOUSLYMSFT*" OR details="*SERIOUSLYMSFT*"
| stats count values(Computer) as hosts values(User) as users values(target) as registry_keys by Image
| sort - count

2. Defender Registry Tampering

index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=13
| eval target=coalesce(TargetObject, RegistryPath)
| where like(target,"%Windows Defender%") OR like(target,"%Signature Updates%")
| stats count values(Computer) as hosts values(User) as users values(target) as modified_keys by Image
| sort - count

3. Update Failure Clusters

index=* ("80070643" OR "Defender update failed" OR "Security Intelligence Update")
| stats count earliest(_time) as first_seen latest(_time) as last_seen by host
| where count >= 3
| convert ctime(first_seen) ctime(last_seen)
| sort - count

4. Defender Version Drift

index=* ("AMServiceVersion" OR "AntivirusSignatureVersion")
| rex field=_raw "AMServiceVersion\s*[:=]\s*(?<AMServiceVersion>[^\s,]+)"
| rex field=_raw "AntivirusSignatureVersion\s*[:=]\s*(?<AntivirusSignatureVersion>[^\s,]+)"
| stats latest(AMServiceVersion) as AMServiceVersion latest(AntivirusSignatureVersion) as AntivirusSignatureVersion by host
| sort host

Defense & Hardening

1. Tamper Protection (Critical)

  • Enable via Intune or GPO
  • Prevents registry manipulation

2. External Validation

  • Don't trust endpoint reporting alone
  • Validate updates centrally

3. Baseline Monitoring

  • Track Defender versions across all endpoints
  • Alert on drift

SOC Analyst Checklist

Immediate Actions

  • Hunt for mklink /j activity
  • Monitor Defender (MsMpEng.exe) writing to System32
  • Audit Defender registry changes
  • Identify update failures across fleet
  • Baseline Defender versions

Key Monitoring Areas

  • NTFS junction creation
  • Defender file write behavior
  • Registry modifications
  • Cloud Files API usage

GPO / Security Settings

  • Tamper Protection → Enabled
  • ASR Rules → Enforced
  • Update Policies → Not bypassed

Conclusion: A Shift in Tradecraft

We are entering a phase where attackers no longer need to defeat security tools.

They just need to redirect them.

Defender and tools like it operate with:

  • Elevated privileges
  • Deep system access
  • Implicit trust

That makes them ideal targets.

Final Thought

Detection in 2026 isn't just about spotting malware. It's about questioning what your trusted processes are doing.

Because the next breach might not come from something unknown…

…it might come from something you already trust.