Wrote a technical breakdown of RedSun for nefariousplan.com: https://nefariousplan.com/posts/redsun-windows-defender-system-write
Covers the remediation-to-write primitive, the oplock race, SYSTEM-owned file creation, and the broader pattern of Defender's elevated cleanup surface being an attack vector. Also references BlueHammer for context on the trajectory.
Not trying to step on your work — attribution is explicit throughout. If anything is wrong or misrepresents the mechanism, open to corrections. The intent was to write a serious technical treatment that the security community can reference, since same-day unpatched deserves more than a tweet thread.
Posted to r/netsec and HN today.
— Kevlar / nefariousplan.com