Read the full UnDefend.cpp and wrote a line-by-line breakdown covering what the published code does and what the README says you held back.
Key things in the analysis that aren't in other coverage:
- The FILE_SHARE_WRITE without FILE_SHARE_READ in UpdateBlockerThread — why this lets Windows Update write while blocking MsMpEng.exe from loading
- FILE_NOTIFY_CHANGE_SIZE specifically (not LAST_WRITE) — the race waits for content, not file creation
- TryLockBackup() killing the rollback path before any threads spawn
- The MSFT_MpComputerStatus WMI class as the likely target for the withheld console spoofing
- How UnDefend + BlueHammer compose without any coordination between the tools
The sync provider name change from SERIOUSLYMSFT (RedSun) to IHATEMICROSOFT (BlueHammer) is the one public trace across all three drops that nobody else noted.
https://nefariousplan.com/posts/undefend/
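A defender-side check that follows from the two points above, added here as an example and not code from the post, from UnDefend or from the linked write-up. It assumes the engine binary lives under the two standard Platform / Program Files paths, that a handle held without FILE_SHARE_READ makes a later read-open fail with ERROR_SHARING_VIOLATION (Win32 error 32), and that MSFT_MpComputerStatus is served from the root\Microsoft\Windows\Defender namespace; those are my assumptions, not claims from the post.

```powershell
# Added example (not from the post or from UnDefend). Two cross-checks:
#  1. can the Defender engine binary still be opened for read with a
#     permissive share mode?  A handle held elsewhere that omits
#     FILE_SHARE_READ makes this fail with a sharing violation, which is
#     the blocking condition the post attributes to UpdateBlockerThread.
#  2. does what MSFT_MpComputerStatus reports agree with the SCM and the
#     process list?  The post names that class as the likely spoofing
#     target, so a mismatch is the thing worth alerting on.

# Assumed locations of the engine binary (Platform dir is versioned).
$candidates = @(
    (Join-Path $env:ProgramData  'Microsoft\Windows Defender\Platform\*\MsMpEng.exe'),
    (Join-Path $env:ProgramFiles 'Windows Defender\MsMpEng.exe')
)
$binaries = Get-ChildItem -Path $candidates -ErrorAction SilentlyContinue

foreach ($bin in $binaries) {
    try {
        # Read access only; we grant every share mode ourselves so the
        # only way this can fail on sharing is a pre-existing handle that
        # refused to share read.
        $fs = [System.IO.File]::Open(
            $bin.FullName,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read,
            ([System.IO.FileShare]::ReadWrite -bor [System.IO.FileShare]::Delete))
        $fs.Dispose()
        Write-Output "OK       read-open succeeded: $($bin.FullName)"
    } catch [System.IO.IOException] {
        # Low 16 bits of the HRESULT carry the Win32 error; 32 = sharing violation.
        if (($_.Exception.HResult -band 0xFFFF) -eq 32) {
            Write-Output "SUSPECT  sharing violation on read-open: $($bin.FullName)"
            # Which process holds the handle is not visible from here;
            # follow up with EDR handle telemetry or Sysinternals handle.exe.
        } else {
            Write-Output "ERROR    $($bin.FullName): $($_.Exception.Message)"
        }
    } catch {
        Write-Output "ERROR    $($bin.FullName): $($_.Exception.Message)"
    }
}

# Status the WMI class reports (Get-MpComputerStatus wraps this same class).
$status  = Get-CimInstance -Namespace 'root\Microsoft\Windows\Defender' `
                           -ClassName MSFT_MpComputerStatus -ErrorAction SilentlyContinue
# Ground truth from the service control manager and the process list.
$service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$engine  = Get-Process -Name MsMpEng   -ErrorAction SilentlyContinue

$wmiSaysProtected = [bool]($status -and $status.AMServiceEnabled -and $status.RealTimeProtectionEnabled)
$hostSaysRunning  = [bool]($service -and $service.Status -eq 'Running' -and $engine)

if ($wmiSaysProtected -ne $hostSaysRunning) {
    Write-Output "SUSPECT  WMI reports protected=$wmiSaysProtected but service/process running=$hostSaysRunning"
} else {
    Write-Output "OK       WMI status agrees with service/process state (protected=$wmiSaysProtected)"
}
```

Run it elevated from a scheduled task or an EDR live-response session; a sharing violation on the engine binary, or a WMI "protected" answer with no running WinDefend service behind it, are the two signals to page on. The script is read-only and changes nothing on the host.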