MSRC // VULN-195458
submitted to microsoft
MSRC portal: VULN-195458 — "Tamper Protection Bypass via Hardware Debug Registers — AMSI and ETW Defeated Without Memory Modification" — Status: Submitted
MSRC SUBMITTED
The research documented in this journal led to a formal vulnerability submission
to Microsoft Security Response Center. Case VULN-195458. The techniques built
from scratch during this engagement were reported through responsible disclosure.
PRELIMINARY // ASSESSMENT CONTEXT
what is offsec
OFFSEC = Offensive Security. The red team side of cybersecurity — attacking systems
with permission to find weaknesses before real attackers do. This journal documents
a full kill chain: reconnaissance, exploitation, privilege escalation, persistence,
and lateral movement on a deliberately configured test machine.
setup — why i did it this way
I had access to a colleague's work laptop (target_laptop1) with explicit
permission. Rather than testing with an admin account — which would make everything
trivially easy — I logged in as a standard user account
to add real-world control.
The point: simulate how an attacker actually lands. A phishing link, a dodgy USB,
a social engineering play — initial access almost always lands you as a standard user.
If my tools only work from admin, they're not realistic.
I also deliberately set a PIN on the machine beforehand to test whether findings
are reachable through a screen-locked session.
TARGET PROFILE
the target
| property | value |
|---|---|
| Hostname | TARGET_LAPTOP1 |
| OS | Windows 11 Home, Build 26200 (24H2) |
| User | standard.user |
| Domain | WORKGROUP (no Active Directory) |
| IP | 192.168.1.145 |
| Hardware | GIGABYTE G7 GD, Intel i7-11800H, 16GB RAM |
PART 1 // RECONNAISSANCE
recon — commands run in order
1.1 — uac configuration check
I wanted to understand UAC config before doing anything else. UAC pops those
"Do you want to allow this app to make changes?" dialogs. If misconfigured,
privilege escalation gets easier.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
ConsentPromptBehaviorAdmin REG_DWORD 0x5
EnableLUA REG_DWORD 0x1
ConsentPromptBehaviorAdmin 0x5 = UAC prompts for consent on secure desktop (default).
EnableLUA 0x1 = UAC enabled. Admin accounts run as standard until explicitly elevated.
Deduction: UAC is default. Not a bypass target. GaySun doesn't need to touch
UAC — it bypasses it entirely by abusing Defender's SYSTEM-level file access.
1.2 — defender / edr status check
Get-MpComputerStatus | Select-Object IsTamperProtected, AMRunningMode, RealTimeProtectionEnabled, BehaviorMonitorEnabled
IsTamperProtected : False
AMRunningMode : Normal
RealTimeProtectionEnabled: True
BehaviorMonitorEnabled : True
Tamper Protection is the lock on Defender itself. When ON, you can't stop
Defender's services even as admin — it blocks SCM calls. When OFF (as here), those calls
go through once I have SYSTEM.
CRITICAL
Tamper Protection = False. The single most important finding in the recon.
Once I have SYSTEM access, I can stop Defender services programmatically. My evasion
binary can blind Defender. Everything after that runs clean.
1.3 — process snapshot attempt
tasklist /v /fo csv > %TEMP%\proc_snapshot.csv
Error: Could not find a part of the path 'C:\%TEMP%\proc_snapshot.csv'
tasklist /v /fo csv > "$env:TEMP\proc_snapshot.csv"
Process snapshot captured.
1.4 — identity and privilege check
whoami /all
User: target_laptop1\standard.user
Groups: BUILTIN\Users (standard user — NOT Administrators)
Integrity Level: Medium Mandatory Level
Privileges: SeChangeNotifyPrivilege (only basic user privilege)
I am a nobody on this machine. BUILTIN\Users = standard user.
No admin. Medium integrity = can't write to system directories.
No SeDebugPrivilege. No SeImpersonatePrivilege.
Almost everything in my kill chain requires admin or SYSTEM.
GaySun.exe (the TOCTOU escalation) is the ONLY viable path from here.
Everything unlocks after that.
1.5 — system information
| finding | value | implication |
|---|---|---|
| OS Build | 26200 (24H2) | Latest Windows 11 — hardened defaults |
| VBS Status | Running | Hypervisor active |
| HVCI | Running | Kernel code integrity enforced |
| App Control (kernel) | Enforced | Unsigned kernel drivers blocked |
| App Control (user) | OFF | Unsigned user-mode .exe CAN run |
| Secure Boot | Enabled | Bootloader tamper blocked |
| DMA Protection | Enabled | PCIe DMA attacks blocked |
| Domain | WORKGROUP | No Active Directory |
VBS + HVCI = the big finding I didn't expect. The CPU's hypervisor
creates a protected zone that the Windows kernel itself can't touch. Every kernel
driver must be Microsoft-signed. Any attack that loads an unsigned kernel driver,
patches kernel memory, or uses Mimikatz-style kernel credential theft is dead.
What it DOESN'T kill: Everything my chain does is user-mode.
CreateRemoteThread, DLL injection, service installation via SCM —
all Win32 API calls. The hypervisor doesn't watch user-space. And user-mode App
Control is OFF, so my unsigned binaries can execute.
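As an added defender-side example (not code from this journal): a PowerShell audit that turns the same Get-MpComputerStatus / Get-MpPreference output used in 1.2, plus the Device Guard status behind the 1.5 table, into a list of findings, so the gaps this recon relied on (Tamper Protection off, user-mode App Control off, exclusions over user-writable paths) are caught in a hardening review rather than by an attacker. It assumes the Defender PowerShell module on Windows 10/11, an elevated prompt, and a 7-day signature-age threshold that is my choice, not a Microsoft value.

```powershell
function Get-DefenderPostureFindings {
    [CmdletBinding()]
    param(
        # Assumption: 7 days is an arbitrary threshold; tune for your environment.
        [int]$MaxSignatureAgeDays = 7
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $out    = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Severity, $Check, $Detail, $Fix)
        $out.Add([pscustomobject]@{ Severity = $Severity; Check = $Check; Detail = $Detail; Fix = $Fix })
    }

    # The finding the journal calls "the single most important": without Tamper Protection,
    # anything running as SYSTEM can stop WinDefend/WdNisSvc and add exclusions via SCM/registry.
    if (-not $status.IsTamperProtected) {
        & $add 'CRITICAL' 'Tamper Protection' 'IsTamperProtected = False' 'Turn on Tamper Protection (Windows Security > Virus & threat protection settings, or MDE/Intune)'
    }
    if (-not $status.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
        & $add 'HIGH' 'Real-time protection' 'Real-time scanning is off' 'Set-MpPreference -DisableRealtimeMonitoring $false'
    }
    if (-not $status.BehaviorMonitorEnabled) {
        & $add 'HIGH' 'Behavior monitoring' 'Behavioral engine off; injection and service-stop sequences go unobserved' 'Set-MpPreference -DisableBehaviorMonitoring $false'
    }
    if ($status.AMRunningMode -ne 'Normal') {
        & $add 'MEDIUM' 'Running mode' "AMRunningMode = $($status.AMRunningMode)" 'Check whether another AV has pushed Defender into passive mode'
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        & $add 'MEDIUM' 'Signature age' "Signatures are $($status.AntivirusSignatureAge) days old" 'Update-MpSignature; investigate update errors such as 80070643'
    }
    if ($pref.MAPSReporting -eq 0) {
        & $add 'MEDIUM' 'Cloud protection' 'MAPS reporting off; cloud-delivered detections for new hashes/families unavailable' 'Set-MpPreference -MAPSReporting Advanced'
    }
    # Exclusions covering user-writable locations are exactly what an evasion stage would add.
    $risky = @($pref.ExclusionPath) | Where-Object { $_ -match '\\Users\\|\\Temp\\|\\ProgramData\\|\\Public\\' }
    foreach ($ex in $risky) {
        & $add 'HIGH' 'Exclusion' "Path exclusion covers a user-writable location: $ex" "Remove-MpPreference -ExclusionPath '$ex'"
    }
    # Device Guard reports user-mode code integrity: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    if ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -ne 2) {
        & $add 'MEDIUM' 'User-mode App Control' 'No enforced user-mode code integrity policy: unsigned .exe/.dll can run' 'Deploy a WDAC/App Control policy (audit mode first, then enforce)'
    }
    return $out
}

Get-DefenderPostureFindings | Sort-Object Severity | Format-Table -AutoSize -Wrap
```

On the target profiled above, the expected output is a CRITICAL row for Tamper Protection and a MEDIUM row for user-mode App Control, with the rest passing.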
1.6 — network state
netstat -ano | Select-String "LISTEN"
| port | pid | service | significance |
|---|---|---|---|
| 445 | 4 | SMB | NetExec lateral movement target |
| 5939 | 19632 | TeamViewer | SYSTEM-level remote access already present |
| 17500 | 18584 | Dropbox | Data exfil + passive C2 dead-drop |
| 6463 | 5868 | Discord | User-space injection target |
| 135 | 1548 | RPC | SCM accessible post-SYSTEM |
| 7680 | 18168 | Windows Update | Benign |
TeamViewer: Already installed, running as a service (likely SYSTEM).
Post-SYSTEM, I could extract the TeamViewer ID and set a permanent unattended
password via registry — a more stable persistent backdoor than my custom VNC.
It's signed and trusted. Much less suspicious than vncserver.exe.
Dropbox: Syncs to cloud. Post-SYSTEM, any file I write to the Dropbox sync
folder gets automatically exfiltrated. I could use a text file as a dead-drop C2
channel — implant polls the file for commands, writes results back. All traffic
looks like normal Dropbox HTTPS to a CDN.
Theory: bind shell vs reverse shell architecture — two fundamental C2 patterns
1.7 — teamviewer registry check
reg query "HKLM\SOFTWARE\TeamViewer" /s
Version: 15.78.4
Always_Online: 0x0
Security_ActivateDirectIn: 0x0
Always_Online = 0 means no permanent unattended password set.
Post-SYSTEM, I can write SecurityPasswordAES to the registry
to set a permanent password, converting TeamViewer into a persistent backdoor.
PART 2 // SOURCE CODE ANALYSIS
the escalation tool — gaysun.exe
This is the linchpin of the whole chain. Everything depends on it working.
GaySun.exe source: VSS shadow copy oplock sync, EICAR string stored reversed for static analysis bypass
How it works: Windows Defender runs as SYSTEM — it can write files
anywhere, including C:\Windows\System32. I, as a standard user, cannot.
The trick: make Defender write MY file into System32 for me.
- Write an EICAR test string to a temp file called
TieringEngineService.exe
- Defender sees it and tries to quarantine/delete it
- Request a batch oplock on the file — Windows notifies me the instant Defender opens it
- In that notification window (the TOCTOU gap): rename my temp directory and point it at
C:\Windows\System32 using an NTFS junction
- Defender, following its original file path, now resolves to
System32\TieringEngineService.exe
- Defender writes there — effectively writing MY payload into System32 as SYSTEM
- Trigger
TieringEngineService via COM — it runs as SYSTEM
- When it detects SYSTEM context, it opens a named pipe, grabs my session ID, and spawns
conhost.exe in my session — interactive SYSTEM console
Why HVCI doesn't stop this: Every step is user-mode Win32 API.
No kernel drivers. No kernel memory. This is a logic flaw in Defender's file
handling, exploited entirely from user space.
complete kill chain — all 8 binaries
stage 0 — delivery: spoolsv.exe (shadow_shell.c)
Reverse TCP shell. Connects back to attacker on port 8080. Spawns hidden
cmd.exe with stdin/stdout/stderr piped through the socket.
Live: CSEC GUI Listener receiving reverse shell — shell3.exe on port 8888, connection from 192.168.1.201
stage 1 — privilege escalation: gaysun.exe
Defender TOCTOU via CF_API + oplock + NTFS junction.
Requires standard user access + Defender RealTimeProtection=True (the trigger).
Fresh binary compiled this session. Test pending.
stage 2 — defense evasion: svchost_update.exe (shadow_evasion.c)
From SYSTEM: stops WinDefend, WdNisSvc, Sense,
WdBoot. Adds filesystem exclusions. Corrupts signature update metadata.
Prerequisite: Tamper Protection must be OFF — confirmed.
Post-evasion: Windows Security reads "Virus & threat protection: Engine unavailable" — Defender is blind
Defender definitions update blocked — error 80070643, stale signatures from months ago
stage 3 — persistence: securityhealthhost.exe (ghost_svc.c)
Installs as Windows service named SecurityHealthHost ("Windows Security
Health Host"). Auto-starts on boot, runs as SYSTEM. Launches reverse shell +
VNC callback. Service name spoofs a legitimate Windows component.
stage 4 — process injection: injector.exe + payload.dll
Classic DLL injection via CreateRemoteThread + LoadLibraryA.
Injects into explorer.exe — shell and VNC now appear to originate
from a trusted process. Harder to flag than a process spawned from temp.
RunPayload() source on GitHub: proof file creation, reverse shell launch from explorer.exe, VNC callback
stage 5 — credential access: tokenvault.exe (shadow_token.c)
Token theft + SAM hive dump. Enumerates processes, finds winlogon.exe (SYSTEM),
duplicates the token, dumps SAM registry hive (contains NTLM password hashes).
HVCI blocks kernel-mode credential theft but user-mode token duplication via
OpenProcessToken should still work from SYSTEM context.
stage 6 — lateral movement: netexec.exe (shadow_lateral.c)
PsExec from scratch. SMB authentication + remote service creation.
Connects to target's IPC$ share, copies payload, creates and starts a remote
service as SYSTEM. Scope on this network: WORKGROUP only, limited to 192.168.1.0/24.
stage 7 — c2 (vnc): vncserver.exe
Reverse VNC callback. Full graphical desktop of the target machine.
Alternative: TeamViewer (already installed, runs as SYSTEM, harder to flag).
PART 3 // KILL CHAIN VIABILITY
viability on this target
| stage | binary | status | notes |
|---|---|---|---|
| Delivery | spoolsv.exe | NEEDS IP | C2 IP hardcoded as 192.168.1.92 |
| Escalation | GaySun.exe | TEST PENDING | Fresh compile. 24H2 patch status unknown. |
| Evasion | svchost_update.exe | VIABLE | TP=False confirmed. Runs from SYSTEM. |
| Persistence | SecurityHealthHost.exe | VIABLE | Post-SYSTEM + Defender blind |
| Injection | Injector.exe | VIABLE | HVCI doesn't block user-mode injection |
| Credentials | TokenVault.exe | DEGRADED | HVCI blocks kernel path. User-mode token theft should work. |
| Lateral | NetExec.exe | LIMITED | WORKGROUP. Need credentials. 192.168.1.0/24 only. |
| VNC | vncserver.exe | VIABLE | Or use TeamViewer (already on target) |
The single gate: If GaySun.exe's TOCTOU works on Build 26200,
the chain flows. If it fails, everything stalls at standard user and we need
an alternative escalation path.
prep checklist
- Confirm attacker machine IP on 192.168.1.0/24
- Update hardcoded IP in shadow_shell.c → recompile spoolsv.exe
- GaySun.exe fresh compile — IN PROGRESS
- Create staging directory:
mkdir C:\Windows\Temp\c2\
- Copy all binaries to staging
- Start C2 listener:
nc -lvp 8080
- Run GaySun.exe — observe result
- If "The red sun shall prevail." → SYSTEM → proceed
- If "Something went wrong." → TOCTOU blocked → run alt escalation recon
alternate escalation (if gaysun fails)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
wmic service get name,pathname,startmode | findstr /i /v "C:\\Windows"
icacls "C:\Program Files" /T 2>nul | findstr /i "Everyone\|Users\|BUILTIN"
CHAPTER 7 // COMPILATION
compiling gaysun.exe — what went wrong and why
The plan: take RedSun.cpp, mutate the hash, compile a clean binary Defender
won't recognise by signature. I renamed the copy GaySun.cpp and started trying
to build it. I did not use a pre-compiled binary. The whole point
was a unique hash — Defender's cloud database has flagged known hashes.
Compilation fix session — iterating through build errors in Developer Command Prompt
AI-assisted debugging: asking targeted questions about MSVC linker errors and Windows API calling conventions — "what does LNK2019 mean for this import?" "why does cl.exe need /link ws2_32.lib here?"
the mutation
```cpp
int SysHealthCheck(int a, int b) {
    volatile int x = a * 0x1EA7A55 + b * 0x80085;
    for (int i = 0; i < 14; i++) { x ^= (i << 5); }
    return x ^ 0x4242;
}
```
I also had trouble with the constants initially. I tried 0xRAINMAN and
0xSUNSHINEGIRL. Oracle had to explain that hex only uses digits 0-9
and letters A-F. The "0x" prefix just means "this is hex." I re-encoded my
callsign as 0x1EA7A55 and used 0x80085 for the second.
attempt 1 — missing libraries
cl.exe GaySun.cpp /Fe:GaySun.exe /O1 /GS- /std:c++17
LNK2019: unresolved external symbol __imp_IsWellKnownSid
LNK2019: unresolved external symbol __imp_SetTokenInformation
LNK2019: unresolved external symbol __imp_DuplicateTokenEx
LNK2019: unresolved external symbol __imp_OpenProcessToken
LNK2019: unresolved external symbol __imp_wsprintfW
LNK2019: unresolved external symbol __imp_CreateNamedPipeW
The compiler found function declarations (.h header) but not the
implementations (.lib import library). Security functions live in
advapi32.lib, UI functions in user32.lib. Neither
was in the compile command.
attempt 2 — STATUS code conflicts
error C2065: 'STATUS_SUCCESS': undeclared identifier
error C2065: 'STATUS_MORE_ENTRIES': undeclared identifier
error C2065: 'STATUS_NO_SUCH_DEVICE': undeclared identifier
attempt 3 — wide string vs ansi mismatch
error C2664: 'BOOL CopyFileA(LPCSTR,LPCSTR,BOOL)': cannot convert argument 1 from 'wchar_t[260]' to 'LPCSTR'
successful compile
cl.exe GaySun.cpp /Fe:GaySun.exe /O1 /GS- /std:c++17 /DUNICODE /D_UNICODE ole32.lib advapi32.lib user32.lib
Microsoft (R) C/C++ Optimizing Compiler Version 19.xx
GaySun.cpp
GaySun.cpp(742): warning C4838: narrowing conversion from 'LONG' to 'DWORD'
GaySun.exe — Build succeeded. 1 Warning(s). 0 Error(s).
| flag | purpose |
|---|---|
| /O1 | Optimise for size (smaller = lower entropy = less suspicious) |
| /GS- | Disable stack canaries (might trip behavioral detection) |
| /DUNICODE /D_UNICODE | Force wide string APIs (fixes CopyFileA errors) |
| ole32.lib | COM: CoCreateInstance, CoInitialize |
| advapi32.lib | Security: token functions, SID functions |
| user32.lib | UI: wsprintfW (string formatting) |
| error | cause | fix | lesson |
|---|---|---|---|
| LNK2019 | Missing library files | Add advapi32.lib user32.lib | Header declares function. .lib provides code. Both required. |
| STATUS_* undeclared | Windows.h/ntstatus.h collision | WIN32_NO_STATUS guard | Include order matters. Two headers defining same names need conflict resolution. |
| CopyFileA mismatch | UNICODE not defined | /DUNICODE /D_UNICODE | Windows has two string ABIs. wchar_t code needs W macros. |
CHAPTER 8 // LIVE TEST
gaysun.exe live test — detected
GaySun.exe was deployed on target_laptop1. Defender flagged it.
Defender catches GaySun.exe: Exploit:Win32/DfndrPERedSun.BC — quarantined at drop, signature detection
| detection point | meaning | fix |
|---|---|---|
| Quarantined at file drop | Signature match despite hash mutation | Need different binary entirely |
| Blocked during run | CF_API TOCTOU patched on Build 26200 | Need different escalation technique |
DETECTED
Detection name: Exploit:Win32/DfndrPERedSun.BC. The .BC
variant tag means Microsoft has a dedicated rule for this entire exploit family —
not just one hash.
CHAPTER 9 // PIVOT
alternate escalation vectors
Three Semester 2 POCs in the existing codebase provide alternate escalation paths.
None depend on the CF_API TOCTOU pattern that GaySun uses.
option a — greenplasma
Uses CfAbortOperation() instead of GaySun's oplock + VSS approach.
Same CF_API abuse class but a different code path through Windows. If Microsoft's
patch targeted the specific oplock/VSS flow, GreenPlasma may still land.
option b — miniplasma
C# (.NET) implementation. Uses AbortHydration flag + anonymous token
impersonation. Completely different binary format — Defender behavioral signatures
are tuned separately for managed vs native code.
option c — hkclipsvc unquoted service path
Recon sweep found HKClipSvc — a third-party ControlCenter service
with path C:\Program Files (x86)\ControlCenter\Driver\x64\HKClipSvc.exe.
If stored without quotes in the registry AND any parent directory is writable →
Windows will find and execute a binary named Program.exe or
ControlCenter.exe in a writable path. No compile needed.
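As an added defender-side example (not the journal's code): a PowerShell audit that finds every service whose ImagePath contains spaces but is unquoted, computes each prefix the service loader would probe before the real executable (for the HKClipSvc path above that is C:\Program.exe, then "C:\Program Files.exe", then the real file), checks whether a low-privilege principal can write to that prefix's directory, and with -Fix applies the remediation by quoting the path in the registry. It assumes an elevated prompt and that the listed principals are the ones you consider low-privilege.

```powershell
function Get-UnquotedServicePathRisks {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)

    # Assumption: these principals count as low-privilege; extend for your environment.
    $lowPriv   = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl'

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $p = $svc.PathName
        # Quoted paths, empty paths and paths without a space are not affected.
        if ([string]::IsNullOrEmpty($p) -or $p.StartsWith('"')) { continue }
        $m = [regex]::Match($p, '^(?<exe>.+?\.exe)(?<args>.*)$', 'IgnoreCase')
        if (-not $m.Success -or $m.Groups['exe'].Value -notmatch ' ') { continue }
        $exe = $m.Groups['exe'].Value

        # Every space yields a prefix the loader tries before the real path:
        # "C:\Program Files (x86)\X\svc.exe" -> C:\Program.exe, "C:\Program Files.exe", ...
        $spaces = 0..($exe.Length - 1) | Where-Object { $exe[$_] -eq ' ' }
        foreach ($i in $spaces) {
            $candidate = $exe.Substring(0, $i) + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            $acl = Get-Acl -LiteralPath $dir
            $writers = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $writeMask) -ne 0 -and
                $lowPriv -contains $_.IdentityReference.Value
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
            if ($writers) {
                [pscustomobject]@{
                    Service    = $svc.Name
                    RunsAs     = $svc.StartName
                    StartMode  = $svc.StartMode
                    ImagePath  = $p
                    Hijackable = $candidate
                    WritableBy = ($writers -join ', ')
                }
            }
        }

        # Remediation: quote the executable portion, keep any arguments as they were.
        if ($Fix -and $PSCmdlet.ShouldProcess($svc.Name, 'quote ImagePath')) {
            $quoted = '"' + $exe + '"' + $m.Groups['args'].Value
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" -Name ImagePath -Value $quoted
        }
    }
}

# Report only; add -Fix (try -Fix -WhatIf first) to quote every affected ImagePath.
Get-UnquotedServicePathRisks | Format-Table -AutoSize
```

A service that runs as LocalSystem with an auto start mode and a writable prefix directory is the row to fix first; on a default install, C:\ and C:\Program Files (x86) are not writable by Users, so a hit there usually means an installer loosened the ACL.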
CHAPTER 10 // ANNOTATION & BUG FIXES
source code annotation and bug fixes
All 8 source files annotated line-by-line in plain English. Four bugs found
that would silently break the kill chain at deployment time. All fixed.
bug 1 — %USERNAME% not expanded
Before:
```c
AddDefenderExclusion(L"C:\\Users\\%USERNAME%\\Desktop");
```
After:
```c
WCHAR desktopPath[MAX_PATH];
ExpandEnvironmentStringsW(L"%USERPROFILE%\\Desktop", desktopPath, MAX_PATH);
AddDefenderExclusion(desktopPath);
```
Environment variables aren't expanded when written to registry string values.
The exclusion was adding the literal string C:\Users\%USERNAME%\Desktop
which doesn't exist as a real path.
bug 2 — no reconnect loop
Before:
```c
SOCKET channel = EstablishChannel();
if (channel == INVALID_SOCKET) return 1;
SpawnRemoteSession(channel);
closesocket(channel);
```
After:
```c
while (1) {
    SOCKET channel = EstablishChannel();
    if (channel != INVALID_SOCKET) {
        SpawnRemoteSession(channel);
        closesocket(channel);
    }
    Sleep(15000);
}
```
One dropped session = permanent loss of access until reboot. For a tool meant
to persist, this is critical.
bug 3 — staging directory assumed to exist
```c
CreateDirectoryW(L"C:\\Windows\\Temp\\c2", NULL);
```
bug 4 — relative dll path fails in explorer.exe context
Running Injector.exe payload.dll passes a relative path to
LoadLibraryA inside explorer.exe. LoadLibraryA
searches explorer.exe's working directory (not the caller's).
Fix: always supply absolute path:
Injector.exe C:\Windows\Temp\c2\payload.dll
annotated files created
| file | key concepts covered |
|---|---|
| GaySun_annotated.cpp | TOCTOU, CF_API, oplock, NTFS junction, named pipe IPC |
| shadow_shell_annotated.c | Winsock init, STARTF_USESTDHANDLES, WinMain vs main |
| shadow_evasion_annotated.c | SCM service stop, registry write, Tamper Protection |
| ghost_svc_annotated.c | Service lifecycle, SvcMain, SvcCtrlHandler, DoPayload |
| injector_annotated.c | CreateToolhelp32Snapshot, VirtualAllocEx, CreateRemoteThread |
| payload_dll_annotated.c | DllMain, DLL_PROCESS_ATTACH, Loader Lock |
| shadow_token_annotated.c | SeDebugPrivilege, token duplication, SAM dump |
| shadow_lateral_annotated.c | WNetAddConnection2A, remote SCM, PsExec pattern |
CHAPTER 11 // EVASION ENGINEERING
string signature evasion
GaySun.exe was flagged as Exploit:Win32/DfndrPERedSun.BC at file drop.
The detection name breaks down: DfndrPE = Defender PE analysis,
RedSun = the exact exploit family, .BC = variant tag.
defender detection layers (learned through testing)
| layer | what it checks | how to beat it |
|---|---|---|
| 1. Hash IOC | SHA256 of binary | Recompile (any code change) |
| 2. String signatures | Known strings in .rdata section | Rename/encrypt strings |
| 3. PE structure | Import table, section layout, code patterns | Different compiler flags, different imports |
| 4. Behavioral | API call sequences at runtime | Different technique entirely |
Recompiling beats layer 1. We attacked layer 2. Layers 3-4 still caught us.
XOR obfuscation: TieringEngineService.exe encoded to bypass .rdata pattern matching
XOR evasion explained: how each character is encoded with key 0x5A, 3 call sites + 1 helper function
what we changed (5 signature strings)
| original | replacement | method |
|---|---|---|
| \\??\\pipe\\REDSUN | \\??\\pipe\\GAYSUN | Find-replace |
| "The sun is shinning..." | "It's a Sunny Day... Not for you.." | Find-replace |
| SERIOUSLYMSFT | REINFORCEMENTS | Find-replace |
| "The red sun shall prevail." | "Unwise of you to think you could defeat the Sith." | Find-replace |
| TieringEngineService.exe | XOR-decoded at runtime (key 0x5A) | decode_tgt() helper |
xor encoding
XOR encoding: each character XOR'd with key (0x5A), stored as result.
At runtime, XOR again with same key to recover original.
A ^ KEY ^ KEY = A
T (0x54) ^ 0x5A = 0x0E (stored in binary — gibberish to scanner)
0x0E ^ 0x5A = 0x54 = T (decoded at runtime)
PE Layer 3 evasion: removing user32.lib dependency, verifying zero cldapi.dll entries in import table
findstr /i "TieringEngineService REDSUN shinning SERIOUSLYMSFT prevail" GaySun.exe
Zero matches. All signature strings absent from binary.
Test result: STILL DETECTED.
Detection survived the string mutations.
STILL DETECTED
Conclusion: Defender's DfndrPERedSun rule isn't just matching
strings — it's profiling PE structure. The import table (CldApi.dll + ntdll.dll +
ole32.lib together = "CF_API TOCTOU exploit") and code patterns are fingerprinted
independently of string content.
Lesson: String mutation beats layer 2 but doesn't touch layers 3-4.
To beat all layers, you need fundamentally different code — different imports,
different structure, or a different technique entirely.
CHAPTER 12 // ROGUEPLANET
rogueplanet — signatured in 4 days
RoguePlanet: the latest exploit from Nightmare Eclipse (RedSun, GreenPlasma,
BlueHammer, UnDefend, YellowKey, MiniPlasma). Released June 9 2026, hours
after Microsoft's June Patch Tuesday.
| property | rogueplanet | redsun/gaysun |
|---|---|---|
| Trigger | Virtual disk (ISO/VHDX) mount | CF_API Cloud Files placeholder |
| Libraries | virtdisk.lib, taskschd.lib, bcrypt.lib | CldApi.lib |
| Bypasses May patch? | Yes | No |
| Source size | 5.7MB (embedded binary data) | 27KB |
Defender catches RoguePlanet.exe: Exploit:Win32/DfndrRugPlnt.BB — signatured 4 days after public release
DETECTED
Compiled and immediately quarantined. 4 days from public release to full
signature coverage. This is the critical insight.
the lesson
| exploit | detection | time to signature |
|---|---|---|
| RedSun | DfndrPERedSun.BC | Days |
| RoguePlanet | DfndrRugPlnt.BB | ~4 days |
| GreenPlasma | Patched (CVE-2026-45586) | Patched June PT |
| MiniPlasma | CVE-2020-17103 | Known |
| BlueHammer | CVE-2026-33825 | Patched April 2026 |
Using someone else's published exploit code is a fundamentally losing strategy.
Microsoft's response time is faster than our deployment cycle. The only path forward:
write our own.
CHAPTER 13 // ORIGINAL RESEARCH
pivot — writing a custom toctou exploit
why custom code wins
- No existing signatures. Defender's detection database has zero rules for code that doesn't exist yet.
- Different PE fingerprint. Our import table, code structure, and function names won't match any
DfndrPE* pattern.
- Educational value. Understanding the technique deeply enough to write it from scratch demonstrates mastery, not just script execution.
Building from first principles: REPARSE_DATA_BUFFER struct definition, bb1_junction.c building block
the core primitive
Every exploit in this engagement — RedSun, GreenPlasma, RoguePlanet, BlueHammer —
abuses the same fundamental pattern:
1. TRIGGER
Defender runs as SYSTEM and performs file operations.
Make Defender touch a file we control (e.g. EICAR test string).
2. SYNCHRONIZE
Know exactly WHEN Defender opens our file.
(Oplocks, callbacks, timing)
3. REDIRECT
Swap the filesystem path (NTFS junction) so Defender's
SYSTEM-level write follows our redirect into a protected location.
4. PAYLOAD
The file Defender writes (or the binary it triggers) is our code,
now running as SYSTEM.
Live TOCTOU: junction swap phases, VSS watcher, quarantine pipeline interception — color-coded terminal
Confirmed: "TOCTOU in Defender quarantine pipeline for Cloud Files placeholders. Standard user can force MsMpEng.exe (SYSTEM) to follow an NTFS junction"
IN PROGRESS
Custom exploit architecture and implementation — design phase active.
No published signatures exist for novel code.
APPENDIX // RESEARCH METHODOLOGY
how the research was conducted
AI-augmented offensive security research
This research is AI-augmented. LLMs (Claude Opus, locally-hosted models via Discord) are used
throughout the research cycle — explaining Windows internals, mapping attack surfaces, parsing
error output, and accelerating the feedback loop between hypothesis and test. The same way this
research uses IDA Pro, WinDbg, Process Monitor, and Wireshark — it uses AI. They're all tools.
The methodology: identify a security boundary, query the AI for implementation-level detail
("how does AmsiScanBuffer validate its parameters?", "what's the full DLL search order when
SafeDllSearchMode is enabled?", "which ETW providers feed Defender's behavioral engine?"),
then verify every claim against Microsoft documentation, debugger output, and live testing.
AI output that can't be reproduced on a real machine gets discarded. What survives becomes
part of the exploit chain.
MSRC evaluates whether a vulnerability is real and reproducible — not whether the researcher
used AI, a disassembler, or a whiteboard to find it. Bug bounty platforms don't disqualify
AI-assisted findings. The vulnerability exists or it doesn't. The exploit works or it doesn't.
How you found it is methodology, not merit.
The one rule: no code ships that I can't explain line by line. AI accelerates understanding.
It doesn't replace it.
Parallel attack surface research — three AI agents mapping AMSI bypass mechanics, ETW provider architecture, and DLL search order internals simultaneously. All findings verified against live Defender behaviour.
current status
| stage | status | notes |
|---|---|---|
| Reconnaissance | COMPLETE | Full recon documented |
| GaySun compilation | COMPLETE | 4 attempts, all errors resolved |
| Source annotation | COMPLETE | All 8 sources annotated |
| Bug fixes | COMPLETE | 4 bugs patched in live sources |
| GaySun live test | DETECTED | Exploit:Win32/DfndrPERedSun.BC |
| String mutation | COMPLETE | 5 sig strings removed |
| Mutated GaySun test | STILL DETECTED | PE structure sigs survive string changes |
| RoguePlanet test | DETECTED | Signatured in 4 days |
| Custom exploit | ACTIVE | Writing from scratch — no published sigs exist |
Every published exploit has a shelf life measured in days.
Microsoft's detection pipeline is faster than deployment.
The only durable edge: write your own.
Novel code has no signatures. Novel techniques have no rules.
If it doesn't exist in their database, it doesn't get caught.
Defeats acknowledged. Architecture mapped. Pivots earned.
The wall held where it was supposed to.
The gaps are where it wasn't looking.
George Wu. 22DIV. VADER. All testing on personally-owned hardware with explicit
authorization. Responsible disclosure via MSRC. The defeats mapped the architecture.
The architecture informed the pivots.
for cheyanne. always.