
ACD421/RedSun


RedSun + The Mimic

Standard User -> SYSTEM -> EDR-Blind Persistent Access

Zero admin required. Defender is the exploit.

This fork integrates Nightmare-Eclipse's RedSun EoP with The Mimic's Windows EDR neutralization suite. RedSun gets SYSTEM using Defender's own remediation as a write primitive. The Mimic makes that access permanent and invisible.


The Kill Chain

Standard User Account
        |
        | [Stage 1: RedSun]
        | Write EICAR -> trigger Defender scan
        | Defender creates Volume Shadow Copy
        | Batch oplock stalls remediation
        | NTFS junction redirects remediation write to System32
        | Defender writes attacker's exe to System32
        | COM activation launches it as SYSTEM
        |
        v
NT AUTHORITY\SYSTEM
        |
        | [Stage 2: Mimic Post-Exploit]
        | Resolve indirect syscalls (JMP to ntdll gadgets)
        | Blind ETW (EtwEventWrite -> xor rax,rax; ret)
        | Bypass AMSI (hardware breakpoint, no memory patch)
        | Load BYOVD driver (wsftprm.sys, not on blocklist)
        | Kill all EDR processes via kernel
        | Strip kernel callbacks via DKOM
        | Encrypt .text section with Ekko sleep
        | Module stomp into legitimate DLL
        |
        v
EDR-Blind Persistent Access

The Vulnerability (Nightmare-Eclipse)

Windows Defender's real-time protection has a remediation behavior where, upon detecting a malicious file with a cloud detection tag, it rewrites the detected file back to its original location. This is intended as a restoration mechanism.

The problem: if the original location has been replaced with an NTFS junction pointing to C:\Windows\System32, Defender follows the junction and writes the file into a privileged directory. Combined with a Cloud Files API placeholder and a Volume Shadow Copy oplock race, this gives a standard user arbitrary file write to System32.

The file written is TieringEngineService.exe -- a service binary for the Storage Tiers Management COM object. Activating this COM object launches the planted executable as SYSTEM.

No admin required. Defender is the write primitive.
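
A defender-side view of the Stage 1 write primitive described above, added here as an example (this is not code from the RedSun repository). It runs a simple rule over Sysmon-style FileCreate (Event ID 11) records: Defender's engine (MsMpEng.exe) creating a file under System32, or any process replacing the TieringEngineService.exe COM service binary, is flagged. The field names follow Sysmon; the events themselves are constructed, and the set of Defender image names is an assumption.

```python
"""Detection sketch for the junction-redirected Defender remediation write.
Added example; not part of RedSun. Sample telemetry below is constructed."""
from typing import Iterable, Optional

SYSTEM32 = "c:\\windows\\system32\\"
# Assumption: only servicing components legitimately write service binaries into
# System32. Defender's engine restoring a file there is the remediation-as-write
# behaviour the chain abuses.
DEFENDER_IMAGES = {"msmpeng.exe", "mpcmdrun.exe"}
PLANTED_BINARY = "tieringengineservice.exe"

def classify_file_create(event: dict) -> Optional[str]:
    """Return an alert label for one Sysmon EventID 11 record, or None."""
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if not target.startswith(SYSTEM32):
        return None
    if image in DEFENDER_IMAGES:
        # Defender writing under System32: remediation followed a junction.
        return "defender_write_to_system32"
    if target.endswith("\\" + PLANTED_BINARY):
        # Any other writer replacing the COM service binary is equally suspicious.
        return "service_binary_replaced"
    return None

def scan(events: Iterable[dict]) -> list:
    """Run the rule over a stream and collect (label, target) hits."""
    hits = []
    for ev in events:
        label = classify_file_create(ev)
        if label:
            hits.append((label, ev["TargetFilename"]))
    return hits

# Constructed sample telemetry (not captured logs).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
     "TargetFilename": r"C:\Windows\System32\TieringEngineService.exe"},
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"EventID": 11, "Image": r"C:\Users\alice\tool.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\eicar.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\TieringEngineService.exe"},
]

if __name__ == "__main__":
    for label, target in scan(SAMPLE_EVENTS):
        print(f"ALERT {label}: {target}")
```

The same two conditions can be expressed in any rule language fed by Sysmon or an EDR file-create source; the junction itself does not appear in Event ID 11, so the write by Defender's process is the observable.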

Bug Fixes Applied to Original PoC

The original PoC had acknowledged bugs. This fork fixes:

  1. MapViewOfFile incorrect flag -- PAGE_READONLY (0x02) replaced with FILE_MAP_READ (0x04)
  2. Event synchronization race -- Removed redundant ResetEvent after SetEvent on auto-reset event
  3. VSS scanner CPU spin -- Added Sleep(50) backoff in the Object Manager scan loop
  4. NtCreateFile retry spin -- Added Sleep(10) in the STATUS_NO_SUCH_DEVICE retry loop
  5. Memory leak -- tokenuser freed in IsRunningAsLocalSystem
  6. Dead code removal -- Unused htimer variable removed

Post-Exploitation: The Mimic EDR Suite

Once SYSTEM is achieved, mimic_post_exploit.cpp deploys eight phases of EDR neutralization from The Mimic framework:

| Phase | Technique | What It Defeats |
|-------|-----------|-----------------|
| 1 | Indirect Syscalls -- JMP to syscall;ret gadget inside ntdll | InstrumentationCallback, syscall monitoring, stack walking |
| 2 | ETW Blinding -- Patch EtwEventWrite to xor rax,rax; ret | .NET telemetry, PowerShell logging, Threat Intelligence ETW |
| 3 | Patchless AMSI -- Hardware breakpoint on AmsiScanBuffer (DR0) | AMSI scanning without triggering AMSI integrity checks |
| 4 | BYOVD Driver -- Load wsftprm.sys (signed, not on HVCI blocklist) | Driver Signing Enforcement (legitimate cert passes HVCI) |
| 5 | EDR Kill -- Kernel-level process termination via driver IOCTL | CrowdStrike, SentinelOne, Defender ATP, Carbon Black, Tanium, Trellix, Cylance, Elastic |
| 6 | DKOM Callbacks -- NULL out EDR entries in PspCreateProcessNotifyRoutine etc. | Kernel notification-based monitoring (drivers stay loaded, receive nothing) |
| 7 | Ekko Sleep -- RC4-encrypt .text via SystemFunction032 + timer queue | Memory scanning during idle (sees RW data, not executable code) |
| 8 | Module Stomping -- Overwrite .text of a legitimate loaded DLL | Memory region analysis (code appears "backed" by legit module) |

After Phase 8, the system is blind. No EDR telemetry. No kernel callbacks. No AMSI scanning. No ETW events. The implant is invisible in memory and encrypted when idle.
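
An integrity check for the Phase 2 ETW blinding patch, added as a defensive example (not code from RedSun or The Mimic). It compares the first bytes of an exported function as mapped in a process with the same bytes from the on-disk image and names the stub when it matches the `xor rax,rax; ret` patch the table describes. The byte strings are constructed; on a live host they would come from ReadProcessMemory and the file on disk, assuming the same ntdll build and no relocations inside the compared prologue.

```python
"""Prologue integrity check for in-memory patches of exported functions.
Added example; not part of RedSun or The Mimic. All bytes are constructed."""
from typing import Optional

# x64 encodings of the inert stubs a blinding patch leaves at the entry point.
KNOWN_STUBS = {
    b"\x48\x31\xc0\xc3": "xor rax,rax; ret",   # the patch named on this page
    b"\x31\xc0\xc3":     "xor eax,eax; ret",
    b"\xc3":             "ret",
}

def prologue_tamper(export: str, in_memory: bytes, on_disk: bytes) -> Optional[str]:
    """Return a finding if the mapped prologue differs from the on-disk bytes."""
    if in_memory == on_disk:
        return None
    for stub, asm in KNOWN_STUBS.items():
        if in_memory.startswith(stub):
            return f"{export}: entry replaced with '{asm}'"
    return (f"{export}: entry differs from on-disk image "
            f"({in_memory[:4].hex()} vs {on_disk[:4].hex()})")

def audit(exports: dict) -> list:
    """exports maps name -> (in_memory_bytes, on_disk_bytes); returns findings."""
    findings = []
    for name, (mem, disk) in exports.items():
        finding = prologue_tamper(name, mem, disk)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample: a generic x64 function prologue
# (mov [rsp+8],rbx; push rdi; sub rsp,0x20) standing in for the real one.
CLEAN = b"\x48\x89\x5c\x24\x08\x57\x48\x83\xec\x20"
PATCHED = b"\x48\x31\xc0\xc3" + CLEAN[4:]   # first 4 bytes overwritten in place

SAMPLE = {
    "EtwEventWrite": (PATCHED, CLEAN),   # blinded
    "NtClose":       (CLEAN, CLEAN),     # untouched
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("TAMPER", finding)
```

Note the limit this check shares with any byte comparison: the Phase 3 hardware-breakpoint AMSI bypass leaves AmsiScanBuffer's bytes intact, so catching it means inspecting thread debug registers (DR0-DR7), not code pages.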


Build

Requires Visual Studio Build Tools (cl.exe) or MinGW (g++).

build.bat

Produces:

  • redsun.exe -- Stage 1: EoP exploit (standard user -> SYSTEM)
  • mimic_deploy.exe -- Stage 2: EDR neutralization (requires SYSTEM)

Note: Stage 2 requires wsftprm.sys in the working directory or C:\Windows\Temp\ for BYOVD phases. Without the driver, Phases 4-6 fall back gracefully.


Files

| File | Lines | Purpose |
|------|-------|---------|
| RedSun.cpp | 777 | EoP exploit -- Defender remediation abuse (Nightmare-Eclipse, bug-fixed) |
| mimic_post_exploit.cpp | 380 | Post-SYSTEM EDR neutralization deployer |
| mimic_syscalls_v2.h | 600+ | Indirect syscall engine + ETW + AMSI + Ekko + stack spoof |
| mimic_rootkit_v2.cpp | 350+ | BYOVD + DKOM + module stomping + EDR kill |
| mimic.h | 400+ | Core header -- config, types, NT API typedefs |
| TECHNICAL_ANALYSIS.md | -- | Deep dive on the vulnerability and post-exploit chain |
| build.bat | -- | MSVC/MinGW build script |
| redsun.jpg | -- | Original artwork (Nightmare-Eclipse) |

Credits

  • RedSun vulnerability discovery and original PoC: Nightmare-Eclipse
  • Bug fixes and Mimic post-exploitation integration: ACD421
  • The Mimic framework: ACD421/The_Mimic -- full cross-platform implant framework (Windows + Android + iOS). Google VRP Status: "Working As Intended."

Educational Use Only

This software is released for educational and defensive research purposes. See LICENSE for terms. The techniques described here exist individually in documented offensive tooling and academic literature. Deployment against any system without explicit written authorization is prohibited.

If you are a defender: the TECHNICAL_ANALYSIS.md includes detection strategies for every phase of this kill chain.


2026 -- Independent Security Research
