
Attackers increasingly turning to trusted security tools to compromise Aussie victims

Tools like Windows Defender have an important role to play in securing our machines and networks – but attackers are turning the tables.

Tue, 05 May 2026

Malware written with the express purpose of compromising networks has long been a staple of hackers across the globe, but, in the Australian context, those same attackers are now relying on trusted tools to gain and maintain access.

“Think of it like this, the security guard is still standing at the front door, alert and capable, but someone has stolen the guard’s radio, copied the access card and is now using that trust to move through the building unnoticed,” Dan Broad, Head of Managed Security Operations at Fujitsu, said in the company’s recent April Threat Intelligence Report.

“That is the significance of recent research showing how attackers can abuse trusted security controls such as Microsoft Defender configurations, built-in Windows tools and administrative privileges to weaken detection and accelerate attacks.”


According to Broad, this matters locally because many organisations in both Australia and New Zealand rely on tools like Windows Defender. Additionally, organisations that have invested in more modern security platforms need to make sure those systems cannot be weaponised against them.

Dawn of the RedSun

One publicly reported proof of concept – first published in April 2026 – is called RedSun. This is a privilege escalation technique that requires an attacker to already have an initial foothold; once that is gained, the attacker can abuse Windows Defender’s trusted remediation workflow to gain SYSTEM-level privileges.

Because this relies upon a legitimate security process, detection is difficult. Similar tradecraft has been seen in previous intrusions – attackers gain low-level access, stage their tools in commonly used folders, rename binaries, and then move on to escalation.

“The lesson here is not that Defender is unsafe, as it remains a strong security control, but that any trusted tool can be abused if attackers gain access first,” Broad said.

“This reinforces the need for MFA, least privilege, Defender tamper protection, monitoring of exclusions or policy changes, detection of unusual SYSTEM activity, and blocking execution from user-writable directories.”

What to do

Organisations in the ANZ region should take several steps to protect themselves:

  • Review security tool governance to ascertain who can change security policies, exclusions and protections.
  • Reduce privileged access, separate admin accounts, and strengthen MFA.
  • Monitor trusted tool changes by setting up alerts for new exclusions, disabled protections, service stoppages, suspicious PowerShell activity, and policy tampering.
  • Enable tamper protection, centralised logging, and strong endpoint controls.
  • Test under real-world conditions, including purple team exercises and incident simulations, to confirm that controls can actually detect misuse.
  • Ensure you can rapidly rebuild endpoints, identities, and core services if trusted controls are compromised.

Broad believes the question to ask now is not whether you have the right tools, but whether the organisation can detect their misuse by malicious actors.
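To show what the "monitor trusted tool changes" step above looks like in practice, here is an added example (written for this article, not code from Fujitsu or the cited report) that triages Defender configuration-change records: it flags newly added exclusions, rating those in user-writable folders highest, and flags protection settings being switched off. The event records, their "Old value:/New value:" message layout, and the registry paths used are constructed sample data and assumptions, not a captured log.

```python
import re

# Constructed sample records modelled on Microsoft Defender Antivirus
# "configuration changed" events (Event ID 5007). The "Old value:/New value:"
# message layout is an assumption for this example, not a copied log.
SAMPLE_EVENTS = [
    {"id": 5007, "user": "NT AUTHORITY\\SYSTEM",
     "message": "Old value: \r\nNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Exclusions\\Paths\\C:\\Users\\Public\\Downloads = 0x0"},
    {"id": 5007, "user": "CORP\\svc-backup",
     "message": "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection"
                "\\DisableRealtimeMonitoring = 0x0\r\nNew value: HKLM\\SOFTWARE\\Microsoft"
                "\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1"},
    {"id": 5007, "user": "CORP\\admin.jane",
     "message": "Old value: \r\nNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Exclusions\\Paths\\D:\\SQLData = 0x0"},
    {"id": 1116, "user": "NT AUTHORITY\\SYSTEM", "message": "Threat detected"},
]

NEW_VALUE = re.compile(r"New value:\s*(?P<key>.+?)\s*=\s*(?P<val>0x[0-9a-fA-F]+)")
EXCLUSION = re.compile(r"\\Exclusions\\(Paths|Extensions|Processes)\\(?P<target>.+)$")
# Locations an ordinary user can write to; an exclusion here lets staged
# tooling run unscanned, which is the pattern the article warns about.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\", re.I)

def triage_event(event):
    """Return a finding dict for a suspicious Defender config change, else None."""
    if event["id"] != 5007:
        return None
    m = NEW_VALUE.search(event["message"])
    if not m:
        return None
    key, val = m.group("key"), int(m.group("val"), 16)
    ex = EXCLUSION.search(key)
    if ex:  # a new exclusion: severity depends on where it points
        target = ex.group("target")
        sev = "high" if USER_WRITABLE.match(target) else "medium"
        return {"type": "new_exclusion", "target": target,
                "severity": sev, "user": event["user"]}
    leaf = key.rsplit("\\", 1)[-1]
    if leaf.startswith("Disable") and val == 1:  # a protection switched off
        return {"type": "protection_disabled", "target": leaf,
                "severity": "high", "user": event["user"]}
    return None

def triage(events):
    """Run triage_event over a batch and keep only the findings."""
    return [f for f in (triage_event(e) for e in events) if f]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['type']}: {f['target']} by {f['user']}")
```

In a real deployment the records would come from the Microsoft-Windows-Windows Defender/Operational log via the SIEM, and each finding should be correlated with the change-management record that authorised it; an unapproved exclusion in a user-writable folder is the signal worth paging on.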

“For organisations across Australia and New Zealand, that shift matters now. Those that adapt early will be better placed to withstand ransomware, insider misuse, identity compromise and the next generation of low-noise attacks,” Broad said.

“The security guard is still valuable. But today, you also need cameras watching the guard room.”


David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
