Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse Rules Explore Ecosystem

Indexed Rules

3,731

Ready to search

Backends

Live from sigconverter.io

CLI Versions

Newest: 3.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir

sigma-cli version

Backend

Format

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir

Using Splunk · Default · sigma-cli 3.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion3.0.2

title: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
id: f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
status: experimental
description: |
    Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic
    of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
    RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.

    The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage,
    making the combination of this path prefix and the TieringEngineService.exe filename a highly
    specific indicator of RedSun activity.
references:
    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.defense-evasion
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\Temp'
            - '\RS-{'
        TargetFilename|endswith: '\TieringEngineService.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml