Emerging Threat | critical | experimental

RedSun - TieringEngineService.exe Detected as EICAR Test File

Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool. RedSun works as follows:

1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
4. When Defender attempts to scan/quarantine the file, the oplock triggers, holding the file open
5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \\?\C:\Windows\System32 to the attacker-controlled temp path
6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges

Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Fri Apr 17, 2026
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: windows
Service: windefend
Detection Logic (3 selectors)
detection:
    # EventID 1119: Microsoft Defender Antivirus has encountered an error trying to take action on malware or unwanted software
    # Path field from event: file:_C:\Users\<user>\AppData\Local\Temp\<n>\RS-{GUID}\TieringEngineService.exe
    # Threat name 'Virus:DOS/EICAR_Test_File' is expected - RedSun uses EICAR content to reliably trigger a Defender scan/remediation
    selection_eid:
        EventID: 1119
        SourceName: 'Real-Time Protection'
    selection_susp_path:
        Path|endswith: '\TieringEngineService.exe'
        ThreatName|endswith: 'EICAR_Test_File'
    selection_susp_process:
        ProcessName|endswith: '\RedSun.exe'
    condition: selection_eid and 1 of selection_susp_*
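To make the three selectors and the condition concrete, the following Python is an added illustration (not part of the rule or of the page) that transcribes the detection logic and runs it over constructed Defender event records. It assumes Sigma's default case-insensitive string matching for the endswith modifiers, and adds one piece of triage context the rule itself does not match on: whether the Path sits in the RS-{GUID} temp directory named in the description.

```python
import re

# Sigma string modifiers are case-insensitive by default, so both sides
# are lowercased before comparison (assumption stated in the lead-in).
def _endswith(value, suffix):
    return value is not None and value.lower().endswith(suffix.lower())

# The three selectors, transcribed from the rule's YAML.
def selection_eid(ev):
    return ev.get("EventID") == 1119 and ev.get("SourceName") == "Real-Time Protection"

def selection_susp_path(ev):
    return (_endswith(ev.get("Path"), "\\TieringEngineService.exe")
            and _endswith(ev.get("ThreatName"), "EICAR_Test_File"))

def selection_susp_process(ev):
    return _endswith(ev.get("ProcessName"), "\\RedSun.exe")

def rule_matches(ev):
    """condition: selection_eid and 1 of selection_susp_*"""
    return selection_eid(ev) and (selection_susp_path(ev) or selection_susp_process(ev))

# Triage context only, NOT part of the Sigma rule: the RS-{GUID} staging
# directory from the description. Tolerates the "file:_" prefix Defender
# puts in front of the Path value.
RS_DIR = re.compile(
    r"\\RS-\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?\\", re.I)

def in_rs_guid_dir(path):
    return bool(path and RS_DIR.search(path))

def evaluate(events):
    """Return one verdict per event: rule match plus the extra context flag."""
    return [{"match": rule_matches(ev), "rs_guid_dir": in_rs_guid_dir(ev.get("Path"))}
            for ev in events]

# Constructed sample events (not real telemetry); GUIDs and user names are made up.
SAMPLE_EVENTS = [
    {   # RedSun staging: 1119, EICAR threat name, placeholder under RS-{GUID}
        "EventID": 1119, "SourceName": "Real-Time Protection",
        "Path": r"file:_C:\Users\alice\AppData\Local\Temp\2\RS-{8f3a1c2d-4b5e-4f60-9a7b-1c2d3e4f5a6b}\TieringEngineService.exe",
        "ThreatName": "Virus:DOS/EICAR_Test_File",
        "ProcessName": r"C:\Users\alice\Downloads\RedSun.exe",
    },
    {   # Routine EICAR drop in Downloads: 1119 fires, but neither susp selector does
        "EventID": 1119, "SourceName": "Real-Time Protection",
        "Path": r"file:_C:\Users\alice\Downloads\eicar.com",
        "ThreatName": "Virus:DOS/EICAR_Test_File",
        "ProcessName": r"C:\Windows\explorer.exe",
    },
    {   # Successful remediation (EventID 1117) of the same file: selection_eid fails
        "EventID": 1117, "SourceName": "Real-Time Protection",
        "Path": r"file:_C:\Users\alice\AppData\Local\Temp\2\RS-{8f3a1c2d-4b5e-4f60-9a7b-1c2d3e4f5a6b}\TieringEngineService.exe",
        "ThreatName": "Virus:DOS/EICAR_Test_File",
        "ProcessName": r"C:\Users\alice\Downloads\RedSun.exe",
    },
    {   # Lower-cased fields and no ProcessName: still matches via selection_susp_path
        "EventID": 1119, "SourceName": "Real-Time Protection",
        "Path": r"file:_c:\users\bob\appdata\local\temp\rs-{0c1d2e3f-aaaa-bbbb-cccc-ddddeeeeffff}\tieringengineservice.exe",
        "ThreatName": "virus:dos/eicar_test_file",
    },
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(ev["EventID"], verdict)
```

The second and third samples show the two ways a benign EICAR event fails the rule: a test file outside the staging pattern trips only selection_eid, and a 1117 success event never reaches the condition at all. The rs_guid_dir flag is there to help an analyst confirm the staging directory during triage; it deliberately stays out of the rule so the rule's own logic is unchanged.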
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Test: 1 match (evtx)

Microsoft-Windows-Sysmon

Rule Metadata
Rule ID
a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c
Status
experimental
Level
critical
Type
Emerging Threat
Created
Fri Apr 17
Path
rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml
Raw Tags
attack.defense-evasion, attack.t1036.005, attack.t1562.001, attack.privilege-escalation, attack.t1055, detection.emerging-threats