Sigma Rules
4 rules found for "RedSun"
RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe). RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain. The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage, making the combination of this path prefix and the TieringEngineService.exe filename a highly specific indicator of RedSun activity.
RedSun - Named Pipe Created
Detects the creation of a named pipe with the hardcoded name "REDSUN". The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain. RedSun creates the pipe as \\??\pipe\REDSUN. The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM. Presence of this pipe name indicates active or recent RedSun execution.
RedSun - Conhost.exe Spawned by TieringEngineService.exe
Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session. Observed process chain services.exe → TieringEngineService.exe → conhost.exe (SYSTEM, CommandLine: bare path, no arguments) → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session) Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe: After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId(). This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then calls CreateProcessAsUser to spawn conhost.exe with no arguments. Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage): The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session. On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly. The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.
RedSun - TieringEngineService.exe Detected as EICAR Test File
Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool. RedSun works as follows: 1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\ 2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt 3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file 4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open 5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \\?\C:\Windows\System32 to the attacker-controlled temp path 6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges