Use of the personality syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
Modification of the /proc/sys/kernel/randomize_va_space file
Execution of the sysctl command to set kernel.randomize_va_space=0 Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.

Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy."
Event ID 453: Package blocked by a platform policy.
Event ID 454: Package blocked by a platform policy.

Potential SolidPDFCreator.DLL Sideloading

Apr 28, 2026 · attack.persistence attack.privilege-escalation attack.execution attack.stealth attack.t1574.001 ·

Share on:

Apr 28, 2026 · attack.defense-impairment ·

Share on:

Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use

PPL Tampering Via WerFaultSecure

Apr 28, 2026 · attack.defense-impairment attack.t1685 attack.credential-access attack.t1003.001 ·

Share on:

Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool:

WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.

RDP Sensitive Settings Changed

Apr 28, 2026 · attack.persistence attack.defense-impairment attack.t1112 ·

Share on:

Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

Below is a list of registry keys/values that are monitored by this rule:

Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
fAllowUnsolicited: Allows unsolicited remote assistance offers.
fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
SecurityLayer: Specifies the security layer used for RDP connections.

RDP Sensitive Settings Changed to Zero

Apr 28, 2026 · attack.persistence attack.defense-impairment attack.t1112 ·

Share on:

Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

RedMimicry Winnti Playbook Registry Manipulation

Apr 28, 2026 · attack.persistence attack.defense-impairment attack.t1112 ·

Share on:

Detects actions caused by the RedMimicry Winnti playbook

RedSun - Conhost.exe Spawned by TieringEngineService.exe

Apr 28, 2026 · attack.privilege-escalation attack.stealth attack.t1134.002 attack.t1036.005 detection.emerging-threats ·

Share on:

Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session. Observed process chain services.exe → TieringEngineService.exe → conhost.exe (SYSTEM, CommandLine: bare path, no arguments) → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session)

Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe: After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId(). This opens \.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then calls CreateProcessAsUser to spawn conhost.exe with no arguments.

Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage): The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session. On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly. The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.

RedSun - Named Pipe Created

Apr 28, 2026 · attack.privilege-escalation attack.stealth attack.defense-impairment attack.t1055 attack.t1685 detection.emerging-threats ·

Share on:

Detects the creation of a named pipe with the hardcoded name "REDSUN". The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain. RedSun creates the pipe as \??\pipe\REDSUN. The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM. Presence of this pipe name indicates active or recent RedSun execution.

RedSun - TieringEngineService.exe Detected as EICAR Test File

Apr 28, 2026 · attack.stealth attack.defense-impairment attack.t1036.005 attack.t1685 attack.privilege-escalation attack.t1055 detection.emerging-threats ·

Share on:

Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool.

RedSun works as follows:

Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
During the oplock break window, RedSun swaps the mount point (junction) to redirect \?\C:\Windows\System32 to the attacker-controlled temp path
This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges

RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir

Apr 28, 2026 · attack.stealth attack.t1036.005 detection.emerging-threats ·

Nov 26, 2025 · attack.credential-access attack.t1552.006 ·

Share on: