Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session. Observed process chain services.exe → TieringEngineService.exe → conhost.exe (SYSTEM, CommandLine: bare path, no arguments) → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session)

Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe: After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId(). This opens \.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then calls CreateProcessAsUser to spawn conhost.exe with no arguments.

Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage): The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session. On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly. The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.

Read More

Detects the creation of a named pipe with the hardcoded name "REDSUN". The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain. RedSun creates the pipe as \??\pipe\REDSUN. The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM. Presence of this pipe name indicates active or recent RedSun execution.

Read More

Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool.

RedSun works as follows:

1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \?\C:\Windows\System32 to the attacker-controlled temp path
6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges

Read More

Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe). RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.

The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage, making the combination of this path prefix and the TieringEngineService.exe filename a highly specific indicator of RedSun activity.

Read More