RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir

Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe). RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.

The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage, making the combination of this path prefix and the TieringEngineService.exe filename a highly specific indicator of RedSun activity.

Sigma rule

title: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
id: f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
status: experimental
description: |
    Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic
    of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
    RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.

    The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage,
    making the combination of this path prefix and the TieringEngineService.exe filename a highly
    specific indicator of RedSun activity.
references:
    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.stealth
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\Temp'
            - '\RS-{'
        TargetFilename|endswith: '\TieringEngineService.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml
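The selection block above, evaluated in Python over constructed file_event records (an added example, not part of the rule or of the RedSun project): it reproduces Sigma's case-insensitive contains|all and endswith semantics and shows which paths fire and which do not. The field name follows the rule; the sample paths and the GUID are made up.

```python
# Sigma's plain string modifiers (contains, endswith) match case-insensitively,
# so both the pattern and the field value are lower-cased before comparison.
CONTAINS_ALL = ["\\Temp", "\\RS-{"]            # TargetFilename|contains|all
ENDSWITH = "\\TieringEngineService.exe"        # TargetFilename|endswith


def matches_redsun_staging(event: dict) -> bool:
    """Return True when a file_event record satisfies the rule's selection."""
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False                           # field absent: selection cannot match
    path = target.lower()
    if not all(token.lower() in path for token in CONTAINS_ALL):
        return False
    return path.endswith(ENDSWITH.lower())


def alert_paths(events: list) -> list:
    """Paths of all events that would raise this (level: critical) alert."""
    return [e["TargetFilename"] for e in events if matches_redsun_staging(e)]


# Constructed sample records, not real telemetry. The GUID is a placeholder.
SAMPLE_EVENTS = [
    # dropped into the RS-{GUID} staging directory: fires
    {"EventID": 11,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\RS-{00000000-0000-0000-0000-000000000000}\\TieringEngineService.exe"},
    # same layout with different casing: still fires (case-insensitive match)
    {"EventID": 11,
     "TargetFilename": "c:\\users\\bob\\appdata\\local\\TEMP\\rs-{00000000-0000-0000-0000-000000000000}\\tieringengineservice.EXE"},
    # the genuine binary location: no '\Temp' or '\RS-{' component, does not fire
    {"EventID": 11,
     "TargetFilename": "C:\\Windows\\System32\\TieringEngineService.exe"},
    # RS- prefix without the opening brace: contains|all fails, does not fire
    {"EventID": 11,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\RS-build\\TieringEngineService.exe"},
    # right directory, different file: endswith fails, does not fire
    {"EventID": 11,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\RS-{00000000-0000-0000-0000-000000000000}\\placeholder.txt"},
]

if __name__ == "__main__":
    for hit in alert_paths(SAMPLE_EVENTS):
        print("ALERT RedSun staging:", hit)
```

The trailing backslash in the endswith value matters: a file such as xTieringEngineService.exe in the same directory would not match, which mirrors how the rule itself behaves.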
