RedSun - Conhost.exe Spawned by TieringEngineService.exe

Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session. Observed process chain: services.exe → TieringEngineService.exe → conhost.exe (SYSTEM, CommandLine: bare path, no arguments) → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session).

Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe: After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId(). This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then calls CreateProcessAsUser to spawn conhost.exe with no arguments.

Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage): The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session. On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly. The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.

Sigma rule (View on GitHub)

title: RedSun - Conhost.exe Spawned by TieringEngineService.exe
id: 2ad78473-6978-40f5-b8f1-89c7e1c27a1a
status: experimental
description: |
    Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session.
    Observed process chain
      services.exe
        → TieringEngineService.exe
          → conhost.exe             (SYSTEM, CommandLine: bare path, no arguments)
            → cmd.exe / shell       (SYSTEM, TerminalSessionId = attacker's session)

    Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe:
      After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance
      / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId().
      This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then
      calls CreateProcessAsUser to spawn conhost.exe with no arguments.

    Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage):
      The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session.
      On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly.
      The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.
references:
    - https://github.com/Nightmare-Eclipse/RedSun
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.002
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
detection:
    # Stage 1: TieringEngineService.exe (malicious) spawns conhost.exe with no arguments
    selection_tiering_to_conhost:
        ParentImage|endswith: '\TieringEngineService.exe'
        Image|endswith: '\conhost.exe'
        CommandLine|endswith: 'conhost.exe"'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - '$'
    # Stage 2: full three-level chain for EDR sources that expose GrandParentImage
    # GrandParent=TieringEngineService.exe, Parent=conhost.exe, Image=shell process
    selection_shell_full_chain:
        GrandParentImage|endswith: '\TieringEngineService.exe'
        ParentImage|endswith: '\conhost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - '$'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
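The following Python is an added example, not part of the Sigma rule above or of the RedSun project. It applies both selections (Stage 1 and the Stage 2 three-level chain) with Sigma's case-insensitive `endswith` / `contains` semantics to constructed Sysmon Event ID 1 style records. Sysmon does not emit GrandParentImage, which the rule's logsource definition flags as a requirement; the example derives it by joining each record to its parent's record on ProcessGuid / ParentProcessGuid, an assumed enrichment step rather than anything the rule prescribes. Field names follow Sysmon's process-creation schema; the GUIDs, paths, session IDs and user names in the sample records are made up.

```python
"""Added example: evaluate the RedSun conhost.exe Sigma rule over constructed
Sysmon Event ID 1 records, deriving GrandParentImage from a parent join."""

SHELLS = ("\\cmd.exe", "\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe")
SYSTEM_MARKERS = ("AUTHORI", "AUTORI", "$")  # the rule's User|contains list


def _endswith(value, suffixes):
    # Sigma string modifiers match case-insensitively by default
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def is_system_like(user):
    """SYSTEM in English/localized form, or a machine account ending in '$'."""
    return _contains(user, SYSTEM_MARKERS)


def add_grandparent(events):
    """Copy events, filling GrandParentImage from the parent's own ParentImage
    (joined on ProcessGuid / ParentProcessGuid); None if the parent was not seen."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    out = []
    for e in events:
        parent = by_guid.get(e.get("ParentProcessGuid"))
        enriched = dict(e)
        enriched["GrandParentImage"] = parent["ParentImage"] if parent else None
        out.append(enriched)
    return out


def match_stage1(e):
    """selection_tiering_to_conhost: quoted bare conhost.exe path, SYSTEM-like user."""
    return (_endswith(e.get("ParentImage"), ["\\TieringEngineService.exe"])
            and _endswith(e.get("Image"), ["\\conhost.exe"])
            and _endswith(e.get("CommandLine"), ['conhost.exe"'])
            and is_system_like(e.get("User")))


def match_stage2(e):
    """selection_shell_full_chain: shell <- conhost.exe <- TieringEngineService.exe."""
    return (_endswith(e.get("GrandParentImage"), ["\\TieringEngineService.exe"])
            and _endswith(e.get("ParentImage"), ["\\conhost.exe"])
            and _endswith(e.get("Image"), SHELLS)
            and is_system_like(e.get("User")))


def evaluate(events):
    """condition: 1 of selection_*  ->  {ProcessGuid: [matched selection names]}"""
    selections = (("selection_tiering_to_conhost", match_stage1),
                  ("selection_shell_full_chain", match_stage2))
    hits = {}
    for e in add_grandparent(events):
        matched = [name for name, fn in selections if fn(e)]
        if matched:
            hits[e["ProcessGuid"]] = matched
    return hits


# Constructed sample records (not real telemetry); GUIDs and names are invented.
SAMPLE_EVENTS = [
    {"ProcessGuid": "g-svc", "ParentProcessGuid": "g-wininit",
     "Image": r"C:\Windows\System32\services.exe", "ParentImage": r"C:\Windows\System32\wininit.exe",
     "CommandLine": r"C:\Windows\system32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessGuid": "g-tier", "ParentProcessGuid": "g-svc",
     "Image": r"C:\Windows\System32\TieringEngineService.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\TieringEngineService.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # Stage 1: rogue conhost.exe, quoted path, no arguments, re-stamped into session 2
    {"ProcessGuid": "g-conhost", "ParentProcessGuid": "g-tier",
     "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": r"C:\Windows\System32\TieringEngineService.exe",
     "CommandLine": r'"C:\Windows\System32\conhost.exe"', "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": 2},
    # Stage 2: SYSTEM cmd.exe whose grandparent (via the join) is TieringEngineService.exe
    {"ProcessGuid": "g-cmd", "ParentProcessGuid": "g-conhost",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"', "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": 2},
    # Benign: a normal console-host launch has arguments and an interactive parent
    {"ProcessGuid": "g-benign", "ParentProcessGuid": "g-usercmd",
     "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "User": r"CORP\alice"},
]

if __name__ == "__main__":
    for guid, sels in evaluate(SAMPLE_EVENTS).items():
        print(guid, "->", ", ".join(sels))
```

Stage 1 fires on unenriched process-creation data; only Stage 2 needs the derived GrandParentImage, which matches the rule's `1 of selection_*` condition. The benign record shows why the `CommandLine|endswith 'conhost.exe"'` clause matters: a console host started the usual way carries arguments, so it never satisfies Stage 1 even if the parent were wrong.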
