RedSun - TieringEngineService.exe Detected as EICAR Test File

Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool.

RedSun works as follows:

  1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
  2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
  3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
  4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
  5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \\?\C:\Windows\System32 to the attacker-controlled temp path
  6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges

Sigma rule

title: RedSun - TieringEngineService.exe Detected as EICAR Test File
id: a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c
status: experimental
description: |
    Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe
    dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present.
    This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based
    AV bypass/privilege escalation tool.

    RedSun works as follows:
      1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
      2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger
         a Defender scan and remediation attempt
      3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
      4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
      5. During the oplock break window, RedSun swaps the mount point (junction) to redirect
         \\?\C:\Windows\System32 to the attacker-controlled temp path
      6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
references:
    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L605
    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-17
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1036.005
    - attack.t1685
    - attack.privilege-escalation
    - attack.t1055
    - detection.emerging-threats
logsource:
    product: windows
    service: windefend
detection:
    # EventID 1119: Microsoft Defender Antivirus has encountered an error trying to take action on malware or unwanted software
    # Path field from event: file:_C:\Users\<user>\AppData\Local\Temp\<n>\RS-{GUID}\TieringEngineService.exe
    # Threat name 'Virus:DOS/EICAR_Test_File' is expected - RedSun uses EICAR content to reliably trigger a Defender scan/remediation
    selection_eid:
        EventID: 1119
        SourceName: 'Real-Time Protection'
    selection_susp_path:
        Path|endswith: '\TieringEngineService.exe'
        ThreatName|endswith: 'EICAR_Test_File'
    selection_susp_process:
        ProcessName|endswith: '\RedSun.exe'
    condition: selection_eid and 1 of selection_susp_*
falsepositives:
    - Unlikely
level: critical
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml
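The following is an added example, not part of the rule, the Nextron regression data or the RedSun project: it evaluates the rule's condition (`selection_eid and 1 of selection_susp_*`) in Python over constructed Defender 1119/1117 events, and goes one step beyond the rule by extracting the RS-{GUID} staging directory from the description for triage. The flattened field names, sample paths, process names and the GUID are assumptions made for the example.

```python
import re

# Constructed sample events from the Windows Defender operational log, flattened to the field
# names the Sigma rule uses (EventID, SourceName, ThreatName, Path, ProcessName). Not real telemetry.
SAMPLE_EVENTS = [
    {   # RedSun staging: EICAR-flagged placeholder in an RS-{GUID} temp dir, remediation failed (1119)
        "EventID": 1119, "SourceName": "Real-Time Protection", "ThreatName": "Virus:DOS/EICAR_Test_File",
        "Path": r"file:_C:\Users\alice\AppData\Local\Temp\2\RS-{6B29FC40-CA47-1067-B31D-00DD010662DA}\TieringEngineService.exe",
        "ProcessName": r"C:\Windows\System32\svchost.exe",
    },
    {   # RedSun.exe itself is the accessing process; file name and threat name (constructed) do not matter here
        "EventID": 1119, "SourceName": "Real-Time Protection", "ThreatName": "Trojan:Win32/Example.A",
        "Path": r"file:_C:\Users\alice\Downloads\payload.dll",
        "ProcessName": r"C:\Users\alice\Downloads\RedSun.exe",
    },
    {   # Benign: an EICAR test drop Defender failed to clean, but no RedSun indicator at all
        "EventID": 1119, "SourceName": "Real-Time Protection", "ThreatName": "Virus:DOS/EICAR_Test_File",
        "Path": r"file:_C:\Users\alice\Desktop\eicar.com",
        "ProcessName": r"C:\Windows\explorer.exe",
    },
    {   # Same RedSun path, but remediation succeeded (EventID 1117): the rule requires 1119
        "EventID": 1117, "SourceName": "Real-Time Protection", "ThreatName": "Virus:DOS/EICAR_Test_File",
        "Path": r"file:_C:\Users\alice\AppData\Local\Temp\2\RS-{6B29FC40-CA47-1067-B31D-00DD010662DA}\TieringEngineService.exe",
        "ProcessName": r"C:\Windows\System32\svchost.exe",
    },
]

# Characteristic RS-{GUID} staging directory from the description; the rule itself only checks the file name.
# Defender prefixes the Path field with 'file:_', which is stripped so the returned path is usable for collection.
RS_DIR_RE = re.compile(
    r"^(?:file:_)?(?P<dir>.*\\RS-\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})\\TieringEngineService\.exe$", re.I)

def matches_rule(event):
    """Evaluate 'selection_eid and 1 of selection_susp_*'. Sigma string matching is case-insensitive."""
    path = event.get("Path", "").lower()
    threat = event.get("ThreatName", "").lower()
    proc = event.get("ProcessName", "").lower()
    selection_eid = event.get("EventID") == 1119 and event.get("SourceName", "").lower() == "real-time protection"
    selection_susp_path = path.endswith("\\tieringengineservice.exe") and threat.endswith("eicar_test_file")
    selection_susp_process = proc.endswith("\\redsun.exe")
    return selection_eid and (selection_susp_path or selection_susp_process)

def staging_dir(event):
    """Triage enrichment: the RS-{GUID} directory to collect and inspect, or None if the path does not fit."""
    m = RS_DIR_RE.match(event.get("Path", ""))
    return m.group("dir") if m else None

def triage(events):
    """Return (index, staging_dir) for every event the rule fires on."""
    return [(i, staging_dir(e)) for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    for i, d in triage(SAMPLE_EVENTS):
        print(f"event {i}: rule matched, RS staging directory: {d}")
```

The second sample fires on `selection_susp_process` alone, which is why `ProcessName` in a 1119 event deserves a look even when the flagged file is not TieringEngineService.exe.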
