Merge PR #5941 from @swachchhanda000 - Add RedSun Execution Indicators

new: RedSun - Named Pipe Created new: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir new: RedSun - Conhost.exe Spawned by TieringEngineService.exe new: RedSun - TieringEngineService.exe Detected as EICAR Test File --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2026-04-28 07:07:30 +05:45
parent fd33ea32e7
commit fcb2aead3a
13 changed files with 408 additions and 0 deletions
@@ -0,0 +1,51 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-17T05:24:53.092051Z"
+        }
+      },
+      "EventRecordID": 83239,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "EXE",
+      "UtcTime": "2026-04-17 05:24:53.079",
+      "ProcessGuid": "0197231E-C424-69E1-C922-000000000800",
+      "ProcessId": 15596,
+      "Image": "C:\\Users\\xodih\\Downloads\\RedSun.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\RS-{05A3207F-23AB-432D-BDAF-69A8306619CF}\\TieringEngineService.exe",
+      "CreationUtcTime": "2026-04-17 05:24:53.079",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,13 @@
+id: a86306af-137b-427f-9e39-680199937bd0
+description: N/A
+date: 2026-04-17
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
+      title: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.evtx
@@ -0,0 +1,51 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 17,
+      "Version": 1,
+      "Level": 4,
+      "Task": 17,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-17T05:24:53.088849Z"
+        }
+      },
+      "EventRecordID": 83237,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "CreatePipe",
+      "UtcTime": "2026-04-17 05:24:53.079",
+      "ProcessGuid": "0197231E-C424-69E1-C922-000000000800",
+      "ProcessId": 15596,
+      "PipeName": "\\REDSUN",
+      "Image": "C:\\Users\\xodih\\Downloads\\RedSun.exe",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,13 @@
+id: 8e35c907-231e-46e5-bf0f-9e724ce93279
+description: N/A
+date: 2026-04-17
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b
+      title: RedSun - Named Pipe Created
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.evtx
@@ -0,0 +1,89 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Windows Defender",
+          "Guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"
+        }
+      },
+      "EventID": 1119,
+      "Version": 0,
+      "Level": 2,
+      "Task": 0,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-17T04:14:33.653414Z"
+        }
+      },
+      "EventRecordID": 542,
+      "Correlation": {
+        "#attributes": {
+          "ActivityID": "6B3DFF46-F4E6-4CDA-983B-76B101728AA5"
+        }
+      },
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 7380,
+          "ThreadID": 12856
+        }
+      },
+      "Channel": "Microsoft-Windows-Windows Defender/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "Product Name": "Microsoft Defender Antivirus",
+      "Product Version": "4.18.26030.3011",
+      "Detection ID": "{79C5C2FF-764A-4F0D-940E-A6914A52C0F9}",
+      "Detection Time": "2026-04-17T04:14:08.003Z",
+      "Unused": "",
+      "Unused2": "",
+      "Threat ID": "17463",
+      "Threat Name": "Tool:Win32/EICAR_Test_File",
+      "Severity ID": "5",
+      "Severity Name": "Severe",
+      "Category ID": "34",
+      "Category Name": "Tool",
+      "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Tool:Win32/EICAR_Test_File&threatid=17463&enterprise=0",
+      "Status Code": "103",
+      "Status Description": "",
+      "State": "5",
+      "Source ID": "3",
+      "Source Name": "Real-Time Protection",
+      "Process Name": "C:\\Users\\xodih\\Downloads\\RedSun.exe",
+      "Detection User": "swachchhanda\\xodih",
+      "Unused3": "",
+      "Path": "file:_C:\\Users\\xodih\\AppData\\Local\\Temp\\RS-{C6E9CA10-8D55-41A1-AD3D-F14D118B68C7}\\TieringEngineService.exe",
+      "Origin ID": "1",
+      "Origin Name": "Local machine",
+      "Execution ID": "1",
+      "Execution Name": "Suspended",
+      "Type ID": "0",
+      "Type Name": "Concrete",
+      "Pre Execution Status": "3",
+      "Action ID": "2",
+      "Action Name": "Quarantine",
+      "Unused4": "",
+      "Error Code": "0x80070020",
+      "Error Description": "The process cannot access the file because it is being used by another process.",
+      "Unused5": "",
+      "Post Clean Status": "3",
+      "Additional Actions ID": "0",
+      "Additional Actions String": "No additional actions required",
+      "Remediation User": "NT AUTHORITY\\SYSTEM",
+      "Unused6": "",
+      "Security intelligence Version": "AV: 1.449.142.0, AS: 1.449.142.0, NIS: 1.449.142.0",
+      "Engine Version": "AM: 1.1.26030.3008, NIS: 1.1.26030.3008"
+    }
+  }
+}
@@ -0,0 +1,13 @@
+id: da6fdf7c-8cea-4daf-be02-38c22f8cf494
+description: N/A
+date: 2026-04-17
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c
+      title: RedSun - TieringEngineService.exe Detected as EICAR Test File
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.evtx
@@ -0,0 +1,34 @@
+title: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
+id: f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
+status: experimental
+description: |
+    Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic
+    of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
+    RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.
+
+    The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage,
+    making the combination of this path prefix and the TieringEngineService.exe filename a highly
+    specific indicator of RedSun activity.
+references:
+    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
+    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
+date: 2026-04-17
+tags:
+    - attack.defense-evasion
+    - attack.t1036.005
+    - detection.emerging-threats
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|contains|all:
+            - '\Temp'
+            - '\RS-{'
+        TargetFilename|endswith: '\TieringEngineService.exe'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical
+regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml
@@ -0,0 +1,31 @@
+title: RedSun - Named Pipe Created
+id: 9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b
+status: experimental
+description: |
+    Detects the creation of a named pipe with the hardcoded name "REDSUN".
+    The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain.
+    RedSun creates the pipe as \\??\pipe\REDSUN.
+    The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM.
+    Presence of this pipe name indicates active or recent RedSun execution.
+references:
+    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
+    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
+date: 2026-04-17
+tags:
+    - attack.privilege-escalation
+    - attack.t1055
+    - attack.t1562.001
+    - attack.defense-evasion
+    - detection.emerging-threats
+logsource:
+    category: pipe_created
+    product: windows
+detection:
+    selection:
+        PipeName: '\REDSUN'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical
+regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml
@@ -0,0 +1,63 @@
+title: RedSun - Conhost.exe Spawned by TieringEngineService.exe
+id: 2ad78473-6978-40f5-b8f1-89c7e1c27a1a
+status: experimental
+description: |
+    Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session.
+    Observed process chain
+      services.exe
+        → TieringEngineService.exe
+          → conhost.exe             (SYSTEM, CommandLine: bare path, no arguments)
+            → cmd.exe / shell       (SYSTEM, TerminalSessionId = attacker's session)
+
+    Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe:
+      After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance
+      / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId().
+      This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then
+      calls CreateProcessAsUser to spawn conhost.exe with no arguments.
+
+    Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage):
+      The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session.
+      On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly.
+      The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.
+references:
+    - https://github.com/Nightmare-Eclipse/RedSun
+author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
+date: 2026-04-17
+tags:
+    - attack.privilege-escalation
+    - attack.t1134.002
+    - attack.defense-evasion
+    - attack.t1036.005
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
+detection:
+    # Stage 1: TieringEngineService.exe (malicious) spawns conhost.exe with no arguments
+    selection_tiering_to_conhost:
+        ParentImage|endswith: '\TieringEngineService.exe'
+        Image|endswith: '\conhost.exe'
+        CommandLine|endswith: 'conhost.exe"'
+        User|contains:
+            - 'AUTHORI'
+            - 'AUTORI'
+            - '$'
+    # Stage 2: full three-level chain for EDR sources that expose GrandParentImage
+    # GrandParent=TieringEngineService.exe, Parent=conhost.exe, Image=shell process
+    selection_shell_full_chain:
+        GrandParentImage|endswith: '\TieringEngineService.exe'
+        ParentImage|endswith: '\conhost.exe'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell_ise.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        User|contains:
+            - 'AUTHORI'
+            - 'AUTORI'
+            - '$'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,50 @@
+title: RedSun - TieringEngineService.exe Detected as EICAR Test File
+id: a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c
+status: experimental
+description: |
+    Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe
+    dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present.
+    This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based
+    AV bypass/privilege escalation tool.
+
+    RedSun works as follows:
+      1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
+      2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger
+         a Defender scan and remediation attempt
+      3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
+      4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
+      5. During the oplock break window, RedSun swaps the mount point (junction) to redirect
+         \\?\C:\Windows\System32 to the attacker-controlled temp path
+      6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
+references:
+    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L605
+    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-17
+tags:
+    - attack.defense-evasion
+    - attack.t1036.005
+    - attack.t1562.001
+    - attack.privilege-escalation
+    - attack.t1055
+    - detection.emerging-threats
+logsource:
+    product: windows
+    service: windefend
+detection:
+    # EventID 1119: Microsoft Defender Antivirus has encountered an error trying to take action on malware or unwanted software
+    # Path field from event: file:_C:\Users\<user>\AppData\Local\Temp\<n>\RS-{GUID}\TieringEngineService.exe
+    # Threat name 'Virus:DOS/EICAR_Test_File' is expected - RedSun uses EICAR content to reliably trigger a Defender scan/remediation
+    selection_eid:
+        EventID: 1119
+        SourceName: 'Real-Time Protection'
+    selection_susp_path:
+        Path|endswith: '\TieringEngineService.exe'
+        ThreatName|endswith: 'EICAR_Test_File'
+    selection_susp_process:
+        ProcessName|endswith: '\RedSun.exe'
+    condition: selection_eid and 1 of selection_susp_*
+falsepositives:
+    - Unlikely
+level: critical
+regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml