diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.evtx b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.evtx
new file mode 100644
index 000000000..4431367fd
Binary files /dev/null and b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.evtx differ
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.json b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.json
new file mode 100644
index 000000000..deecfd984
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.json
@@ -0,0 +1,51 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 11,
+ "Version": 2,
+ "Level": 4,
+ "Task": 11,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-04-17T05:24:53.092051Z"
+ }
+ },
+ "EventRecordID": 83239,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "EXE",
+ "UtcTime": "2026-04-17 05:24:53.079",
+ "ProcessGuid": "0197231E-C424-69E1-C922-000000000800",
+ "ProcessId": 15596,
+ "Image": "C:\\Users\\xodih\\Downloads\\RedSun.exe",
+ "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\RS-{05A3207F-23AB-432D-BDAF-69A8306619CF}\\TieringEngineService.exe",
+ "CreationUtcTime": "2026-04-17 05:24:53.079",
+ "User": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml
new file mode 100644
index 000000000..424b70e2b
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml
@@ -0,0 +1,13 @@
+id: a86306af-137b-427f-9e39-680199937bd0
+description: N/A
+date: 2026-04-17
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
+ title: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.evtx
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.evtx b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.evtx
new file mode 100644
index 000000000..eeadeee7c
Binary files /dev/null and b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.evtx differ
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.json b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.json
new file mode 100644
index 000000000..cfe098325
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.json
@@ -0,0 +1,51 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 17,
+ "Version": 1,
+ "Level": 4,
+ "Task": 17,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-04-17T05:24:53.088849Z"
+ }
+ },
+ "EventRecordID": 83237,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "EventType": "CreatePipe",
+ "UtcTime": "2026-04-17 05:24:53.079",
+ "ProcessGuid": "0197231E-C424-69E1-C922-000000000800",
+ "ProcessId": 15596,
+ "PipeName": "\\REDSUN",
+ "Image": "C:\\Users\\xodih\\Downloads\\RedSun.exe",
+ "User": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml
new file mode 100644
index 000000000..7876884ec
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml
@@ -0,0 +1,13 @@
+id: 8e35c907-231e-46e5-bf0f-9e724ce93279
+description: N/A
+date: 2026-04-17
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b
+ title: RedSun - Named Pipe Created
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.evtx
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.evtx b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.evtx
new file mode 100644
index 000000000..aef8e4aa8
Binary files /dev/null and b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.evtx differ
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.json b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.json
new file mode 100644
index 000000000..e3eb79c73
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.json
@@ -0,0 +1,89 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Windows Defender",
+ "Guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"
+ }
+ },
+ "EventID": 1119,
+ "Version": 0,
+ "Level": 2,
+ "Task": 0,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-04-17T04:14:33.653414Z"
+ }
+ },
+ "EventRecordID": 542,
+ "Correlation": {
+ "#attributes": {
+ "ActivityID": "6B3DFF46-F4E6-4CDA-983B-76B101728AA5"
+ }
+ },
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 7380,
+ "ThreadID": 12856
+ }
+ },
+ "Channel": "Microsoft-Windows-Windows Defender/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "Product Name": "Microsoft Defender Antivirus",
+ "Product Version": "4.18.26030.3011",
+ "Detection ID": "{79C5C2FF-764A-4F0D-940E-A6914A52C0F9}",
+ "Detection Time": "2026-04-17T04:14:08.003Z",
+ "Unused": "",
+ "Unused2": "",
+ "Threat ID": "17463",
+ "Threat Name": "Tool:Win32/EICAR_Test_File",
+ "Severity ID": "5",
+ "Severity Name": "Severe",
+ "Category ID": "34",
+ "Category Name": "Tool",
+ "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Tool:Win32/EICAR_Test_File&threatid=17463&enterprise=0",
+ "Status Code": "103",
+ "Status Description": "",
+ "State": "5",
+ "Source ID": "3",
+ "Source Name": "Real-Time Protection",
+ "Process Name": "C:\\Users\\xodih\\Downloads\\RedSun.exe",
+ "Detection User": "swachchhanda\\xodih",
+ "Unused3": "",
+ "Path": "file:_C:\\Users\\xodih\\AppData\\Local\\Temp\\RS-{C6E9CA10-8D55-41A1-AD3D-F14D118B68C7}\\TieringEngineService.exe",
+ "Origin ID": "1",
+ "Origin Name": "Local machine",
+ "Execution ID": "1",
+ "Execution Name": "Suspended",
+ "Type ID": "0",
+ "Type Name": "Concrete",
+ "Pre Execution Status": "3",
+ "Action ID": "2",
+ "Action Name": "Quarantine",
+ "Unused4": "",
+ "Error Code": "0x80070020",
+ "Error Description": "The process cannot access the file because it is being used by another process.",
+ "Unused5": "",
+ "Post Clean Status": "3",
+ "Additional Actions ID": "0",
+ "Additional Actions String": "No additional actions required",
+ "Remediation User": "NT AUTHORITY\\SYSTEM",
+ "Unused6": "",
+ "Security intelligence Version": "AV: 1.449.142.0, AS: 1.449.142.0, NIS: 1.449.142.0",
+ "Engine Version": "AM: 1.1.26030.3008, NIS: 1.1.26030.3008"
+ }
+ }
+}
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml
new file mode 100644
index 000000000..7e329ae38
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml
@@ -0,0 +1,13 @@
+id: da6fdf7c-8cea-4daf-be02-38c22f8cf494
+description: N/A
+date: 2026-04-17
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c
+ title: RedSun - TieringEngineService.exe Detected as EICAR Test File
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.evtx
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml b/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml
new file mode 100644
index 000000000..3e61111bd
--- /dev/null
+++ b/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml
@@ -0,0 +1,34 @@
+title: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
+id: f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
+status: experimental
+description: |
+ Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic
+ of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
+ RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.
+
+ The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage,
+ making the combination of this path prefix and the TieringEngineService.exe filename a highly
+ specific indicator of RedSun activity.
+references:
+ - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
+ - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
+date: 2026-04-17
+tags:
+ - attack.defense-evasion
+ - attack.t1036.005
+ - detection.emerging-threats
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains|all:
+ - '\Temp'
+ - '\RS-{'
+ TargetFilename|endswith: '\TieringEngineService.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
+regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml b/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml
new file mode 100644
index 000000000..a2e8e44db
--- /dev/null
+++ b/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml
@@ -0,0 +1,31 @@
+title: RedSun - Named Pipe Created
+id: 9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b
+status: experimental
+description: |
+ Detects the creation of a named pipe with the hardcoded name "REDSUN".
+ The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain.
+ RedSun creates the pipe as \\??\pipe\REDSUN.
+ The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM.
+ Presence of this pipe name indicates active or recent RedSun execution.
+references:
+ - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
+ - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
+date: 2026-04-17
+tags:
+ - attack.privilege-escalation
+ - attack.t1055
+ - attack.t1562.001
+ - attack.defense-evasion
+ - detection.emerging-threats
+logsource:
+ category: pipe_created
+ product: windows
+detection:
+ selection:
+ PipeName: '\REDSUN'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
+regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/proc_creation_win_redsun_conhost_via_tiering_engine.yml b/rules-emerging-threats/2026/Exploits/RedSun/proc_creation_win_redsun_conhost_via_tiering_engine.yml
new file mode 100644
index 000000000..0ccae7c08
--- /dev/null
+++ b/rules-emerging-threats/2026/Exploits/RedSun/proc_creation_win_redsun_conhost_via_tiering_engine.yml
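Review bot: The tag `attack.t1055` (process injection) in this rule's tags block is not supported by the description, which attributes the escalation to a duplicated token handed to an elevated process, the behaviour the sibling proc_creation rule in this commit tags as `attack.t1134.002`; consider replacing `- attack.t1055` with `- attack.t1134.002` so the three RedSun rules classify the same technique the same way. The same `attack.t1055` tag appears in the win_defender rule of this commit. The selection itself is sound: Sysmon records the pipe as `\REDSUN` (the regression fixture confirms it), and the description's `\\??\pipe\REDSUN` form is the NT path rather than what the PipeName field carries, which may be worth one sentence in the description so analysts do not expect the longer form in their logs.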
@@ -0,0 +1,63 @@ +title: RedSun - Conhost.exe Spawned by TieringEngineService.exe +id: 2ad78473-6978-40f5-b8f1-89c7e1c27a1a +status: experimental +description: | + Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session. + Observed process chain + services.exe + → TieringEngineService.exe + → conhost.exe (SYSTEM, CommandLine: bare path, no arguments) + → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session) + + Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe: + After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance + / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId(). + This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then + calls CreateProcessAsUser to spawn conhost.exe with no arguments. + + Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage): + The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session. + On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly. + The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions. 
+references:
+ - https://github.com/Nightmare-Eclipse/RedSun
+author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
+date: 2026-04-17
+tags:
+ - attack.privilege-escalation
+ - attack.t1134.002
+ - attack.defense-evasion
+ - attack.t1036.005
+ - detection.emerging-threats
+logsource:
+ category: process_creation
+ product: windows
+ definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
+detection:
+ # Stage 1: TieringEngineService.exe (malicious) spawns conhost.exe with no arguments
+ selection_tiering_to_conhost:
+ ParentImage|endswith: '\TieringEngineService.exe'
+ Image|endswith: '\conhost.exe'
+ CommandLine|endswith: 'conhost.exe"'
+ User|contains:
+ - 'AUTHORI'
+ - 'AUTORI'
+ - '$'
+ # Stage 2: full three-level chain for EDR sources that expose GrandParentImage
+ # GrandParent=TieringEngineService.exe, Parent=conhost.exe, Image=shell process
+ selection_shell_full_chain:
+ GrandParentImage|endswith: '\TieringEngineService.exe'
+ ParentImage|endswith: '\conhost.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell_ise.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ User|contains:
+ - 'AUTHORI'
+ - 'AUTORI'
+ - '$'
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml b/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml
new file mode 100644
index 000000000..e0e43bff1
--- /dev/null
+++ b/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml
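Review bot: This proc_creation rule is the only one of the four in the commit without a `regression_tests_path` and a matching regression_data directory, so neither `selection_tiering_to_conhost` nor `selection_shell_full_chain` is exercised by the test harness; a Sysmon EID 1 fixture for the stage-1 event (TieringEngineService.exe parent, conhost.exe child) would bring it in line with the other three. Separately, `CommandLine|endswith: 'conhost.exe"'` only matches a quoted command line; the description says the tool spawns conhost.exe as a bare path with no arguments, and if that path is passed unquoted (I cannot confirm from the hunk which form CreateProcessAsUser ends up logging) stage 1 is missed while stage 2 still depends on a GrandParentImage field many sources lack. Accepting both forms, `CommandLine|endswith:` / `- '\conhost.exe"'` / `- '\conhost.exe'`, keeps the intent of "ends with the image and nothing else" without relying on the trailing quote.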
@@ -0,0 +1,50 @@
+title: RedSun - TieringEngineService.exe Detected as EICAR Test File
+id: a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c
+status: experimental
+description: |
+ Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe
+ dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present.
+ This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based
+ AV bypass/privilege escalation tool.
+
+ RedSun works as follows:
+ 1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
+ 2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger
+ a Defender scan and remediation attempt
+ 3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
+ 4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
+ 5. During the oplock break window, RedSun swaps the mount point (junction) to redirect
+ \\?\C:\Windows\System32 to the attacker-controlled temp path
+ 6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
+references:
+ - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L605
+ - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-17
+tags:
+ - attack.defense-evasion
+ - attack.t1036.005
+ - attack.t1562.001
+ - attack.privilege-escalation
+ - attack.t1055
+ - detection.emerging-threats
+logsource:
+ product: windows
+ service: windefend
+detection:
+ # EventID 1119: Microsoft Defender Antivirus has encountered an error trying to take action on malware or unwanted software
+ # Path field from event: file:_C:\Users\\AppData\Local\Temp\\RS-{GUID}\TieringEngineService.exe
+ # Threat name 'Virus:DOS/EICAR_Test_File' is expected - RedSun uses EICAR content to reliably trigger a Defender scan/remediation
+ selection_eid:
+ EventID: 1119
+ SourceName: 'Real-Time Protection'
+ selection_susp_path:
+ Path|endswith: '\TieringEngineService.exe'
+ ThreatName|endswith: 'EICAR_Test_File'
+ selection_susp_process:
+ ProcessName|endswith: '\RedSun.exe'
+ condition: selection_eid and 1 of selection_susp_*
+falsepositives:
+ - Unlikely
+level: critical
+regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml
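Review bot: The detection comment `# Threat name 'Virus:DOS/EICAR_Test_File' is expected` and step 2 of the description name a threat that the commit's own regression event does not carry: the fixture reports `"Threat Name": "Tool:Win32/EICAR_Test_File"`, and only the `ThreatName|endswith: 'EICAR_Test_File'` selection makes the test pass. The code is right and the prose is wrong, which will send an analyst tuning the rule after the wrong string; I would reword the comment to `# Threat name ends with 'EICAR_Test_File' (seen as Tool:Win32/EICAR_Test_File in the regression event; Virus:DOS/EICAR_Test_File is also possible) - RedSun uses EICAR content to reliably trigger a Defender scan/remediation` and drop the specific name from step 2. Two scope limits are worth stating in the description rather than leaving implicit: `selection_eid` only fires on 1119 (remediation failed), so a run where Defender's quarantine succeeds produces no match unless the detection events (1116/1117) are covered elsewhere, and `SourceName: 'Real-Time Protection'` excludes the same detection reached by a scheduled or on-demand scan; whether either case occurs in practice with this tool I cannot tell from the hunk.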