From fcb2aead3a69c34ca80554230cf87a05dd05c43b Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel
 <87493836+swachchhanda000@users.noreply.github.com>
Date: Tue, 28 Apr 2026 07:07:30 +0545
Subject: [PATCH] Merge PR #5941 from @swachchhanda000 - Add RedSun Execution
 Indicators

new: RedSun - Named Pipe Created
new: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
new: RedSun - Conhost.exe Spawned by TieringEngineService.exe
new: RedSun - TieringEngineService.exe Detected as EICAR Test File

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.evtx | Bin 0 -> 69632 bytes
 .../f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.json |  51 ++++++++++
 .../info.yml                                  |  13 +++
 .../9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.evtx | Bin 0 -> 69632 bytes
 .../9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.json |  51 ++++++++++
 .../info.yml                                  |  13 +++
 .../a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.evtx | Bin 0 -> 69632 bytes
 .../a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.json |  89 ++++++++++++++++++
 .../info.yml                                  |  13 +++
 ...le_event_win_exploit_redsun_indicators.yml |  34 +++++++
 ..._created_win_exploit_redsun_named_pipe.yml |  31 ++++++
 ..._win_redsun_conhost_via_tiering_engine.yml |  63 +++++++++++++
 ...edsun_tiering_engine_detected_as_eicar.yml |  50 ++++++++++
 13 files changed, 408 insertions(+)
 create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.evtx
 create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.json
 create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml
 create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.evtx
 create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.json
 create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml
 create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.evtx
 create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.json
 create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml
 create mode 100644 rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml
 create mode 100644 rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml
 create mode 100644 rules-emerging-threats/2026/Exploits/RedSun/proc_creation_win_redsun_conhost_via_tiering_engine.yml
 create mode 100644 rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml

diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.evtx b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..4431367fda4a63b21418b50d3e31a28d62227247
GIT binary patch
literal 69632
zcmeI$TWl0n7zglgW_PFCZFk$ML{UU8MWjhDw3NG-?PY<`76hb_G%-zg+b*=bwcXM}
zHK~_+dq8|J#E=l>MNwno1BMV16M{yg!50!QAx7ehCdOC|Q9^Y6e`jXeQiB9|^gqpZ
z&z$+rWq#+IGlk~9?nJsTC9@CPs~E?(Edh~IYj(&jpT{p>dFYlqVFwhT00k&O0SZun
z0u-PC1t>rP3S3v9xv#siH?vp#f8Af}dt7_Me+nEb5-ES@^<&rV_&NbP&e{=KIWz2D
zM<fy!`8_1^V{qmbky_M0i2sJT(c|28+Ps7@^|%*f>hXsc|DIQ`bw^OwJ!?J><NQzW
zKS}PMHAcVJm$p6bm0J;;K%b{(^`kL2bKLKZ{X@acw4QELQGqorl&SUK&~nE_#kmVs
ziDgN#_1(H(-u6e*@&i8|*|zB7*XPHNm%VieccM}8GI<U~y+J)r6^Eo*_DM=IlEe86
z_&9sKi>FIMGAjMjhl@kF5VGo}7hyRWkhM~cpCRc&O$srcC|BV-jhaEp;w&rOh^)eS
z7WLIKf@>Lk*Gdh3R-jZPtMNNEHT=+3XSS8kpT}DH>z3W&$adL}o^xhIBzQcZ-;H_s
zD>^wAmaS&=eHbf=s6kxSq)qtAxcRl9v|+OSxF`~fiRJ9_@?qJWplpy~(-N0Tq$Cgz
zNGrk)coCO63ua(#k|tbRijSiyr`;_3HX@Iri%yWGar<dA1*MAx#j#@nae`KnEJB5!
z>30<t$WAXT4XF&S*|8!C2Jy_z$BCcf$#WrTL7=Wxp9vBTvSl7l=6QMAJQkE4W-a!b
z5L*YdWC2d}5zyoP`HpPC0_w6Tkq&2RPa!GCiT~v6`7$h<ad|)1Eeppa+%+^LbAn*s
zij!Bp9@iZ#!k}qm+KA8;CZJ1{M2z9lr$}>Z{aECx74#c{$C0vt6+yO4?<I*qbcXge
zbf{C-nYi+HEFuw|%LE$v8^W>Qilotm={)+(OnlZ3#3d5m6CRn2NE|)pFmcV69PZTZ
zH&!4ej&2IN?DZd)i4N`dr1x}<Mo~?de7+xJ_?yVd6NR{eQ8V#jGmyKy8+9I7P0_hT
zzAE%`whMtn`0-{DmawB+t1j)tnlOZWJzF0jRw&_sRcg{nH)B1XMT#~evJ;7vG4s|%
zD-|nf<@4(ipu3tb+`3HIK=mUPbaL*qVu!3^Oko7=^}*JU+gB1bYTbY?{7v|csxX#Q
zmt`0;a|uQ6Lxkh+$K5TCJcbUnckjN6<@P`@RwfIBavMUCdgg;n#S6>5i?Ga*u$18{
zQXD1yge79)(A?D5;H*?iWFx*$1QsHu2tVF2?(d5)7K@xlr%RjNH>Hh-L649Q-HJJ1
zy;)UCJL)o6<tz+_q|!^*ew=6I@zn$E6=%M0{HVpblz!#PH#ge8+B|nkq0fh#mAX^7
zoA>2Uj`sMk2Q4R7FW&w1lOH@Xd9*Em2D8>Etl@_!>RVTjre`$4{LQ<`blZt~-51y3
zTi?Q(XD?@i*sF9<y*d{kNB6^!6-I6kV+N_IJ<*P0Npzu?c<t|;jxNAb<{;)jwssUV
z(%4Eb)-1i-bJ47%_BU2LYD<Z>S?0C5XS)A?KL|;&qX7wP{6a5YSKpg`2q~p6o*vBK
zjv|dTuFi|o`Fn9Ovn39ixSS*)uXmh5OMMI2(U9A+-fL;LEcY%-@QC>PnY&)I1su1n
z-nnXP&U&K;rxM?e79dKK7#ESQRbJ|9O#<aly}ELIH_I-3^c7i)7gwcuQC7-wStScl
zuE%S)7O&2=DAl2#8q}|m`HK%*<!3LZKhyUL`urKsc_U&vre-jN@+fjRiF@xwxyj^r
z1`b&$=+@q0cDW?-eHb!TaM6A1zk7*e>lm0ytPZ@Lvd9k2=njbM9|Z%Z-|e`MF*Ex(
zX07+O3in-!QXO{F29#Eq`X-bb&|lnKU5Pu3;}3*7#IMB9a-28f%2TFy_sy!$Y7e~h
zx0X|8KN>U}x^AcbecYJmwf4W6hJe<;!+21D0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epy
zpa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+
zfC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O
z0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC
z1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo
z6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)U
zP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)U{LchZvPqJ1
zc*(D!iNAZ=CK}Q^51jmKORJ=%O9mw?L-=${PAa7xbs5BFWdyaA(t`7S;<m4rEi!=e
zpmZWOjhGBdeNt>qUU>KHn>`{nT<79<P{PvQvZ*QF^~7*`FtsDQH<cM`Pv?5uHZ+PO
S&yS0YS|ZlxUz|FKCjS73j<|gQ

literal 0
HcmV?d00001

diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.json b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.json
new file mode 100644
index 000000000..deecfd984
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.json
@@ -0,0 +1,51 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-17T05:24:53.092051Z"
+        }
+      },
+      "EventRecordID": 83239,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "EXE",
+      "UtcTime": "2026-04-17 05:24:53.079",
+      "ProcessGuid": "0197231E-C424-69E1-C922-000000000800",
+      "ProcessId": 15596,
+      "Image": "C:\\Users\\xodih\\Downloads\\RedSun.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\RS-{05A3207F-23AB-432D-BDAF-69A8306619CF}\\TieringEngineService.exe",
+      "CreationUtcTime": "2026-04-17 05:24:53.079",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml
new file mode 100644
index 000000000..424b70e2b
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml
@@ -0,0 +1,13 @@
+id: a86306af-137b-427f-9e39-680199937bd0
+description: N/A
+date: 2026-04-17
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
+      title: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d.evtx
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.evtx b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..eeadeee7c7202eb3053c74a9fcd30e360b7c85bf
GIT binary patch
literal 69632
zcmeI$TWl0n7zglgW_PFCZFk#(4XA)yEDANfP^>^fOl`ZOT&xrUBSagvwF~Vo>4l5<
z(5OT)iuiz<prkP|f>GZzibNBUL=porAzla}5)-4wn4lqEcv%16%pAI1Z7L9XApdEG
znK|>#IcI*~IcG{+d%6;-o=(Z%Y`<U#M_U3SrB;5(WnVY_d4ADlSHcP?KmiI+fC3bt
z00k&O0SZun0u&fmptYx~xjVg4%>VAkIu2<~_@lsZMC5RA-{f&C9w$KCIW)BYz1*;=
zjz}ad@>@vchhXj<k$RNhjz2?O>~?INXLh1Z-KL^V-G2Au-}1|~Y%j{X^7?ZJuK)1=
zNOE0X8@+yA`s@M!d>LXBsPkZ6JsNW<+fC*VG?((Q|IBv<B2`t$DQr#NZ#h13N7b=Y
zR*7Xvv2}XEFZ)ePdOq{Vy(^}l`TE4rfwDJt<4rWGsZ5^4slK3Y2a7|}Dx0NK(lUVS
zr?5L4{F{eLLb6qQr3W|raU*0kNH@X;WRo;XEq?lCJxV$e(}D9E98)OilMJph(uK$x
zTxU>TD_d|cjbpvk;pbMI)yX{k+j*h+{!v%9mCc?&u1wxCD;;T<ZK!#`Z4m>!DVu!&
z{W2LnyFDyzZtI)TRuWNtxO*G+gc*!W_5@`)I@^nzBC(iQ&KiF_%qkDcT{7rCiCZO7
z5@-s@GK4+qN1W>@$icc>T5#`X?2ZmOt!CEAh}?%NIzX1f>!;i<C|xWljvWh#6SRtC
zItt84pIlfVtNgGOq|&%&$BHBvM2@H7!VK}`v5+i9pysN_4H6BqWeP5)_~W#7dr(%o
zx!CB2*xH~aaa`yW(CwXRj@*j`YFd;?o3pg0kW}Kr%$yC!!?Faow;^vCI40q)p&=;`
zg1rqFFZeYs*j0o^Q?6+<LOam`O;HjtE|1P49a9UpM@D7PJOmy`$^updqh(|*Nd%%f
z+AC0@c3FGk$=k7rM6@qE@Q_&$Ui-C3n%yw%M~~YR!@3r6iG)AHBWEMhgc=9XaUCrK
zcvG+5Sb>x{x+rMc8;+ETHtp4<?=;3kQ5`PXY%kg{i^%)$7UBiAx*Z>M8}ib-So?u&
ziuNV)RiQs-*CVhWKYlO55_WWH)zt2oABJ$ZZ)*Tzg%S=}rS5Rj#aOo|FhrXX*@1zS
zcKfYKD-|nfWwQ$rpsSiDZb3TiLiJ)OXy?4SVu!3^bYTmg*NLsWS631xYJDfFFpKbT
zO&ICav<#wW9-+t$h;Yn$+_lt^`%$6R?!Q;DObi5LWl|B82?)i|b9anXe6YN?2urzy
zr3`m5#Brv3SR!s59(T*@a8)WLvKYrBb_HU}{3mdG$gGP`7vsByN@uisE2f3Xpj$|r
zUWPu8UaYERHOkV+as~$dQtc1dUR<Z;p?RBDSAFtr^T$h_bE)Uge{-?V*ShmgDRh2#
zqf%E2Z}I-Vc0z|P@w(~x4Ig~5E^*}b_|BQ-XWm4wH3~W0hg1FP>elkO4luKLx46}I
zpj_9*`8euVSjX8jnIP6GZB*}Gi`~)nFl2=>wg=IJ&I@az9Ysns(X;&LuOErdZEPi`
z%O*T$N6{;dpW(+(8i_AJ>IWcfrnw!pz1V6$)*UKdPm1y;fmw*{Xh2HF?2otDk4&5-
z`h&ru@w)Kn`;U6tHmGZ_%@@FqhP)nC_|ZDHe47vktbW!Wao^JM;<U$FtBy@SE_h*p
z+tC6<>0m_)Ff6aZUgHl_Eyc%164)!TS7Y*xtdyo-`f04k2dmosKvv6anJaOeH{f$y
zk56VJ&gP)bI+V|sX*a%PRepLVbyUA6sQ+io@3qKiE0W!gUM)u(jVLh_upj4JF_M!|
z=*D@AJId3@e+KWV3%ow9Yg{`<MH=mNx~tb%>p^a9BI#j$?=)&kBj=s?b!63-2iHVV
zh?U=+!c};03+J)8e*9zc*?12<nzxSQ%^Oixk9TfzKfI##?8h_udygKU#pAlY9ct)%
z^=SU@J^!|zXyax*DaE-aLihajWD&Zi>&Yq{TSeECcpx6o?z&spv^bn<Y;e5ddOd!Q
zDf=)6wCR~#><VK(*X>Z#U!{`%jO>%2Dz~5htiSM{m)AXb^3-3uC;gZ8X6)K(A==@t
zZo1fymnSR_IeD6$m!~=YcpS+S!gKTVoTnxqRt)X==!)jawAgm`pLu$$QpEJ^D#??M
z#F6=wpQpKQo^t0?UY>UOc{=<`#fw)qPo~AO@??5;mE_6HC*PX~3Q&Lo6rcbFC_n)U
zP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZ
zKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt
z00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun
z0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP
z3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbF
zC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epy
Jpuqnr@Hf|EE_na|

literal 0
HcmV?d00001

diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.json b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.json
new file mode 100644
index 000000000..cfe098325
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.json
@@ -0,0 +1,51 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 17,
+      "Version": 1,
+      "Level": 4,
+      "Task": 17,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-17T05:24:53.088849Z"
+        }
+      },
+      "EventRecordID": 83237,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "CreatePipe",
+      "UtcTime": "2026-04-17 05:24:53.079",
+      "ProcessGuid": "0197231E-C424-69E1-C922-000000000800",
+      "ProcessId": 15596,
+      "PipeName": "\\REDSUN",
+      "Image": "C:\\Users\\xodih\\Downloads\\RedSun.exe",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml
new file mode 100644
index 000000000..7876884ec
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml
@@ -0,0 +1,13 @@
+id: 8e35c907-231e-46e5-bf0f-9e724ce93279
+description: N/A
+date: 2026-04-17
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b
+      title: RedSun - Named Pipe Created
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b.evtx
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.evtx b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..aef8e4aa809e45da74f6e538fee63dd16c442c57
GIT binary patch
literal 69632
zcmeI0U2I%O701uL-d(SqtR1H{Z9cn6+q5aQW5??x&Ii%P_R^?Hn#Sg%C{kp)cH_jc
zgYA4_5D`!z@_^u>Ql$#1Lam?(Q2|0i6+HH_L8>AO6#~Hnf)}K=Ac%M{|NqR~{czS!
zqVT}O|E})dduPr$GxM8s&Yii#Qxm1hsc~C+#G&9SuCX<lt%;V3-1Bqs=6^nM&qicG
z1VlgtL_h>YKm<fU1VlgtL_h>Y;I;&YrzQqZPoK49cfZ{ADlOroz{?Mqz4zT8;{V<b
zw)4)LgMY5IvMFPBC~Njn+U&2X+8VPnC_jMD5O;fAzm3i}(I$^gXp_gkg8Yv{Im=!_
z*~F6m9K`d#!$*?!OWHUWY*F`(aDNoCCD?pxi5<$UbZo%58y(w1+l}h(rtFC)FsGeX
zng1`ft@~;I`tPImD6-YjANKwI2T4o3fBbK+oY?xO-`=?TM#uNRjge5Q*kNDCEeFWs
zt<`B8wu?4y(>9OiZ{W<F36;NWPupcXXH%%0Lq$63x6=@txAV5wcHlQ>&!c1<GGn;!
z#&r@Uvo?dL8JmD)H=buuzQZn|ZW`B})`MRGcRjWT|KpYB=jxu~XmRld<|>)DnbC}m
z*cDiwcP+xfi;IiTp<l_2ez1_W<F56KXsZmVS=8>rSxTJo>6cP=44plPO0%{$i!z@L
z{;<6>WuLSQP7_t_*4|WXvZE0DVvzXfSaS`m!#0Gv$8cuoax}C3{Z@MxCdPnl62qT#
zT_C!)lx5<!Cd;IvRkjrciKjo<(rlj&Vv`^>jk>sPm8DXMxy^V;T)cceZAT!;xtel9
zMxod?;$dU()8U1bjk>uw>qKHU7+D?<3;`ZL-kh;#FoB#FB4Tq9Ev4-dJS35G=GR$!
z8r4@YZ!_Rn26u|4tuqDe$MNu;U~%8KR-w^J$8->)<LCgVs0<m0hfzeI+P~0RH-m{1
z@MNr`DQbncRC7tGDOW@L1Prpv?1?8Ix3yX;`|=``l7#TR4_Dcs6JtN7Tu&0LCm~lV
zg$Qr`pw)`7IFF9gTjnuRZ?~=4+A~ZFoc8{=JB&?xOB~ZON;$gA;^H~9ktC5{{JaGN
zxa>N9!8PQk_bK)RvuW&0>w7K1XP<}Q9Dbn}S<7aaS~;~Z4rD?2bYPnRXlt=-Q?$mp
z6O%EIufatJAvp#|ns)u>q^+?i6)i6AhXAu0CvM+#)`2<)S77ISti<VPHM(#K`V4HI
z-c}hUWPJ!Gk|g|UcNWvhX}N%&d4y&UK_Zjn<B1~~`xFe)dKlMgyRRwL)?r&xwicpr
zJ$J%W@xt<>$Xcgmt;5z>J8HA;%v!6HgF3Vfu@|}elem7ReG6Z9b_(Ni$JHb+mKG13
z{mVbzKl1Xvi$95Guf2W)!Lny30*m525F9+x?8;G$p+0$a*=JBTjai=olQ~=ZoJTjt
z5$DXFKHXe<>79<|w?8`evky=G?vKBE^78+}<_;IHM98@E-pmZ+lm5-M+h0pwJG@_b
zw{ZM7xtoK11En|DxA>%wxrej3w>3vQ^i?`$lJtk1*)fzepB8cD+nfG*Z6<{QvQgG<
z!I@zmrH}YDTgJ>Ygz}Y~8t1^2j?y3OxCG#}+HcXSPkeDM^13^MZe5EcO*i!+%Sg&Q
zmx^<-*Xj#ek5>EH=H_RqR+4t&T$9&)IB4R<nv9TcJB`uNb;}m#;G`TCZIcccRDnfv
zo#al)roHU;AiJR|+foz7q{fhla~Ut+735t2d1B0~Nz~U<ZeBr$G0DkIVlrtb>veiV
zI~;WwL(au<y-xC$jB_n3v^D75W87YFIrmCsObAx;YS`ATI@PvTdA)`+QbIHyaq)N-
z)K;(1s}bk2^KSm~F3mAI<6O?`><a`)JP=q50(A34hu+4;4H=$CsgJrihXn)2MbD%k
zFc$?2>52um)b8aP`oIWSF=H~}Cv(FL4Z96}pkBVps>ACvj20iC$t$HcKG%A!JC2ql
zeaE@`yyk6Vpbz7}-^<dM$*H5tDTORR&Zi;O>7^P{dd9JT!OeF<>0@5LA*FixDy0X!
zPD4t!zMYen9`srbDK*lnwztk}Hl#F)MaKD>SzqsE8;-v!TeZEx%O4C>8C}8q?svJB
z{?w><wZ0waHm=ZWvbw3wubaGlL+bVN)t+wlIt?k*X4V3{;2|&j@i3}Q)ls!#G_&||
z*;gCKd9N`LG^iOkbku1q7sXrduy_6F-PRS_I*y)kJHozAVP3iF%2)CL-yU)9VXt2d
zeWgc*zII|QS;mhmr|MfhUs+*t4(4Fbza<{=b`A$S%wfUKx;wN(FJL~KMz)S~k9vE%
zgFX6Su(!soc)3Gj->Peld}S#Y=eBw6+s^MUwDg#leKxc-SZ!&Od+*e)AM>t%d}B}H
zH;JBdZRIoN($&J_-tICn%29HxjESY1+o72<?4_{*jj+p#@Lq|q9gR@pPcAkKII*@c
zylLDb74J`b7bo7=PL6dv(GM%(#0<Ie8@RF@(e19txbBJ^@2;#vesr?Dz8dZmd;9SW
zzOKHE>oJ_St|M<<d(v~bi}xFvS@-rUU`y4DQFde7y$d7k!`bcrdr`h%yKMlz+mCZ6
z#!$ivcQ@n;u+)YB5~PQ4H-P&dL{=Bdcj2kmN%TW!5alJ5eA#X5*+v&i3i$7ZrBQdk
z*U9h2J^R7Uf1iEM)fXV&2dNqSrtnF@ueSSOYX@384C_Vs;web*Z9I>=5=O^J>vx{x
zS1jYOQK(o+K2XesPZV64to&hO0&9Ev+O(ZTy9X=x{Dg1-ws)h){AjTa68_7<fl6z4
z)8}m%L3K6ft&@_cu+4coJ%1MO2*xSbo(IrwuOrrvo^U71m46r7_xtU9SX0-paR)K>
zla*+l!~JDYU^Jh`{SfXiVJuU)j-izGv|I+$3n=f#J$J3k?E`DA@f!!{V=v}r<yMOr
z)p@k-w-YB3aWjZ(j^?DBUv5O%j}eS+0k(F*1L&JYH~ud8&Jbq3AGHOPu$1071S<5<
z5}pgVqgU^-L(tv>-QDm@TKC^!eC8X*2$RgfmGZ3H{xicQ<L<5LTOMCE{9f4Sl3vGX
z4t-7bd}YiIzc?^U@tXr@f*$O@198vhW0IMu2VD2yzsLEM_bRUNnWH%8B;r2;<Q*IC
z;b&km@A^=!qaRTxp`W+U<C!%5j)hs2TJ#}b=f|E8^<`Je)jE5}7HE&}*!o^{ql6jb
z7-T5h=xs$h$@`0~k--<x&ZN65Lw6LVMR?<=J%yd@3B>iNJ%@Q2!T$*EhmqZi$kBTt
z*Na&w;5UFPXLKj7J@%xtFmfA-W3arEOcCuQZLpoC8Ik#kE!EpuP7>+aAN(GxLj*)X
z1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1Vlgt
zL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>Y
zKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU
z1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1Vlgt
zL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>Y
zKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU
k1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1Vlgt{+|i_7aD$AX8-^I

literal 0
HcmV?d00001

diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.json b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.json
new file mode 100644
index 000000000..e3eb79c73
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.json
@@ -0,0 +1,89 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Windows Defender",
+          "Guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"
+        }
+      },
+      "EventID": 1119,
+      "Version": 0,
+      "Level": 2,
+      "Task": 0,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-17T04:14:33.653414Z"
+        }
+      },
+      "EventRecordID": 542,
+      "Correlation": {
+        "#attributes": {
+          "ActivityID": "6B3DFF46-F4E6-4CDA-983B-76B101728AA5"
+        }
+      },
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 7380,
+          "ThreadID": 12856
+        }
+      },
+      "Channel": "Microsoft-Windows-Windows Defender/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "Product Name": "Microsoft Defender Antivirus",
+      "Product Version": "4.18.26030.3011",
+      "Detection ID": "{79C5C2FF-764A-4F0D-940E-A6914A52C0F9}",
+      "Detection Time": "2026-04-17T04:14:08.003Z",
+      "Unused": "",
+      "Unused2": "",
+      "Threat ID": "17463",
+      "Threat Name": "Tool:Win32/EICAR_Test_File",
+      "Severity ID": "5",
+      "Severity Name": "Severe",
+      "Category ID": "34",
+      "Category Name": "Tool",
+      "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Tool:Win32/EICAR_Test_File&threatid=17463&enterprise=0",
+      "Status Code": "103",
+      "Status Description": "",
+      "State": "5",
+      "Source ID": "3",
+      "Source Name": "Real-Time Protection",
+      "Process Name": "C:\\Users\\xodih\\Downloads\\RedSun.exe",
+      "Detection User": "swachchhanda\\xodih",
+      "Unused3": "",
+      "Path": "file:_C:\\Users\\xodih\\AppData\\Local\\Temp\\RS-{C6E9CA10-8D55-41A1-AD3D-F14D118B68C7}\\TieringEngineService.exe",
+      "Origin ID": "1",
+      "Origin Name": "Local machine",
+      "Execution ID": "1",
+      "Execution Name": "Suspended",
+      "Type ID": "0",
+      "Type Name": "Concrete",
+      "Pre Execution Status": "3",
+      "Action ID": "2",
+      "Action Name": "Quarantine",
+      "Unused4": "",
+      "Error Code": "0x80070020",
+      "Error Description": "The process cannot access the file because it is being used by another process.",
+      "Unused5": "",
+      "Post Clean Status": "3",
+      "Additional Actions ID": "0",
+      "Additional Actions String": "No additional actions required",
+      "Remediation User": "NT AUTHORITY\\SYSTEM",
+      "Unused6": "",
+      "Security intelligence Version": "AV: 1.449.142.0, AS: 1.449.142.0, NIS: 1.449.142.0",
+      "Engine Version": "AM: 1.1.26030.3008, NIS: 1.1.26030.3008"
+    }
+  }
+}
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml
new file mode 100644
index 000000000..7e329ae38
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml
@@ -0,0 +1,13 @@
+id: da6fdf7c-8cea-4daf-be02-38c22f8cf494
+description: N/A
+date: 2026-04-17
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c
+      title: RedSun - TieringEngineService.exe Detected as EICAR Test File
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c.evtx
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml b/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml
new file mode 100644
index 000000000..3e61111bd
--- /dev/null
+++ b/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml
@@ -0,0 +1,34 @@
+title: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
+id: f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
+status: experimental
+description: |
+    Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic
+    of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
+    RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.
+
+    The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage,
+    making the combination of this path prefix and the TieringEngineService.exe filename a highly
+    specific indicator of RedSun activity.
+references:
+    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
+    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
+date: 2026-04-17
+tags:
+    - attack.defense-evasion
+    - attack.t1036.005
+    - detection.emerging-threats
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|contains|all:
+            - '\Temp'
+            - '\RS-{'
+        TargetFilename|endswith: '\TieringEngineService.exe'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical
+regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml b/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml
new file mode 100644
index 000000000..a2e8e44db
--- /dev/null
+++ b/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml
@@ -0,0 +1,31 @@
+title: RedSun - Named Pipe Created
+id: 9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b
+status: experimental
+description: |
+    Detects the creation of a named pipe with the hardcoded name "REDSUN".
+    The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain.
+    RedSun creates the pipe as \\??\pipe\REDSUN.
+    The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM.
+    Presence of this pipe name indicates active or recent RedSun execution.
+references:
+    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
+    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
+date: 2026-04-17
+tags:
+    - attack.privilege-escalation
+    - attack.t1055
+    - attack.t1562.001
+    - attack.defense-evasion
+    - detection.emerging-threats
+logsource:
+    category: pipe_created
+    product: windows
+detection:
+    selection:
+        PipeName: '\REDSUN'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical
+regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/proc_creation_win_redsun_conhost_via_tiering_engine.yml b/rules-emerging-threats/2026/Exploits/RedSun/proc_creation_win_redsun_conhost_via_tiering_engine.yml
new file mode 100644
index 000000000..0ccae7c08
--- /dev/null
+++ b/rules-emerging-threats/2026/Exploits/RedSun/proc_creation_win_redsun_conhost_via_tiering_engine.yml
@@ -0,0 +1,63 @@
+title: RedSun - Conhost.exe Spawned by TieringEngineService.exe
+id: 2ad78473-6978-40f5-b8f1-89c7e1c27a1a
+status: experimental
+description: |
+    Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session.
+    Observed process chain
+      services.exe
+        → TieringEngineService.exe
+          → conhost.exe             (SYSTEM, CommandLine: bare path, no arguments)
+            → cmd.exe / shell       (SYSTEM, TerminalSessionId = attacker's session)
+
+    Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe:
+      After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance
+      / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId().
+      This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then
+      calls CreateProcessAsUser to spawn conhost.exe with no arguments.
+
+    Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage):
+      The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session.
+      On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly.
+      The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.
+references:
+    - https://github.com/Nightmare-Eclipse/RedSun
+author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
+date: 2026-04-17
+tags:
+    - attack.privilege-escalation
+    - attack.t1134.002
+    - attack.defense-evasion
+    - attack.t1036.005
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
+detection:
+    # Stage 1: TieringEngineService.exe (malicious) spawns conhost.exe with no arguments
+    selection_tiering_to_conhost:
+        ParentImage|endswith: '\TieringEngineService.exe'
+        Image|endswith: '\conhost.exe'
+        CommandLine|endswith: 'conhost.exe"'
+        User|contains:
+            - 'AUTHORI'
+            - 'AUTORI'
+            - '$'
+    # Stage 2: full three-level chain for EDR sources that expose GrandParentImage
+    # GrandParent=TieringEngineService.exe, Parent=conhost.exe, Image=shell process
+    selection_shell_full_chain:
+        GrandParentImage|endswith: '\TieringEngineService.exe'
+        ParentImage|endswith: '\conhost.exe'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell_ise.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        User|contains:
+            - 'AUTHORI'
+            - 'AUTORI'
+            - '$'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml b/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml
new file mode 100644
index 000000000..e0e43bff1
--- /dev/null
+++ b/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml
@@ -0,0 +1,50 @@
+title: RedSun - TieringEngineService.exe Detected as EICAR Test File
+id: a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c
+status: experimental
+description: |
+    Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe
+    dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present.
+    This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based
+    AV bypass/privilege escalation tool.
+
+    RedSun works as follows:
+      1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
+      2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger
+         a Defender scan and remediation attempt
+      3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
+      4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
+      5. During the oplock break window, RedSun swaps the mount point (junction) to redirect
+         \\?\C:\Windows\System32 to the attacker-controlled temp path
+      6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
+references:
+    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L605
+    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-17
+tags:
+    - attack.defense-evasion
+    - attack.t1036.005
+    - attack.t1562.001
+    - attack.privilege-escalation
+    - attack.t1055
+    - detection.emerging-threats
+logsource:
+    product: windows
+    service: windefend
+detection:
+    # EventID 1119: Microsoft Defender Antivirus has encountered an error trying to take action on malware or unwanted software
+    # Path field from event: file:_C:\Users\<user>\AppData\Local\Temp\<n>\RS-{GUID}\TieringEngineService.exe
+    # Threat name 'Virus:DOS/EICAR_Test_File' is expected - RedSun uses EICAR content to reliably trigger a Defender scan/remediation
+    selection_eid:
+        EventID: 1119
+        SourceName: 'Real-Time Protection'
+    selection_susp_path:
+        Path|endswith: '\TieringEngineService.exe'
+        ThreatName|endswith: 'EICAR_Test_File'
+    selection_susp_process:
+        ProcessName|endswith: '\RedSun.exe'
+    condition: selection_eid and 1 of selection_susp_*
+falsepositives:
+    - Unlikely
+level: critical
+regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml