Rule Info
Name
RedSun - Conhost.exe Spawned by TieringEngineService.exe
Author
Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
Description
Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session.
Observed process chain
services.exe
→ TieringEngineService.exe
→ conhost.exe (SYSTEM, CommandLine: bare path, no arguments)
→ cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session)
Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe:
After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId().
This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then calls CreateProcessAsUser to spawn conhost.exe with no arguments.
Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage):
The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session.
On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly.
The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.
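An added Python example, not the rule's own Sigma logic, that replays both stages described above against constructed Sysmon-style process-creation records; the GrandParentImage field name, the shell list and the sample paths are assumptions.

```python
import ntpath

TIERING = "tieringengineservice.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample telemetry using Sysmon Event ID 1 field names. GrandParentImage
# is an assumed field name for EDR sources that record the three-level chain.
SAMPLE_EVENTS = [
    # Stage 1: SYSTEM conhost.exe with a bare-path command line under TieringEngineService.exe
    {"Image": r"C:\Windows\System32\conhost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\TieringEngineService.exe",
     "CommandLine": r"C:\Windows\System32\conhost.exe"},
    # Stage 2: SYSTEM shell under the rogue conhost.exe, grandparent visible
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\conhost.exe", "CommandLine": "cmd.exe",
     "GrandParentImage": r"C:\Windows\System32\TieringEngineService.exe"},
    # Benign: ordinary conhost.exe started by cmd.exe, carrying its usual arguments
    {"Image": r"C:\Windows\System32\conhost.exe", "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

def _name(path):  # lower-cased last path component; also strips DOMAIN\ from a user name
    return ntpath.basename(path or "").lower()

def _is_system(user):  # NT AUTHORITY\SYSTEM and its localised spellings
    return _name(user) == "system"

def _bare_path(cmdline, image):  # command line is only the image path or name, no arguments
    cmd = cmdline.strip().strip('"').lower()
    return cmd in (image.lower(), _name(image))

def stage1(ev):  # TieringEngineService.exe -> argument-less SYSTEM conhost.exe
    return (_name(ev.get("ParentImage")) == TIERING
            and _name(ev.get("Image")) == "conhost.exe"
            and _is_system(ev.get("User"))
            and _bare_path(ev.get("CommandLine", ""), ev.get("Image", "")))

def stage2(ev):  # only evaluable on sources that expose GrandParentImage
    return (_name(ev.get("GrandParentImage")) == TIERING
            and _name(ev.get("ParentImage")) == "conhost.exe"
            and _name(ev.get("Image")) in SHELLS
            and _is_system(ev.get("User")))

def classify(events):  # (stage, image name) per matching record; benign records yield nothing
    checks = (("stage1", stage1), ("stage2", stage2))
    return [(label, _name(ev["Image"])) for ev in events
            for label, fn in checks if fn(ev)]
```

The benign record shows why the bare-path condition matters: a normal conhost.exe is launched by its console client with the session handle and -ForceV1 arguments, so it never matches stage 1.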
Date
2026-04-17 00:00:00
Modified
None
Id
2ad78473-6978-40f5-b8f1-89c7e1c27a1a
Tags
attack.privilege-escalation attack.stealth attack.t1134.002 attack.t1036.005 detection.emerging-threats
Type
Community Rule
Link to Public Repo
