RedSun - TieringEngineService.exe Detected as EICAR Test File

Rule Info

Name
RedSun - TieringEngineService.exe Detected as EICAR Test File
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects Windows Defender EventID 1119 (Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool. RedSun works as follows:

1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
4. When Defender attempts to scan/quarantine the file, the oplock triggers, holding the file open
5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \\?\C:\Windows\System32 to the attacker-controlled temp path
6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
Date
2026-04-17 00:00:00
Modified
None
Id
a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c
Tags
attack.stealth attack.defense-impairment attack.t1036.005 attack.t1685 attack.privilege-escalation attack.t1055 detection.emerging-threats
Type
Community Rule
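The two detection branches in the description (a Defender remediation-failure event naming TieringEngineService.exe inside an RS-{GUID} temp directory, and a RedSun.exe process) can be expressed as a small matcher run over log records. The following is an added example written for this page, not the Sigma rule itself or any Nextron code; it assumes Defender events carry the file path in a field named Path with a "file:_" prefix, that process creation comes from Sysmon EventID 1 with an Image field, and that the RS-{GUID} directory may appear with or without literal braces. All sample events are constructed.

```python
import re

# Windows Defender Operational log: Remediation Action Failed (from the rule description).
DEFENDER_REMEDIATION_FAILED = 1119
# Sysmon process creation; assumed here as the source for the "RedSun.exe present" branch.
SYSMON_PROCESS_CREATE = 1

GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
# Matches ...\RS-{GUID}\TieringEngineService.exe. Braces are optional because the
# description writes the directory as RS-{GUID}; the exact on-disk form is an assumption.
STAGED_PATH_RE = re.compile(
    r"\\RS-\{?" + GUID + r"\}?\\TieringEngineService\.exe$", re.IGNORECASE
)


def _normalize_path(path: str) -> str:
    # Defender event data prefixes file paths with "file:_" (assumed field format); strip it.
    if path.lower().startswith("file:_"):
        return path[len("file:_"):]
    return path


def is_redsun_staging(event: dict) -> bool:
    """Branch 1: Defender 1119 naming TieringEngineService.exe inside an RS-{GUID} directory."""
    if event.get("EventID") != DEFENDER_REMEDIATION_FAILED:
        return False
    return STAGED_PATH_RE.search(_normalize_path(event.get("Path", ""))) is not None


def is_redsun_process(event: dict) -> bool:
    """Branch 2: a created process whose image file name is RedSun.exe."""
    if event.get("EventID") != SYSMON_PROCESS_CREATE:
        return False
    image = event.get("Image", "")
    return image.lower().rsplit("\\", 1)[-1] == "redsun.exe"


def find_redsun_hits(events):
    """Return (branch, artefact) tuples for every event that matches either branch."""
    hits = []
    for ev in events:
        if is_redsun_staging(ev):
            hits.append(("staging", ev["Path"]))
        elif is_redsun_process(ev):
            hits.append(("process", ev["Image"]))
    return hits


# Constructed sample events: one true positive per branch plus two benign look-alikes
# (a plain EICAR download, and the legitimate TieringEngineService.exe in System32).
SAMPLE_EVENTS = [
    {
        "Channel": "Microsoft-Windows-Windows Defender/Operational",
        "EventID": 1119,
        "Threat Name": "Virus:DOS/EICAR_Test_File",
        "Path": r"file:_C:\Users\alice\AppData\Local\Temp\RS-{7f1e2d3c-4b5a-4c6d-8e9f-0a1b2c3d4e5f}\TieringEngineService.exe",
    },
    {
        "Channel": "Microsoft-Windows-Windows Defender/Operational",
        "EventID": 1119,
        "Threat Name": "Virus:DOS/EICAR_Test_File",
        "Path": r"file:_C:\Users\alice\Downloads\eicar.com",
    },
    {
        "Channel": "Microsoft-Windows-Sysmon/Operational",
        "EventID": 1,
        "Image": r"C:\Users\alice\Desktop\RedSun.exe",
    },
    {
        "Channel": "Microsoft-Windows-Sysmon/Operational",
        "EventID": 1,
        "Image": r"C:\Windows\System32\TieringEngineService.exe",
    },
]

if __name__ == "__main__":
    for branch, artefact in find_redsun_hits(SAMPLE_EVENTS):
        print(f"{branch}: {artefact}")
```

The staging branch keys on the directory pattern rather than on the EICAR threat name alone, so an ordinary EICAR test download (second sample) does not fire, and the legitimate service binary under System32 (fourth sample) is ignored because it is neither a Defender event nor named RedSun.exe.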

Rule History

Author | Title | Date | Commit
Nasreddine Bencherchali | Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 | 2026-04-29 |
Swachchhanda Shrawan Poudel | Merge PR #5941 from @swachchhanda000 - Add RedSun Execution Indicators | 2026-04-28 |