Rule Info
Name
RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
Author
Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
Description
Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe). RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.
The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage, making the combination of this path prefix and the TieringEngineService.exe filename a highly specific indicator of RedSun activity.
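The following is an added example, not the rule's own YAML or any Nextron code: it re-implements the match described above over constructed Sysmon-style file-creation events (EventID 11, TargetFilename). The event field names and the RS-{GUID} directory shape (braces optional) are assumptions taken from the description's %TEMP%\RS-{GUID} example; the case-insensitive filename and component comparisons are the editor's choice.

```python
import re

# Added example, not the rule's own logic: re-implements the described match
# over constructed Sysmon-style file-creation events (EventID 11).
TARGET_FILENAME = "tieringengineservice.exe"

# Assumption: the staging directory looks like RS-{GUID}, as in the
# description's %TEMP%\RS-{GUID} example; braces are treated as optional.
RS_GUID_DIR = re.compile(
    r"(?:^|\\)RS-\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?(?:\\|$)",
    re.IGNORECASE,
)


def _components(path: str) -> list[str]:
    """Split a Windows path into components, tolerating forward slashes."""
    return [p for p in path.replace("/", "\\").split("\\") if p]


def matches_rule(target_filename: str) -> bool:
    """Broad match as described: TieringEngineService.exe (any case) created
    under a directory component carrying the RS- prefix."""
    parts = _components(target_filename)
    if len(parts) < 2 or parts[-1].lower() != TARGET_FILENAME:
        return False
    return any(d.upper().startswith("RS-") for d in parts[:-1])


def guid_shaped_dir(target_filename: str) -> bool:
    """Stricter check: the RS- component has the RS-{GUID} shape."""
    return RS_GUID_DIR.search(target_filename.replace("/", "\\")) is not None


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per matching file-creation event."""
    findings = []
    for ev in events:
        target = ev.get("TargetFilename", "")
        if ev.get("EventID") == 11 and matches_rule(target):
            findings.append({"image": ev.get("Image"), "target": target,
                             "guid_shaped": guid_shaped_dir(target)})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\TieringEngineService.exe"},  # normal location
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\sample.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\RS-{1b2c3d4e-5f60-4718-9a0b-c1d2e3f4a5b6}\TieringEngineService.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\sample.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\rs-stage\tieringengineservice.EXE"},  # case variant
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\sample.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\RS-{1b2c3d4e-5f60-4718-9a0b-c1d2e3f4a5b6}\placeholder.txt"},
]
```

The `guid_shaped` flag separates hits that match the exact RS-{GUID} form from the broader RS- prefix match, which is useful when tuning the rule against noisy telemetry.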
Date
2026-04-17 00:00:00
Modified
None
Id
f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
Tags
attack.stealth attack.t1036.005 detection.emerging-threats
Type
Community Rule
Link to Public Repo
