detection.wiki

Detection rules › Sigma

RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir

Status
experimental
Severity
critical
Log source
product windows, category file_event
Author
Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
Source
github.com/SigmaHQ/sigma

Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe). RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain. The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage, making the combination of this path prefix and the TieringEngineService.exe filename a highly specific indicator of RedSun activity.

MITRE ATT&CK coverage

TacticTechniques
StealthT1036.005 Masquerading: Match Legitimate Resource Name or Location

Event coverage

ProviderEventTitle
SysmonEvent ID 11FileCreate

Rule body yaml

title: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
id: f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
status: experimental
description: |
    Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic
    of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
    RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.

    The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage,
    making the combination of this path prefix and the TieringEngineService.exe filename a highly
    specific indicator of RedSun activity.
references:
    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.stealth
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\Temp'
            - '\RS-{'
        TargetFilename|endswith: '\TieringEngineService.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    TargetFilename|contains|all:
        - '\Temp'
        - '\RS-{'
    TargetFilename|endswith: '\TieringEngineService.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
TargetFilenameends_with
  • \TieringEngineService.exe
TargetFilenamematch
  • \RS-{
  • \Temp