{"id":231730,"date":"2026-04-24T13:27:04","date_gmt":"2026-04-24T13:27:04","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=231730"},"modified":"2026-04-24T14:30:52","modified_gmt":"2026-04-24T14:30:52","slug":"redsun-practical-detection-artifacts","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/redsun-practical-detection-artifacts\/","title":{"rendered":"REDSUN – Practical Detection Artifacts Under Real-World Constraints"},"content":{"rendered":"
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

This article documents practical detection opportunities for exploitation associated with REDSUN vulnerability<\/strong><\/a>, using public exploit research only as contextual background for the vulnerability.<\/p>

This write-up deliberately avoids overfitting on the public proof-of-concept launcher name. Detection logic is centered on behaviors and native artifacts that are more likely to survive renaming, repackaging, or partial code reuse by real-world attackers. The goal is not to detect a specific proof-of-concept filename, but to generalize forensic guidance for identifying exploitation of the vulnerability itself<\/strong>.<\/p>

The scope is therefore evidence-driven: the goal is to show what can still be detected on a Windows host using native artifacts only, even when endpoint telemetry is incomplete. In the investigated case, Sysmon was not deployed<\/strong>. Despite that limitation, the exploitation sequence could still be identified and reconstructed through Microsoft Defender Operational logs, Defender MPLogs, filesystem timeline artifacts, Prefetch, and ShimCache<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t

Executive Summary<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

REDSUN exploit is a local privilege escalation vulnerability affecting Microsoft Defender remediation behavior. Public exploit code shows a workflow in which a decoy binary is staged in a temporary directory, populated with an EICAR trigger, and intentionally driven into Defender scanning and remediation logic. The exploit then abuses Cloud Files sync root registration<\/strong>, placeholder creation<\/strong>, rename-and-reparse redirection<\/strong>, and the Storage Tiers Management<\/strong> COM activation path to obtain execution from C:\\Windows\\System32<\/code> as NT AUTHORITY\\SYSTEM<\/strong>.<\/p>

This article does not<\/strong> treat the original public launcher as the primary detection anchor. Instead, it focuses on the forensic artifacts left by the exploitation workflow itself, so that analysts can still investigate cases where the exploit logic has been integrated into another tool, renamed, obfuscated, or otherwise adapted.<\/p>

Review of the public exploit code aligns well with the observed artifacts from the investigated host. Some of the visible indicators below come directly from hard-coded strings in the public implementation and could be changed by an attacker in a real intrusion. For that reason, they should be treated as useful hunting clues rather than invariant signatures:<\/p>

  • a GUID-named %TEMP%<\/code> staging directory prefixed with RS-<\/code> in the public implementation<\/li>
  • a staged binary named TieringEngineService.exe<\/code> in the public implementation<\/li>
  • Cloud Files-related placeholder metadata associated with the staging directory<\/li>
  • a rename sequence involving .TMP<\/code> and .TEMP2<\/code> in the public implementation<\/li>
  • a mount-point reparse redirect to C:\\Windows\\System32<\/code><\/li>
  • subsequent execution from C:\\Windows\\System32<\/code><\/li>
  • follow-on execution under SYSTEM<\/li><\/ul>

    Even without Sysmon, this activity remains detectable through a combination of Defender Event ID 1116<\/strong>, Defender Event ID 1119<\/strong>, Service Control Manager 7000\/7009<\/strong>, DistributedCOM 10005<\/strong>, filesystem timeline artifacts<\/strong>, Prefetch<\/strong>, ShimCache<\/strong>, and Defender MPLogs<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

    \n\t\t\t\t
    \n\t\t\t\t\t

    Technical Context<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    Analysis of the public exploit code shows the following high-level sequence:<\/p>

    1. A working directory is created under %TEMP%<\/code> using the pattern RS-{GUID}<\/code> in the public implementation; both the prefix and naming convention are hard-coded and could be changed by an attacker.<\/li>
    2. A file named TieringEngineService.exe<\/code> is created in that directory in the public implementation; the exact filename is also attacker-controlled if the exploit logic is embedded or modified.<\/li>
    3. The file is populated with the reversed EICAR string, then reversed in memory before being written, so the on-disk content becomes the standard EICAR trigger; the trigger mechanism is central to the exploit, even if surrounding filenames are changed.<\/li>
    4. The staged file is opened in a way that triggers Microsoft Defender real-time scanning.<\/li>
    5. A helper thread monitors \\Device<\/code> for the appearance of a new HarddiskVolumeShadowCopy*<\/code> object, then opens the corresponding file in the shadow copy path and requests a batch oplock<\/strong> on it.<\/li>
    6. The exploit deletes the original staged file, registers the temporary directory as a Cloud Files sync root<\/strong>, and creates a placeholder file<\/strong> for the staged payload name; the Cloud Files behavior is the durable signal, whereas the exact path and filename may vary.<\/li>
    7. The original working directory is renamed to RS-{GUID}.TMP<\/code>, recreated under its original name, then the placeholder-backed file path is later renamed to RS-{GUID}.TEMP2<\/code> in the public implementation; these suffixes are implementation-specific and could be changed by an attacker.<\/li>
    8. The recreated working directory is turned into an NTFS mount point<\/strong> targeting C:\\Windows\\System32<\/code>.<\/li>
    9. The exploit repeatedly attempts to create a payload file under C:\\Windows\\System32<\/code>, then copies its own image to that path; the final filename used by the public exploit is mutable, but privileged-path placement is the key behavior.<\/li>
    10. It finally activates the Storage Tiers Management<\/strong> COM object using CLSID {50D185B9-FFF3-4656-92C7-E4018DA4361D}<\/code><\/strong>, which results in execution under SYSTEM.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
      \n\t\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t
      \n

      Note<\/p>\n

      Across artifact sources, the staging directory may appear under multiple closely related forms, including RS-{GUID}<\/code>, RS-{GUID}.TMP<\/code>, and later RS-{GUID}.TEMP2<\/code> in the public implementation. This is expected and reflects different moments in the staging, rename, placeholder, and cleanup sequence. In a real intrusion, these exact string forms may differ if the exploit is modified.<\/p>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

      \n\t\t\t\t
      \n\t\t\t\t\t

      Detection Artifacts<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t

      Defender Operational Log \u2014 Event ID 1116<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t

      The earliest and most actionable signal came from the Microsoft-Windows-Windows Defender\/Operational<\/code> log.<\/p>

      Representative event:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t

      Several fields are operationally significant:<\/p>

      1. Threat Name: Virus:DOS\/EICAR_Test_File<\/code> is the first pivot and should be considered suspicious when tied to an executable under a temporary staging directory.<\/li>
      2. Path<\/code> exposes the staged file path and the temporary directory naming pattern present in the investigated case.<\/li>
      3. Execution Name: Suspended<\/code> is consistent with interception during the Defender handling window.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
        \n\t\t\t\t
        \n\t\t\t\t\t\t\t\t\t

        Note<\/p>\n

        The exact filename and directory strings visible in Defender logs may be changed by an attacker in a modified implementation. The stronger detection concept is the combination of an EICAR-triggering executable in a suspicious temporary path and closely related remediation anomalies.<\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

        \n\t\t\t\t\t
        \n\t\t\t\t
        \n\t\t\t\t
        \n\t\t\t\t\t

        Defender Operational Log \u2014 Event ID 1119<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
        \n\t\t\t\t
        \n\t\t\t\t\t\t\t\t\t

        A second strong indicator comes from remediation failure telemetry.<\/p>

        In the observed case, Defender attempted to remediate the detected EICAR file but failed because the file was locked by another process.<\/p>

        Representative values include:<\/p>

        • Threat: Virus:DOS\/EICAR_Test_File<\/code><\/li>
        • File: C:\\Users\\<user>\\AppData\\Local\\Temp\\RS-{GUID}\\TieringEngineService.exe<\/code><\/li>
        • Error description: The process cannot access the file because it is being used by another process<\/code><\/li>
        • Remediation user: NT AUTHORITY\\SYSTEM<\/code><\/li><\/ul>

          This matches the public exploit logic closely. The code explicitly waits for the relevant file to appear through the shadow-copy path and requests a batch oplock<\/strong> against it, which makes remediation interference a core behavioral feature rather than an accidental side effect.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

          \n\t\t\t\t
          \n\t\t\t\t\t\t\t\t\t

          Important<\/p>\n

          The combination of:<\/p>\n\n

            \n \t
          • Defender Event ID 1116<\/code> for Virus:DOS\/EICAR_Test_File<\/code><\/li>\n \t
          • followed by Defender Event ID 1119<\/code> with a file-in-use remediation error<\/li>\n<\/ul>\n

            is a high-value detection pattern for this vulnerability.<\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

            \n\t\t\t\t
            \n\t\t\t\t\t

            Service and COM-Related Events<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
            \n\t\t\t\t
            \n\t\t\t\t\t\t\t\t\t

            System event logs can provide correlation points for the privileged execution phase.<\/p>

            Observed events include:<\/p>

            • Service Control Manager \u2014 Event ID 7009<\/strong>
              Timeout while waiting 30000 milliseconds for TieringEngineService<\/code><\/li>
            • Service Control Manager \u2014 Event ID 7000<\/strong>
              Service start failure for TieringEngineService<\/code><\/li>
            • DistributedCOM \u2014 Event ID 10005<\/strong>
              COM activation failure involving CLSID {50D185B9-FFF3-4656-92C7-E4018DA4361D}<\/code><\/strong><\/li><\/ul>

              These events are not specific enough to stand on their own, but they become highly useful when they occur close to Defender detections and filesystem artifacts tied to the staged payload and the privileged execution phase.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

              \n\t\t\t\t
              \n\t\t\t\t\t

              Filesystem Forensics<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
              \n\t\t\t\t
              \n\t\t\t\t\t

              Filesystem Timeline Artifacts<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
              \n\t\t\t\t
              \n\t\t\t\t\t\t\t\t\t

              The most useful filesystem artifacts are not just the temporary directory name, but the sequence of file creation, placeholder, rename, and redirection operations around it.<\/p>

              Observed entries show:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

              \n\t\t\t\t
              \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
              \n\t\t\t\t
              \n\t\t\t\t\t\t\t\t\t

              This combined view is important for three reasons:<\/p>

              • The presence of the staged binary inside the working directory shows the initial decoy creation step.<\/li>
              • Tea .SyncRootIdentity<\/code> artifact is especially valuable because it directly aligns with the Cloud Files sync-root registration behavior present in the exploit source code.<\/li><\/ul>

                One subtle but important point is that the exploit code first creates the working directory as RS-{GUID}<\/code>, later renames the directory itself to RS-{GUID}.TMP<\/code>, recreates the original directory name, then later renames the placeholder-backed file path to .TEMP2<\/code>. For that reason, different forensic sources may surface slightly different path variants without contradicting one another. In a modified implementation, the same sequence may exist under different strings.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

                \n\t\t\t\t
                \n\t\t\t\t\t

                MFT Timeline<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                \n\t\t\t\t
                \n\t\t\t\t\t\t\t\t\t

                The MFT timeline also showed access and execution-adjacent artifacts:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

                \n\t\t\t\t
                \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                \n\t\t\t\t
                \n\t\t\t\t\t\t\t\t\t

                The first suggests activity consistent with Cloud Files-related processing shortly before execution evidence appears, but should be treated as a correlation artifact rather than a standalone proof point. The second confirms Prefetch creation for the staged payload name used in the investigated case.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

                \n\t\t\t\t
                \n\t\t\t\t\t

                Prefetch<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                \n\t\t\t\t
                \n\t\t\t\t\t\t\t\t\t

                Prefetch provides strong native proof of execution.<\/p>

                Observed execution artifacts included:<\/p>

                • C:\\Windows\\System32\\TieringEngineService.exe<\/code><\/li>
                • C:\\Windows\\System32\\c[m]d.exe<\/code><\/li>
                • C:\\Windows\\System32\\whoami.exe<\/code><\/li><\/ul>

                  This sequence is important because it supports the expected post-exploitation flow: privileged payload execution followed by shell launch and privilege verification. In a real intrusion, the child processes may differ depending on operator objectives.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

                  \n\t\t\t\t
                  \n\t\t\t\t\t

                  Additional Native Artifacts<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                  \n\t\t\t\t
                  \n\t\t\t\t\t

                  Defender MPLogs, MPDetection and Detections.log<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                  \n\t\t\t\t
                  \n\t\t\t\t\t\t\t\t\t

                  Defender MPLogs and MPDetection add important depth to the analysis.<\/p>

                  Observed elements include:<\/p>

                  • repeated detections of the staged payload under C:\\Users\\<user>\\AppData\\Local\\Temp\\RS-{GUID}\\<\/code><\/li>
                  • quarantine attempts<\/li>
                  • explicit remove failures<\/li>
                  • references to \\Device\\HarddiskVolume*\\Windows\\System32\\TieringEngineService.exe<\/code><\/li><\/ul>

                    Representative examples:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

                    \n\t\t\t\t
                    \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                    \n\t\t\t\t
                    \n\t\t\t\t\t\t\t\t\t

                    Important<\/p>\n

                    If available, C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\<\/code> should be preserved early, as it may contains evidences related to TieringEngineService.exe. MPLogs can retain details that are not obvious from Event Viewer alone.<\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

                    \n\t\t\t\t
                    \n\t\t\t\t\t

                    Correlated Forensic Timeline From the Investigated Host<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                    \n\t\t\t\t
                    \n\t\t\t\t\t\t\t\t\t

                    The following timeline consolidates the most relevant host-level events observed on the investigated system.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

                    \n\t\t\t\t
                    \n\t\t\t\t\t\t\t
                    \n\n\n\t\t\t\n\n\n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n
                    Timestamp (UTC)<\/th>Source<\/th>Event<\/th><\/tr>\n<\/thead>\n
                    2026-04-18 12:24:20<\/td>\n MFT<\/td>\n Creation of\n C:\\Users\\<user>\\AppData\\Local\\Temp\\RS-{GUID}.TMP:${GUID}.SyncRootIdentity\n <\/td>\n <\/tr>\n
                    2026-04-18 12:24:20<\/td>\n MFT<\/td>\n Creation of C:\\Users\\<user>\\AppData\\Local\\Temp\\RS-{GUID}.TMP\\TIERIN~1.EXE<\/td>\n <\/tr>\n
                    2026-04-18 12:24:20<\/td>\n MFT<\/td>\n Creation of\n C:\\Users\\<user>\\AppData\\Local\\Temp\\RS-{GUID}.TMP\\TieringEngineService.exe\n <\/td>\n <\/tr>\n
                    2026-04-18 12:24:20<\/td>\n Defender Event ID 1116<\/td>\n Detection of Virus:DOS\/EICAR_Test_File on\n C:\\Users\\<user>\\AppData\\Local\\Temp\\RS-{GUID}\\TieringEngineService.exe\n <\/td>\n <\/tr>\n
                    2026-04-18 12:25:11<\/td>\n Prefetch<\/td>\n Execution of VSSVC.EXE and related service-host activity<\/td>\n <\/tr>\n
                    2026-04-18 12:25:13<\/td>\n Defender Event ID 1119<\/td>\n Remediation failure because the file TieringEngineService.exe is in use by another\n process<\/td>\n <\/tr>\n
                    2026-04-18 12:25:13<\/td>\n Service Control Manager \u2014 7009<\/td>\n Timeout while waiting for TieringEngineService<\/td>\n <\/tr>\n
                    2026-04-18 12:25:13<\/td>\n Service Control Manager \u2014 7000<\/td>\n Service start failure for TieringEngineService<\/td>\n <\/tr>\n
                    2026-04-18 12:25:13<\/td>\n DistributedCOM \u2014 10005<\/td>\n COM-related failure involving CLSID {50D185B9-FFF3-4656-92C7-E4018DA4361D}<\/td>\n <\/tr>\n
                    2026-04-18 12:25:13<\/td>\n Prefetch<\/td>\n Execution of C:\\Windows\\System32\\TieringEngineService.exe<\/td>\n <\/tr>\n
                    2026-04-18 12:25:13<\/td>\n Prefetch<\/td>\n Execution of C:\\Windows\\System32\\c[m]d.exe<\/td>\n <\/tr>\n
                    2026-04-18 12:25:16<\/td>\n Prefetch<\/td>\n Execution of C:\\Windows\\System32\\whoami.exe<\/td>\n <\/tr>\n
                    2026-04-18 12:27:34<\/td>\n Defender Event ID 1116<\/td>\n On this host, Defender additionally detected Exploit:Win32\/DfndrPERedSun.BB on\n C:\\Windows\\System32\\TieringEngineService.exe\n <\/td>\n <\/tr>\n
                    2026-04-18 12:27:57<\/td>\n Defender Event ID 1117<\/td>\n Successful quarantine\/remediation action against Exploit:Win32\/DfndrPERedSun.BB<\/td>\n <\/tr>\n<\/tbody>\n<\/table>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                    \n\t\t\t\t
                    \n\t\t\t\t\t\t\t\t\t

                    This timeline supports a coherent exploitation narrative:<\/p>

                    1. A temporary GUID-named staging directory is created and populated with a decoy executable.<\/li>
                    2. Cloud Files-related registration artifact appears via .SyncRootIdentity<\/code>.<\/li>
                    3. Defender detects the EICAR-based decoy.<\/li>
                    4. Remediation fails because the file is being actively held during the exploitation window.<\/li>
                    5. Service and COM-related errors appear around the privileged execution phase.<\/li>
                    6. Execution pivots into a System32<\/code> payload path.<\/li>
                    7. Follow-on c[m]d.exe<\/code> and whoami.exe<\/code> execution strongly suggest successful SYSTEM-level post-exploitation.<\/li>
                    8. On the investigated host, Defender later generated additional detections under Exploit:Win32\/DfndrPERedSun.BB<\/code> and eventually quarantined the System32<\/code> payload.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                      \n\t\t\t\t
                      \n\t\t\t\t\t

                      Hardening Recommendations<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                      \n\t\t\t\t
                      \n\t\t\t\t\t\t\t\t\t
                      • Treat suspicious EICAR detections as potentially hostile when they are associated with executable staging and remediation anomalies.<\/li>
                      • Monitor for Defender remediation failures on active files.<\/li>
                      • Collect and retain Windows Defender related event logs, MPLogs and MPDetection logs.<\/li>
                      • Monitor and alert for TieringEngineService outside of expected behavior, especially when correlated with recent Defender remediation anomalies and file creation in %TEMP% directory.<\/li>
                      • If Sysmon is available, add process creation, file create, and file delete coverage.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                        \n\t\t\t\t
                        \n\t\t\t\t\t

                        Conclusion<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                        \n\t\t\t\t
                        \n\t\t\t\t\t\t\t\t\t

                        This article intentionally avoids over-reliance on the original public proof-of-concept binary name and instead focuses on forensic evidence more likely to persist in real intrusions where the exploit code is embedded or modified.<\/p>

                        The strongest practical detection opportunities are:<\/p>

                        • Defender 1116<\/code> on Virus:DOS\/EICAR_Test_File<\/code><\/li>
                        • Defender 1119<\/code> remediation failure with file-lock symptoms<\/li>
                        • Suspicious temporary staging and rename behavior<\/li>
                        • Cloud Files sync-root artifact such as .SyncRootIdentity<\/code><\/li>
                        • Placement or execution from C:\\Windows\\System32<\/code><\/li>
                        • DCOM correlation around the Storage Tiers activation path<\/li>
                        • On some systems, later Defender detection under Exploit:Win32\/DfndrPERedSun.BB<\/code><\/li>
                        • Defender MPLogs showing failed remediation and privileged-path references<\/li><\/ul>

                          Taken together, these artifacts allow defenders to move from a generic Defender detection to a much stronger conclusion.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

                          \n\t\t\t\t\t
                          \n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
                          \n\t\t\t\t\t
                          \n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
                          \n\t\t\t\t\t
                          \n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
                          \n\t\t\t\t\t
                          \n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
                          \n\t\t\t\t\t
                          \n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"

                          This article documents practical detection opportunities for exploitation associated with REDSUN vulnerability, using public exploit research only as contextual background for the vulnerability.
                          \nThis write-up deliberately avoids over fitting on the public proof-of-concept launcher name. Detection logic is centered on behaviors and native artifacts that are more likely to survive renaming, repackaging, or partial code reuse by real-world attackers. The goal is not to detect a specific proof-of-concept filename, but to generalize forensic guidance for identifying exploitation of the vulnerability itself.
                          \nThe scope is therefore evidence-driven: the goal is to show what can still be detected on a Windows host using native artifacts only, even when endpoint telemetry is incomplete. In the investigated case, Sysmon was not deployed. Despite that limitation, the exploitation sequence could still be identified and reconstructed through Microsoft Defender Operational logs, Defender MPLogs, filesystem timeline artifacts, Prefetch, and ShimCache.<\/p>","protected":false},"author":55,"featured_media":231752,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[176],"class_list":["post-231730","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cert","tag-incident-response"],"yoast_head":"\nRedsun : opportunit\u00e9s de d\u00e9tection pratiques - INTRINSEC<\/title>\n<meta name=\"description\" content=\"D\u00e9couvrez les opportunit\u00e9s de d\u00e9tection pratiques li\u00e9es \u00e0 la vuln\u00e9rabilit\u00e9 REDSUN et apprenez \u00e0 identifier les comportements suspects.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/redsun-practical-detection-artifacts\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"REDSUN - Practical Detection Artifacts Under Real-World Constraints\" \/>\n<meta property=\"og:description\" content=\"D\u00e9couvrez les opportunit\u00e9s de d\u00e9tection pratiques li\u00e9es \u00e0 la vuln\u00e9rabilit\u00e9 REDSUN et apprenez \u00e0 identifier les comportements suspects.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/redsun-practical-detection-artifacts\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-24T13:27:04+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-24T14:30:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/04\/redsun-e1776782736441.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1027\" \/>\n\t<meta property=\"og:image:height\" content=\"370\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"CERT Intrinsec\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"CERT Intrinsec\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/\"},\"author\":{\"name\":\"CERT Intrinsec\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/1ec04601123170d245331ea69b78356e\"},\"headline\":\"REDSUN – Practical Detection Artifacts Under Real-World Constraints\",\"datePublished\":\"2026-04-24T13:27:04+00:00\",\"dateModified\":\"2026-04-24T14:30:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/\"},\"wordCount\":1843,\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/redsun-e1776782736441.png\",\"keywords\":[\"Incident Response\"],\"articleSection\":[\"CERT\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/\",\"name\":\"Redsun : opportunit\u00e9s de d\u00e9tection pratiques - INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/redsun-e1776782736441.png\",\"datePublished\":\"2026-04-24T13:27:04+00:00\",\"dateModified\":\"2026-04-24T14:30:52+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/1ec04601123170d245331ea69b78356e\"},\"description\":\"D\u00e9couvrez les opportunit\u00e9s de d\u00e9tection pratiques li\u00e9es \u00e0 la vuln\u00e9rabilit\u00e9 REDSUN et apprenez \u00e0 identifier les comportements suspects.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/redsun-e1776782736441.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/redsun-e1776782736441.png\",\"width\":1027,\"height\":370},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/redsun-practical-detection-artifacts\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"REDSUN – Practical Detection Artifacts Under Real-World Constraints\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/1ec04601123170d245331ea69b78356e\",\"name\":\"CERT Intrinsec\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/48491cc0395b3eed17e56104e0ad5a174d5133baeb103718533f3bc781e03778?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/48491cc0395b3eed17e56104e0ad5a174d5133baeb103718533f3bc781e03778?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/48491cc0395b3eed17e56104e0ad5a174d5133baeb103718533f3bc781e03778?s=96&d=retro&r=g\",\"caption\":\"CERT Intrinsec\"},\"sameAs\":[\"https:\\\/\\\/www.intrinsec.com\\\/category\\\/cert\\\/\"],\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/certintrinsec\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Redsun : opportunit\u00e9s de d\u00e9tection pratiques - INTRINSEC","description":"D\u00e9couvrez les opportunit\u00e9s de d\u00e9tection pratiques li\u00e9es \u00e0 la vuln\u00e9rabilit\u00e9 REDSUN et apprenez \u00e0 identifier les comportements suspects.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/redsun-practical-detection-artifacts\/","og_locale":"en_US","og_type":"article","og_title":"REDSUN - Practical Detection Artifacts Under Real-World Constraints","og_description":"D\u00e9couvrez les opportunit\u00e9s de d\u00e9tection pratiques li\u00e9es \u00e0 la vuln\u00e9rabilit\u00e9 REDSUN et apprenez \u00e0 identifier les comportements suspects.","og_url":"https:\/\/www.intrinsec.com\/en\/redsun-practical-detection-artifacts\/","og_site_name":"INTRINSEC","article_published_time":"2026-04-24T13:27:04+00:00","article_modified_time":"2026-04-24T14:30:52+00:00","og_image":[{"width":1027,"height":370,"url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/04\/redsun-e1776782736441.png","type":"image\/png"}],"author":"CERT Intrinsec","twitter_card":"summary_large_image","twitter_misc":{"Written by":"CERT Intrinsec","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/"},"author":{"name":"CERT Intrinsec","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/1ec04601123170d245331ea69b78356e"},"headline":"REDSUN – Practical Detection Artifacts Under Real-World Constraints","datePublished":"2026-04-24T13:27:04+00:00","dateModified":"2026-04-24T14:30:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/"},"wordCount":1843,"image":{"@id":"https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/04\/redsun-e1776782736441.png","keywords":["Incident Response"],"articleSection":["CERT"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/","url":"https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/","name":"Redsun : opportunit\u00e9s de d\u00e9tection pratiques - INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/04\/redsun-e1776782736441.png","datePublished":"2026-04-24T13:27:04+00:00","dateModified":"2026-04-24T14:30:52+00:00","author":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/1ec04601123170d245331ea69b78356e"},"description":"D\u00e9couvrez les opportunit\u00e9s de d\u00e9tection pratiques li\u00e9es \u00e0 la vuln\u00e9rabilit\u00e9 REDSUN et apprenez \u00e0 identifier les comportements suspects.","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/#primaryimage","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/04\/redsun-e1776782736441.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/04\/redsun-e1776782736441.png","width":1027,"height":370},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/redsun-practical-detection-artifacts\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"REDSUN – Practical Detection Artifacts Under Real-World Constraints"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/1ec04601123170d245331ea69b78356e","name":"Intrinsic CERT","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/48491cc0395b3eed17e56104e0ad5a174d5133baeb103718533f3bc781e03778?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/48491cc0395b3eed17e56104e0ad5a174d5133baeb103718533f3bc781e03778?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/48491cc0395b3eed17e56104e0ad5a174d5133baeb103718533f3bc781e03778?s=96&d=retro&r=g","caption":"CERT Intrinsec"},"sameAs":["https:\/\/www.intrinsec.com\/category\/cert\/"],"url":"https:\/\/www.intrinsec.com\/en\/author\/certintrinsec\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/231730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=231730"}],"version-history":[{"count":25,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/231730\/revisions"}],"predecessor-version":[{"id":231865,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/231730\/revisions\/231865"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media\/231752"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=231730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=231730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=231730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}