feat: add RedSun Windows Defender 0-day (CVE-2026-33825) detection rule

LasCC · LasCC · commit 2e3f903afa1e · 2026-04-17T19:43:37.000-04:00
Static analysis of Nightmare-Eclipse/RedSun.cpp PoC identified these IOCs:
- working dir %TEMP%\RS-{GUID} (hardcoded prefix + CoCreateGuid)
- named pipe \pipe\REDSUN (CreateNamedPipe + GetNamedPipeServerSessionId)
- payload filename TieringEngineService.exe impersonating the real MS svc
- reparse mount point to \??\C:\Windows\System32 from user-writable dir
- Cloud Files provider "SERIOUSLYMSFT" (CfRegisterSyncRoot)
- Storage Tiers DCOM CLSID {50d185b9-fff3-4656-92c7-e4018da4361d}
- stdout markers "The red sun shall prevail", "The sun is shinning"

The rule fires on the exploit primitive (MsMpEng.exe writing
TieringEngineService.exe), pre-staging (TEMP drops), post-exploitation
(System32\TieringEngineService.exe spawning conhost.exe), and on any
indicator metadata surfacing the PoC-specific strings. Servicing paths
(WinSxS, SoftwareDistribution, DriverStore, Defender quarantine/platform)
excluded to avoid FP on legitimate MS updates.
diff --git a/s1_powerquery_hunting.json b/s1_powerquery_hunting.json
@@ -199,6 +199,11 @@
         "name": "UAC Bypass Using Fodhelper",
         "query": "(event.type in ('Registry Value Set', 'Registry Value Create')) AND (registry.keyPath contains:anycase '\\\\ms-settings\\\\Shell\\\\Open\\\\command' AND registry.value contains:anycase 'DelegateExecute')\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.name, src.process.verified, registry.keyPath, registry.value\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.name, src.process.verified, registry.keyPath, registry.value, Count\n| sort -Count\n| limit 100000"
     },
+    {
+        "category": "Privilege Escalation",
+        "name": "RedSun Windows Defender 0-day (CVE-2026-33825)",
+        "query": "(tgt.file.path contains:anycase \"\\\\Temp\\\\RS-{\" OR src.process.cmdline contains:anycase \"\\\\Temp\\\\RS-{\" OR src.process.image.path contains:anycase \"\\\\Temp\\\\RS-{\" OR tgt.file.path contains:anycase \"\\\\pipe\\\\REDSUN\" OR src.process.cmdline contains:anycase \"\\\\pipe\\\\REDSUN\" OR (src.process.name contains:anycase \"MsMpEng.exe\" AND tgt.file.path contains:anycase \"TieringEngineService.exe\") OR (tgt.file.path contains:anycase \"TieringEngineService.exe\" AND tgt.file.path contains:anycase (\"\\\\Temp\\\\\",\"\\\\AppData\\\\\",\"\\\\ProgramData\\\\\",\"\\\\Users\\\\Public\\\\\",\"\\\\Downloads\\\\\",\"\\\\Desktop\\\\\")) OR (src.process.parent.image.path contains:anycase \"\\\\TieringEngineService.exe\" AND src.process.name contains:anycase \"conhost.exe\") OR src.process.cmdline contains:anycase (\"SERIOUSLYMSFT\",\"The red sun shall prevail\",\"The sun is shinning\") OR indicator.metadata contains:anycase (\"SERIOUSLYMSFT\",\"50d185b9-fff3-4656-92c7-e4018da4361d\",\"\\\\pipe\\\\REDSUN\",\"\\\\Temp\\\\RS-{\")) NOT (tgt.file.path contains:anycase (\"\\\\WinSxS\\\\\",\"\\\\servicing\\\\\",\"\\\\SoftwareDistribution\\\\\",\"\\\\DriverStore\\\\\",\"\\\\Windows\\\\Installer\\\\\",\"\\\\Windows\\\\assembly\\\\\",\"\\\\Windows Defender\\\\Quarantine\\\\\",\"\\\\Windows Defender\\\\Platform\\\\\"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtPaths=array_agg_distinct(tgt.file.path), UniqueIndMeta=array_agg_distinct(indicator.metadata, 10) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, indicator.name\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtPaths = UniqueTgtPaths.to_string(', '), AllIndMeta = UniqueIndMeta.to_string(' | ')\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtPaths, indicator.name, AllIndMeta, Count\n| sort -Count\n| limit 100000"
+    },
     {
         "category": "Execution & LOLBAS",
         "name": "Usage Of Sysinternals Tools",
