Defender Red Sun Detection Tiering Engine Service Created In App Data
Query
//https://github.com/Nightmare-Eclipse/RedSun
//Uses a Defender detection to escalate to system. Note I couldn't get this exploit in MDE. It will fail to request a batch oplock on the update file.
// The binary/code supplied in repo uses an EICAR signature but a threatactor could subs this for anything so long as defender is triggered.
//Code will back out if real time monitoring is not enabled.
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName == "TieringEngineService.exe" //Binary creates its own File in DoCloudStuff()
| where FolderPath contains @"\AppData\" //File Created here but legitimate binary is in System32 pathExplanation
This KQL (Kusto Query Language) query is designed to monitor and detect suspicious file creation activities on a device. Here's a simple breakdown of what the query does:
-
Data Source: The query is examining data from
DeviceFileEvents, which logs file-related activities on a device. -
Filter by Action: It filters the events to only include those where a file was created (
ActionType == "FileCreated"). -
Specific File Name: It further narrows down the results to only include events where the file created is named
TieringEngineService.exe. -
Location Check: It checks if the file was created in a folder path that contains
\AppData\. This is suspicious because the legitimate version of this binary is expected to be in theSystem32directory, notAppData.
The comments in the query provide additional context:
- The query is related to a potential exploit that uses Microsoft Defender detections to escalate privileges to the system level.
- The exploit involves creating a file with a specific name in an unusual location to trigger Defender's real-time monitoring.
- The code in the repository uses an EICAR test signature, but a real attacker could substitute this with any payload that triggers Defender.
- The exploit will not proceed if real-time monitoring by Defender is not enabled.
Overall, this query is part of a security monitoring effort to detect potentially malicious activities involving file creation in unexpected locations, which could indicate an attempt to exploit system vulnerabilities.
Details

Jay Kerai
Released: April 16, 2026
Tables
Keywords
Operators