
Windows Suspicious Child Process of TieringEngineService.exe

Splunk Security Content

Summary
Detects RedSun privilege escalation activity on Windows endpoints where the legitimate TieringEngineService.exe is replaced by a malicious binary, which then spawns a SYSTEM-level shell in the attacker's session (e.g., conhost.exe, cmd.exe, PowerShell). The rule flags a suspicious child-process chain in which the parent process (TieringEngineService.exe) launches common shell or utility processes (bitsadmin.exe, cmd.exe, conhost.exe, cscript.exe, curl.exe, powershell.exe, pwsh.exe, rundll32.exe, wmic.exe), or their process-name variants, under a user context matching SYSTEM or AUTHORITY.

Implemented as a Splunk detection over the Endpoint Processes data model, it uses tstats to compute first and last seen times and groups results by destination, user, and process metadata (original_file_name, parent_process, process_name, process, etc.). The search relies on endpoint telemetry from Sysmon (Event ID 1), Windows Security log event 4688, and CrowdStrike ProcessRollup2 to identify process creations that match the described lineage.

This aligns with MITRE ATT&CK technique T1068 (Privilege Escalation) and is associated with RedSun activity (including CVE-2026-33825). References include the RedSun repository and Huntress coverage. The rule provides drill-downs to view detection results per destination and to surface risk context for the last 7 days. False positives are not currently documented.

Implementation notes emphasize ingesting complete command lines and parent/child process relationships from EDR telemetry, mapping logs to the Endpoint CIM data model, and normalizing field names for faster data modeling and correlation across security products. An evidence-based unit test uses RedSun attack data (Sysmon) to validate true positives.
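The lineage check described above, as an added Python example rather than the Splunk search itself: it applies the same parent/child/user conditions to process-creation events and aggregates them the way the tstats search does (one row per destination, user, parent and child with first time, last time and count). The event field names (`_time`, `dest`, `user`, `parent_process`, `process`) are assumed to mirror the Endpoint.Processes data model, and the sample events are constructed for this example, not taken from the RedSun test data.

```python
import re
from collections import defaultdict

# Parent image whose children the rule scrutinises, and the child images it lists.
PARENT = "tieringengineservice.exe"
SUSPICIOUS_CHILDREN = {
    "bitsadmin.exe", "cmd.exe", "conhost.exe", "cscript.exe", "curl.exe",
    "powershell.exe", "pwsh.exe", "rundll32.exe", "wmic.exe",
}
# The rule keys on SYSTEM / AUTHORITY appearing in the user field (e.g. "NT AUTHORITY\SYSTEM").
PRIVILEGED_USER = re.compile(r"SYSTEM|AUTHORITY", re.IGNORECASE)


def image_name(path):
    """Lowercase basename of a Windows (or POSIX) image path, so that
    'C:\\Windows\\System32\\cmd.exe' and 'cmd.exe' compare equal."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def is_suspicious(event):
    """True when the event matches the rule's lineage and user-context conditions."""
    return (
        image_name(event["parent_process"]) == PARENT
        and image_name(event["process"]) in SUSPICIOUS_CHILDREN
        and PRIVILEGED_USER.search(event["user"]) is not None
    )


def find_suspicious_children(events):
    """Group matching events like the tstats search: one row per
    (dest, user, parent_process_name, process_name) with firstTime, lastTime, count."""
    groups = defaultdict(list)
    for ev in events:
        if is_suspicious(ev):
            key = (ev["dest"], ev["user"],
                   image_name(ev["parent_process"]), image_name(ev["process"]))
            groups[key].append(ev["_time"])  # ISO-8601 strings sort chronologically
    rows = []
    for (dest, user, parent, child), times in sorted(groups.items()):
        rows.append({
            "dest": dest, "user": user,
            "parent_process_name": parent, "process_name": child,
            "firstTime": min(times), "lastTime": max(times), "count": len(times),
        })
    return rows


# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"_time": "2026-06-16T10:00:00Z", "dest": "ws01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process": "C:\\Windows\\System32\\TieringEngineService.exe",
     "process": "C:\\Windows\\System32\\cmd.exe"},
    {"_time": "2026-06-16T10:00:01Z", "dest": "ws01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process": "C:\\Windows\\System32\\TieringEngineService.exe",
     "process": "C:\\Windows\\System32\\conhost.exe"},
    {"_time": "2026-06-16T10:05:00Z", "dest": "ws01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process": "TieringEngineService.exe",
     "process": "cmd.exe"},
    # Excluded: child launched under a normal user account, not SYSTEM.
    {"_time": "2026-06-16T10:06:00Z", "dest": "ws02", "user": "CORP\\alice",
     "parent_process": "C:\\Windows\\System32\\TieringEngineService.exe",
     "process": "C:\\Windows\\System32\\cmd.exe"},
    # Excluded: wrong parent.
    {"_time": "2026-06-16T10:07:00Z", "dest": "ws02", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process": "C:\\Windows\\explorer.exe",
     "process": "C:\\Windows\\System32\\cmd.exe"},
    # Excluded: child is not in the rule's list.
    {"_time": "2026-06-16T10:08:00Z", "dest": "ws02", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process": "C:\\Windows\\System32\\TieringEngineService.exe",
     "process": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for row in find_suspicious_children(SAMPLE_EVENTS):
        print(row)
```

Running the block yields two rows for ws01 (cmd.exe with a count of 2 spanning 10:00:00 to 10:05:00, and conhost.exe with a count of 1); the three excluded events show why the rule needs the parent name, the child name and the user context together, and why basename normalization matters when telemetry sources disagree on whether they record full paths.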
Categories
  • Endpoint
  • Windows
Data Sources
  • Sensor Health
  • Windows Registry
  • Web Credential
  • Image
  • Process
  • File
  • Logon Session
  • Network Traffic
  • Module
ATT&CK Techniques
  • T1068
Created: 2026-06-16