Windows VSSVC Process Accessing Defender Engine

Splunk Security Content

Summary
Detects vssvc.exe opening a handle to MsMpEng.exe by monitoring Windows Sysmon Event ID 10 (Process Access). In the RedSun intrusion scenario, VSS participates in a cloud-file restore race that causes Windows Defender (MsMpEng.exe) to be accessed in a suspicious context, indicating possible privilege escalation or defense evasion. The rule flags events where TargetImage is MsMpEng.exe and SourceImage is vssvc.exe, a pattern not expected during normal Defender operation. The Splunk search aggregates by event fields (EventID, GrantedAccess, Guid, Opcode, ProcessID, and related process information) to surface first and last access times and to give a concise view of the interaction between vssvc.exe and MsMpEng.exe. It relies on Sysmon logs and a Sysmon-based configuration, and applies a post-filter macro to reduce known false positives. The rule references RedSun and Huntress analyses and maps to MITRE ATT&CK T1068 (Exploitation for Privilege Escalation). It is categorized under Endpoint protection and is relevant to Windows-based threats, with an associated CVE (CVE-2026-33825) and a test dataset for true-positive validation.
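The following is an added example, not the rule's own SPL from Splunk Security Content: it emulates the described logic in Python over a handful of constructed Sysmon Event ID 10 records, filtering on SourceImage vssvc.exe and TargetImage MsMpEng.exe, grouping by host, process IDs and GrantedAccess, and reporting first and last access times. Field names follow Sysmon's Event ID 10 schema; the sample events, host name and process IDs are constructed, and `no_known_false_positives` is a stand-in for the rule's post-filter macro, whose contents the page does not give.

```python
"""Added example: Python emulation of the described Sysmon Event ID 10 detection.
Not the Splunk rule's own search; sample events below are constructed."""
from collections import OrderedDict
from datetime import datetime

# Constructed Sysmon Event ID 10 (Process Access) records, subset of fields.
DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"
SAMPLE_EVENTS = [
    # vssvc.exe opens a handle to MsMpEng.exe twice: the pattern the rule flags.
    {"EventID": 10, "UtcTime": "2026-06-16 08:00:01.000", "Computer": "WKSTN01",
     "SourceImage": r"C:\Windows\System32\VSSVC.exe", "SourceProcessId": 1234,
     "TargetImage": DEFENDER, "TargetProcessId": 3456, "GrantedAccess": "0x1000"},
    {"EventID": 10, "UtcTime": "2026-06-16 08:00:05.500", "Computer": "WKSTN01",
     "SourceImage": r"C:\Windows\System32\VSSVC.exe", "SourceProcessId": 1234,
     "TargetImage": DEFENDER, "TargetProcessId": 3456, "GrantedAccess": "0x1000"},
    # A different source process reaching MsMpEng.exe: out of scope for this rule.
    {"EventID": 10, "UtcTime": "2026-06-16 08:00:07.000", "Computer": "WKSTN01",
     "SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": 900,
     "TargetImage": DEFENDER, "TargetProcessId": 3456, "GrantedAccess": "0x1400"},
    # vssvc.exe accessing something other than Defender: out of scope.
    {"EventID": 10, "UtcTime": "2026-06-16 08:00:09.000", "Computer": "WKSTN01",
     "SourceImage": r"C:\Windows\System32\VSSVC.exe", "SourceProcessId": 1234,
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 900,
     "GrantedAccess": "0x1000"},
    # A process-create event (ID 1) from vssvc.exe: wrong event type.
    {"EventID": 1, "UtcTime": "2026-06-16 08:00:10.000", "Computer": "WKSTN01",
     "Image": r"C:\Windows\System32\VSSVC.exe", "ProcessId": 1234},
]


def _basename(image: str) -> str:
    """Lower-cased file name from a Windows (or POSIX-style) image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parse_utc(ts: str) -> datetime:
    """Sysmon UtcTime looks like '2026-06-16 08:00:01.000'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def matches_rule(event: dict) -> bool:
    """Event ID 10 with vssvc.exe as the source and MsMpEng.exe as the target."""
    return (event.get("EventID") == 10
            and _basename(event.get("SourceImage", "")) == "vssvc.exe"
            and _basename(event.get("TargetImage", "")) == "msmpeng.exe")


def no_known_false_positives(hit: dict) -> bool:
    """Stand-in for the rule's post-filter macro (assumption: the page names
    the macro but not its contents). Return True to keep the hit."""
    return True


def detect(events, post_filter=no_known_false_positives):
    """Group matching events the way the described search does: by host,
    source/target process IDs and GrantedAccess, with first/last access
    time and a count per group, then apply the false-positive post-filter."""
    groups = OrderedDict()
    for e in events:
        if not matches_rule(e):
            continue
        key = (e["Computer"], e["SourceProcessId"], e["TargetProcessId"],
               e["GrantedAccess"])
        ts = _parse_utc(e["UtcTime"])
        g = groups.setdefault(key, {
            "Computer": e["Computer"],
            "SourceImage": e["SourceImage"], "SourceProcessId": e["SourceProcessId"],
            "TargetImage": e["TargetImage"], "TargetProcessId": e["TargetProcessId"],
            "GrantedAccess": e["GrantedAccess"],
            "firstTime": ts, "lastTime": ts, "count": 0,
        })
        g["firstTime"] = min(g["firstTime"], ts)
        g["lastTime"] = max(g["lastTime"], ts)
        g["count"] += 1
    return [g for g in groups.values() if post_filter(g)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['SourceImage']} -> {hit['TargetImage']} "
              f"access={hit['GrantedAccess']} count={hit['count']} "
              f"first={hit['firstTime']} last={hit['lastTime']}")
```

The name comparison is done on the lower-cased basename because Sysmon records the image path with whatever case the loader used (VSSVC.exe vs vssvc.exe) and MsMpEng.exe lives under a versioned Platform directory; matching on the full path would miss legitimate hits, while matching on the basename alone mirrors the rule's SourceImage/TargetImage conditions. Grouping by GrantedAccess keeps distinct access masks as separate rows, which is what an analyst wants to see when triaging why a VSS process touched the Defender engine at all.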
Categories
  • Endpoint
Data Sources
  • Cloud Storage
  • Process
  • File
  • Windows Registry
ATT&CK Techniques
  • T1068
Created: 2026-06-16