Query Details

Defender Red Sun Detection Named Pipe Detection

Query

// https://github.com/Nightmare-Eclipse/RedSun
// Uses a Defender detection to escalate to SYSTEM. Note: I couldn't get this exploit to work in MDE; it will fail to request a batch oplock on the update file.
// The binary/code supplied in the repo uses an EICAR signature, but a threat actor could substitute anything for it so long as Defender is triggered.
// Code will back out if real-time monitoring is not enabled.
DeviceEvents
| where ActionType contains "NamedPipeEvent"
| where parse_json(AdditionalFields)["RemoteClientsAccess"] == 'AcceptRemote'
//| where parse_json(AdditionalFields)["PipeName"] == @'\Device\NamedPipe\REDSUN' // Low-fidelity: the named pipe name (line 518 in the PoC code) can be changed, but it is included here for reference
| where parse_json(AdditionalFields)["DesiredAccess"] == '1704351' // Technically the access mask can be modified
| where InitiatingProcessAccountName != @"system" and InitiatingProcessAccountName != "network service" and AccountSid != @"S-1-5-18" // PoC runs from an unprivileged user
| where parse_json(AdditionalFields)["FileOperation"] == 'File created'
| where InitiatingProcessVersionInfoCompanyName != @"Microsoft Corporation" // The process that creates the named pipe is the RedSun.exe binary (the file name can be changed)

Explanation

This KQL (Kusto Query Language) query is designed to detect the named pipe created by the RedSun privilege-escalation proof of concept, which abuses a Defender detection to escalate to SYSTEM. Here is a breakdown of what each filter does:

  1. Data Source: The query reads the DeviceEvents table, the Microsoft Defender for Endpoint advanced hunting table that holds miscellaneous device event types, including named pipe events.

  2. Named Pipe Event: It filters for events whose ActionType contains "NamedPipeEvent". Named pipes are a Windows inter-process communication mechanism, and pipe creation by an unexpected process is a useful signal for this PoC because the exploit has to create one.

  3. Remote Access: It checks that the pipe was created to accept remote clients, i.e. the RemoteClientsAccess field in AdditionalFields is 'AcceptRemote'.

  4. Access Rights: The query filters for events where DesiredAccess is '1704351', the access mask the PoC requests when it creates the pipe. As the query comment notes, an attacker can change this value, so it raises fidelity rather than serving as a hard indicator.

  5. User Privilege Check: It excludes events initiated by privileged accounts such as "system" or "network service", and events whose AccountSid is the well-known local SYSTEM SID (S-1-5-18). The remaining events come from a less privileged user, which matches the PoC being run from an unprivileged account as the first step of an escalation.

  6. File Operation: It keeps only events where the pipe was created (FileOperation is 'File created'), not later opens or connections to an existing pipe.

  7. Company Name Check: The query excludes events where the initiating process's version-info company name is "Microsoft Corporation". Version info is file metadata rather than a code signature, so this filter drops binaries that declare themselves as Microsoft's without proving they are signed; what remains are processes such as the RedSun.exe binary mentioned in the comments, whatever the file has been renamed to.

Overall, this query surfaces pipe-creation events in which a non-privileged user creates a named pipe that accepts remote clients, with the PoC's access mask, from a process that does not present itself as a Microsoft binary. Together these filters describe the RedSun PoC's footprint, so a hit is worth investigating as a possible local privilege-escalation attempt.
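To see how the seven filters combine on concrete rows, here is an added Python example (not part of this query page or of the RedSun repository) that replays the same predicates over a handful of constructed DeviceEvents records. AdditionalFields is carried as a JSON string, as advanced hunting returns it, so it is parsed the way parse_json() parses it in the query. The example also decodes the pinned DesiredAccess value into the standard Win32 access-right bits from winnt.h, which makes visible why the query comment warns that the mask can be modified. The sample rows, the ReportId values and the alternative mask 1180063 are all constructed for the example.

```python
import json

# Values taken from the query on this page.
REQUIRED_ACTION = "NamedPipeEvent"
PINNED_DESIRED_ACCESS = "1704351"
EXCLUDED_ACCOUNT_NAMES = {"system", "network service"}
LOCAL_SYSTEM_SID = "S-1-5-18"
MICROSOFT_COMPANY = "Microsoft Corporation"

# Standard Win32 access-right bits (winnt.h), used only to make the pinned
# access mask readable.
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}


def decode_access_mask(mask: int) -> list:
    """Return the names of the known access-right bits set in `mask`, low bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def matches_redsun_query(event: dict) -> bool:
    """Apply the page's KQL predicates to one DeviceEvents row (a dict of column -> value).

    KQL `contains` is case-insensitive while `==` / `!=` are case-sensitive, so only
    the ActionType check is case-folded. A `!=` against a missing (null) column is
    false in KQL, so rows with a missing column are dropped here as well.
    """
    if REQUIRED_ACTION.lower() not in str(event.get("ActionType", "")).lower():
        return False
    try:
        extra = json.loads(event.get("AdditionalFields") or "{}")
    except (TypeError, json.JSONDecodeError):
        return False
    if extra.get("RemoteClientsAccess") != "AcceptRemote":
        return False
    if str(extra.get("DesiredAccess", "")) != PINNED_DESIRED_ACCESS:
        return False
    account = event.get("InitiatingProcessAccountName")
    if account is None or account in EXCLUDED_ACCOUNT_NAMES:
        return False
    sid = event.get("AccountSid")
    if sid is None or sid == LOCAL_SYSTEM_SID:
        return False
    if extra.get("FileOperation") != "File created":
        return False
    company = event.get("InitiatingProcessVersionInfoCompanyName")
    if company is None or company == MICROSOFT_COMPANY:
        return False
    return True


def _row(report_id, account, sid, company, desired=PINNED_DESIRED_ACCESS):
    """Build one constructed DeviceEvents row with the columns the query touches."""
    return {
        "ReportId": report_id,
        "ActionType": "NamedPipeEvent",
        "AccountSid": sid,
        "InitiatingProcessAccountName": account,
        "InitiatingProcessVersionInfoCompanyName": company,
        "AdditionalFields": json.dumps({
            "PipeName": r"\Device\NamedPipe\REDSUN",
            "RemoteClientsAccess": "AcceptRemote",
            "DesiredAccess": desired,
            "FileOperation": "File created",
        }),
    }


USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed domain user SID

# Constructed rows, not real telemetry: only the first one should match.
SAMPLE_EVENTS = [
    _row(1, "alice", USER_SID, ""),                        # unprivileged user, no version info
    _row(2, "system", LOCAL_SYSTEM_SID, ""),               # excluded: LOCAL SYSTEM
    _row(3, "alice", USER_SID, MICROSOFT_COMPANY),         # excluded: claims to be Microsoft
    _row(4, "alice", USER_SID, "", desired="1180063"),     # excluded: mask differs (WRITE_OWNER bit cleared)
]


def hunt(events) -> list:
    """Return the ReportId of every row the query would keep."""
    return [e["ReportId"] for e in events if matches_redsun_query(e)]


if __name__ == "__main__":
    print("matching ReportIds:", hunt(SAMPLE_EVENTS))
    print("pinned mask bits:", decode_access_mask(int(PINNED_DESIRED_ACCESS)))
```

Row 4 is the case the query comment is about: a build of the PoC that requests a slightly different mask slips past the DesiredAccess filter even though every other predicate still matches, so in production the mask filter is better treated as a scoring term than as a required condition.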

Details

Jay Kerai

Released: April 16, 2026

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

DeviceEvents, where, contains, parse_json, ==, !=, and, @