Query Details

Defender Red Sun Detection Named Pipe Detection Correlated To Anti Virus Detection

Query

//https://github.com/Nightmare-Eclipse/RedSun
//Uses a Defender detection to escalate to SYSTEM. Note I couldn't get this exploit to work in MDE. It will fail to request a batch oplock on the update file.
//The binary/code supplied in the repo uses an EICAR signature, but a threat actor could substitute this for anything so long as Defender is triggered.
//Code will back out if real-time monitoring is not enabled.
//Detection essentially combines https://github.com/jkerai1/KQL-Queries/blob/main/Defender/Defender%20-RedSun%20Detection%20-%20Antivirus%20Detection%20in%20TieringEngineService.kql%20- with the named pipe creation detection here https://github.com/jkerai1/KQL-Queries/blob/main/Defender/Defender%20-RedSun%20Detection%20-%20NamedPipe%20Detection.kql
//Credit: https://thecollective.eu/detecting-redsun-local-privilege-escalation/
let Lookback = 4h;
// Read both event types once and cache them so the self-join below reuses the same materialized set
let deviceEvents = materialize(
    DeviceEvents
    | where TimeGenerated > ago(Lookback)
    | where ActionType == "NamedPipeEvent" or ActionType == "AntivirusDetection"
);
deviceEvents
| where ActionType == "NamedPipeEvent"
// Keep only pipe creation/open events; FileOperation is nested inside the AdditionalFields JSON
| where tostring(parse_json(AdditionalFields).FileOperation) in ("File created", "File Opened")
// Correlate the pipe activity with an AV detection raised for the same process (PID + image hash) on the same device
| join kind=inner (
    deviceEvents
    | where ActionType == "AntivirusDetection"
) on InitiatingProcessId and InitiatingProcessSHA256 and DeviceId
// Require that the same image also ran from System32 at System integrity on that device, bounded to the same lookback
| join kind=inner (
    DeviceProcessEvents
    | where TimeGenerated > ago(Lookback)
    | where InitiatingProcessFolderPath contains "System32"
    | where InitiatingProcessIntegrityLevel == "System"
) on DeviceId and InitiatingProcessSHA256

Explanation

This KQL (Kusto Query Language) query is designed to detect a specific local privilege escalation technique, known as "RedSun", by correlating device events within a specified time frame. Here's a simplified breakdown of what the query does:

  1. Lookback Period: The query examines device events from the last 4 hours.

  2. Event Collection: It gathers events from the DeviceEvents table where the ActionType is either "NamedPipeEvent" or "AntivirusDetection", and materializes that set so it can be reused by the join without re-reading the table.

  3. Named Pipe Events: It filters the named pipe events to those where the pipe was created or opened, as indicated by a FileOperation value of "File created" or "File Opened" inside the AdditionalFields JSON.

  4. Antivirus Detection: It selects the events where an antivirus detection occurred.

  5. Joining Events: The query then joins the named pipe events with the antivirus detections on InitiatingProcessId, InitiatingProcessSHA256 and DeviceId, so a match requires the same process (same PID and image hash) on the same device to have both touched a named pipe and triggered a detection.

  6. System-Level Processes: It further refines the results by joining with DeviceProcessEvents on DeviceId and InitiatingProcessSHA256, requiring that the same image ran from the "System32" folder at System integrity level, which indicates high privilege.

The query is therefore looking for named pipe creation or opening that coincides with an antivirus detection from the same process, where that process image also ran from System32 as SYSTEM. This combination of factors could indicate an attempt to exploit Defender's own detection handling for privilege escalation.
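To make the join logic concrete, here is an added example (not from the page's author or the linked repositories) that replays the query's filters and both joins in Python over constructed sample events; the column names mirror the KQL, while the device ids, PIDs and SHA256 values are placeholders.

```python
from datetime import datetime, timedelta

PIPE_OPS = {"File created", "File Opened"}   # same literals as the KQL `in (...)`

def correlate(device_events, process_events, now, lookback=timedelta(hours=4)):
    """Return the NamedPipeEvents that survive both joins of the KQL query."""
    recent = [e for e in device_events if e["TimeGenerated"] > now - lookback]
    pipes = [e for e in recent if e["ActionType"] == "NamedPipeEvent"
             and e["AdditionalFields"].get("FileOperation") in PIPE_OPS]
    # First join key: (InitiatingProcessId, InitiatingProcessSHA256, DeviceId)
    av_keys = {(e["InitiatingProcessId"], e["InitiatingProcessSHA256"], e["DeviceId"])
               for e in recent if e["ActionType"] == "AntivirusDetection"}
    # Second join key: (DeviceId, InitiatingProcessSHA256) of a System-integrity process
    # from System32. KQL `contains` is case-insensitive, so compare lower-cased paths;
    # `==` on the integrity level is an exact match.
    sys_keys = {(p["DeviceId"], p["InitiatingProcessSHA256"]) for p in process_events
                if "system32" in p["InitiatingProcessFolderPath"].lower()
                and p["InitiatingProcessIntegrityLevel"] == "System"}
    return [e for e in pipes
            if (e["InitiatingProcessId"], e["InitiatingProcessSHA256"], e["DeviceId"]) in av_keys
            and (e["DeviceId"], e["InitiatingProcessSHA256"]) in sys_keys]

# Constructed sample data: device ids, PIDs and hashes are placeholders, not real IoCs.
NOW = datetime(2026, 4, 17, 12, 0)
SHA_A, SHA_B = "sha256-placeholder-a", "sha256-placeholder-b"

def _ev(action, dev, pid, sha, op=None, age=timedelta(minutes=5)):
    return {"TimeGenerated": NOW - age, "ActionType": action, "DeviceId": dev,
            "InitiatingProcessId": pid, "InitiatingProcessSHA256": sha,
            "AdditionalFields": {"FileOperation": op} if op else {}}

DEVICE_EVENTS = [
    _ev("NamedPipeEvent", "dev-01", 4242, SHA_A, "File created"),  # pipe + AV + System32: hit
    _ev("AntivirusDetection", "dev-01", 4242, SHA_A),
    _ev("NamedPipeEvent", "dev-02", 1313, SHA_B, "File Opened"),   # AV matches, no System32 proc
    _ev("AntivirusDetection", "dev-02", 1313, SHA_B),
    _ev("NamedPipeEvent", "dev-01", 9999, SHA_A, "File created"),  # other PID: no AV match
    _ev("NamedPipeEvent", "dev-01", 4242, SHA_A, "File created", age=timedelta(hours=6)),  # stale
]
PROCESS_EVENTS = [
    {"DeviceId": "dev-01", "InitiatingProcessSHA256": SHA_A, "InitiatingProcessIntegrityLevel": "System",
     "InitiatingProcessFolderPath": r"c:\windows\system32"},
    {"DeviceId": "dev-02", "InitiatingProcessSHA256": SHA_B, "InitiatingProcessIntegrityLevel": "Medium",
     "InitiatingProcessFolderPath": r"c:\users\demo\appdata\local\temp"},
]

def run():
    """Replay the sample data; returns a list with exactly the dev-01 / PID 4242 pipe event."""
    return correlate(DEVICE_EVENTS, PROCESS_EVENTS, NOW)
```

Only the first pipe event survives: the dev-02 pair has no System32 process at System integrity, the PID 9999 event has no matching detection, and the six-hour-old event falls outside the lookback.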

Details

Jay Kerai

Released: April 17, 2026

Tables

DeviceEvents, DeviceProcessEvents

Keywords

DeviceEvents, ActionType, AdditionalFields, FileOperation, InitiatingProcessId, InitiatingProcessSHA256, DeviceId, DeviceProcessEvents, InitiatingProcessFolderPath, InitiatingProcessIntegrityLevel, System

Operators

let, materialize, where, ago, or, tostring, parse_json, in, join, on, contains
