Defender Red Sun Detection Named Pipe Detection
Query
//https://github.com/Nightmare-Eclipse/RedSun
//Uses a Defender detection to escalate to system. Note I couldn't get this exploit in MDE. It will fail to request a batch oplock on the update file.
// The binary/code supplied in repo uses an EICAR signature but a threatactor could subs this for anything so long as defender is triggered.
//Code will back out if real time monitoring is not enabled.
DeviceEvents
| where ActionType contains "NamedPipeEvent"
| where parse_json(AdditionalFields)["RemoteClientsAccess"] == 'AcceptRemote'
//| where parse_json(AdditionalFields)["PipeName"] == @'\Device\NamedPipe\REDSUN' //Low Fidelity Named Pipe (Line 518 in Code) Name can be changed but included here
| where parse_json(AdditionalFields)["DesiredAccess"] == '1704351' //Technically Access Mask can be modified
| where InitiatingProcessAccountName != @"system" and InitiatingProcessAccountName != "network service" and AccountSid != @"S-1-5-18"//PoC is from unprivileged User
| where parse_json(AdditionalFields)["FileOperation"] == 'File created'
| where InitiatingProcessVersionInfoCompanyName != @"Microsoft Corporation" //File created that created the namedpipe is the RedSun.exe binary (filename can be renamed)Explanation
This KQL (Kusto Query Language) query is designed to detect a specific suspicious activity pattern related to a potential security exploit. Here's a simplified breakdown of what the query does:
-
Data Source: The query is examining
DeviceEvents, which likely contains logs of various events occurring on devices. -
Named Pipe Event: It filters for events where the
ActionTypeincludes "NamedPipeEvent". Named pipes are a method for inter-process communication, and monitoring them can help detect unusual activities. -
Remote Access: It checks if the named pipe event allows remote clients to access it by looking for
RemoteClientsAccessset to 'AcceptRemote'. -
Access Rights: The query filters for events where the
DesiredAccessis '1704351'. This is a specific access mask, indicating certain permissions that might be suspicious or indicative of an exploit attempt. -
User Privilege Check: It ensures that the event was not initiated by privileged accounts like "system" or "network service", and the
AccountSidis not the well-known SID for the local system account (S-1-5-18). This implies the event is initiated by a less privileged user, which could be part of an escalation attempt. -
File Operation: It looks for events where a file was created (
FileOperationis 'File created'). -
Company Name Check: The query excludes events where the initiating process's company name is "Microsoft Corporation". This suggests that the file creation event is not from a Microsoft-signed binary, which could indicate a suspicious or unauthorized executable, such as the
RedSun.exementioned in the comments.
Overall, this query is designed to identify potential exploitation attempts where a non-privileged user creates a named pipe that allows remote access and is associated with a non-Microsoft binary, possibly indicating malicious activity.
Details

Jay Kerai
Released: April 16, 2026
Tables
Keywords
Operators