RedSun - Named Pipe Created

Rule Info

Name: RedSun - Named Pipe Created
Author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
Description: Detects the creation of a named pipe with the hardcoded name "REDSUN". The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain. RedSun creates the pipe as \\??\pipe\REDSUN. The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM. Presence of this pipe name indicates active or recent RedSun execution.
Date: 2026-04-17 00:00:00
Modified: None
Id: 9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b
Tags: attack.privilege-escalation attack.stealth attack.defense-impairment attack.t1055 attack.t1685 detection.emerging-threats
Type: Community Rule
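The rule body itself is not reproduced on this page, so the following is an added illustration of the check the description implies, written here as example code and not taken from the Sigma project. It assumes Sysmon "Pipe Created" events (Event ID 17) already parsed into dicts with the fields Sysmon emits (UtcTime, Image, ProcessId, PipeName); the sample events are constructed, not real telemetry. It reduces every spelling of the pipe name (Sysmon's short \REDSUN, the NT path \??\pipe\REDSUN cited above, or the Win32 \\.\pipe\REDSUN form) to the bare name and compares it case-insensitively, since Windows pipe names are not case-sensitive; the exact-match choice (so that names merely containing "REDSUN" do not fire) is this example's assumption, not necessarily the rule's.

```python
from typing import Iterable

SYSMON_PIPE_CREATED = 17          # Sysmon "Pipe Created"; Event ID 18 is "Pipe Connected"
INDICATOR_PIPE_NAME = "REDSUN"    # the hardcoded pipe name from the rule description

# Constructed sample events shaped like parsed Sysmon EventData (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 17, "UtcTime": "2026-04-20 10:01:02.001",
     "Image": r"C:\Windows\System32\lsass.exe", "ProcessId": 712, "PipeName": r"\lsass"},
    {"EventID": 17, "UtcTime": "2026-04-20 10:01:05.120",
     "Image": r"C:\Users\alice\AppData\Local\Temp\rs.exe", "ProcessId": 4412, "PipeName": r"\REDSUN"},
    # Pipe Connected (18), not Pipe Created: outside this rule's scope
    {"EventID": 18, "UtcTime": "2026-04-20 10:01:05.300",
     "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 900, "PipeName": r"\REDSUN"},
    # Full NT object path, different case: must still match
    {"EventID": 17, "UtcTime": "2026-04-20 10:02:00.000",
     "Image": r"C:\Tools\x.exe", "ProcessId": 5000, "PipeName": r"\??\pipe\redsun"},
    {"EventID": 17, "UtcTime": "2026-04-20 10:03:00.000",
     "Image": r"C:\Windows\System32\spoolsv.exe", "ProcessId": 1200, "PipeName": r"\spoolss"},
    # Merely contains the indicator: not an exact match, so no alert here
    {"EventID": 17, "UtcTime": "2026-04-20 10:04:00.000",
     "Image": r"C:\Tools\y.exe", "ProcessId": 5100, "PipeName": r"\REDSUN_backup"},
]


def bare_pipe_name(pipe_name: str) -> str:
    """Reduce a pipe name to its final path component.

    '\\REDSUN', '\\??\\pipe\\REDSUN' and '\\\\.\\pipe\\REDSUN' all reduce
    to 'REDSUN', so one comparison covers every spelling of the same pipe.
    """
    return pipe_name.strip().rsplit("\\", 1)[-1]


def is_redsun_pipe(pipe_name: str) -> bool:
    """True when the bare name equals the indicator, ignoring case."""
    return bare_pipe_name(pipe_name).casefold() == INDICATOR_PIPE_NAME.casefold()


def detect_redsun_pipe(events: Iterable[dict]) -> list[dict]:
    """Return one alert per Pipe Created event whose pipe name is REDSUN."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != SYSMON_PIPE_CREATED:
            continue  # creation only, as the rule title states
        if not is_redsun_pipe(str(ev.get("PipeName", ""))):
            continue
        alerts.append({
            "rule": "RedSun - Named Pipe Created",
            "time": ev.get("UtcTime"),
            "image": ev.get("Image"),
            "pid": ev.get("ProcessId"),
            "pipe": ev.get("PipeName"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_redsun_pipe(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the check fires twice (the short-form creation by rs.exe and the full NT path creation by x.exe), ignores the Pipe Connected event and the \REDSUN_backup name, and the Image/ProcessId fields carried in the alert are what an analyst would pivot on next (the creating process and its token lineage).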

Rule History

Author | Title | Date | Commit
Nasreddine Bencherchali | Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 | 2026-04-29 |
Swachchhanda Shrawan Poudel | Merge PR #5941 from @swachchhanda000 - Add RedSun Execution Indicators | 2026-04-28 |