RedSun - Named Pipe Created

Detects the creation of a named pipe with the hardcoded name "REDSUN". The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain. RedSun creates the pipe as \??\pipe\REDSUN. The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM. Presence of this pipe name indicates active or recent RedSun execution.

Sigma rule

title: RedSun - Named Pipe Created
id: 9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b
status: experimental
description: |
    Detects the creation of a named pipe with the hardcoded name "REDSUN".
    The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain.
    RedSun creates the pipe as \\??\pipe\REDSUN.
    The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM.
    Presence of this pipe name indicates active or recent RedSun execution.
references:
    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.defense-impairment
    - attack.t1055
    - attack.t1685
    - detection.emerging-threats
logsource:
    category: pipe_created
    product: windows
detection:
    selection:
        PipeName: '\REDSUN'
    condition: selection
falsepositives:
    - Unlikely
level: critical
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml
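The rule above has a single selection: the Sysmon PipeName field must equal `\REDSUN` (Sigma's default comparison is a case-insensitive exact match), restricted by the `pipe_created` logsource category, which maps to Sysmon Event ID 17. The following Python is an added example, not part of the rule page or the Sigma project; it re-implements that match in plain code and runs it over a few constructed Sysmon-style pipe events so the logic can be checked offline. The `normalize_pipe_name` helper encodes one assumption, labelled in the code: Sysmon records pipe names relative to the pipe device, so the `\??\pipe\REDSUN` path the description mentions shows up as `\REDSUN` in PipeName. The event records, process images and PIDs are constructed sample data.

```python
"""Evaluate the RedSun named-pipe Sigma rule against Sysmon-style pipe events.

Added example (not the rule page's or Sigma's own code). It mirrors the rule's
one selection, PipeName == '\\REDSUN', with Sigma's default case-insensitive
exact match, and applies it to constructed Sysmon Event ID 17 records.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Value copied from the rule's `selection` block.
RULE_PIPE_NAME = "\\REDSUN"

# Sigma logsource category pipe_created corresponds to Sysmon Event ID 17.
SYSMON_PIPE_CREATED = 17
SYSMON_PIPE_CONNECTED = 18  # outside the rule's logsource; included to show it is ignored


@dataclass(frozen=True)
class PipeEvent:
    """Minimal view of a Sysmon pipe event (constructed fields, not a real log)."""
    event_id: int   # 17 = Pipe Created, 18 = Pipe Connected
    pipe_name: str  # Sysmon PipeName field, e.g. '\\REDSUN'
    image: str      # process that created/connected to the pipe
    pid: int


def normalize_pipe_name(name: str) -> str:
    """Reduce a full pipe path to the short form Sysmon writes in PipeName.

    Assumption (labelled): Sysmon reports the name relative to the pipe device,
    so '\\??\\pipe\\REDSUN', '\\\\.\\pipe\\REDSUN' and '\\Device\\NamedPipe\\REDSUN'
    all appear as '\\REDSUN'. Names already in short form pass through unchanged.
    """
    lowered = name.lower()
    for prefix in ("\\??\\pipe\\", "\\\\.\\pipe\\", "\\device\\namedpipe\\"):
        if lowered.startswith(prefix):
            return "\\" + name[len(prefix):]
    return name


def matches_rule(event: PipeEvent) -> bool:
    """True when the event satisfies the rule: Event ID 17 and PipeName == '\\REDSUN'.

    The comparison is exact (not substring), so '\\REDSUNSET' must not match.
    """
    if event.event_id != SYSMON_PIPE_CREATED:
        return False
    return normalize_pipe_name(event.pipe_name).lower() == RULE_PIPE_NAME.lower()


def run_detection(events: Iterable[PipeEvent]) -> List[PipeEvent]:
    """Return every event the rule would alert on, preserving input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (paths and PIDs are made up for illustration).
SAMPLE_EVENTS = [
    PipeEvent(17, "\\REDSUN", "C:\\Users\\alice\\Downloads\\tool.exe", 4120),      # should alert
    PipeEvent(18, "\\REDSUN", "C:\\Windows\\System32\\svchost.exe", 900),          # connect event: ignored
    PipeEvent(17, "\\??\\pipe\\REDSUN", "C:\\Users\\alice\\Downloads\\tool.exe", 4121),  # NT path form: should alert
    PipeEvent(17, "\\lsass", "C:\\Windows\\System32\\lsass.exe", 700),             # benign system pipe
    PipeEvent(17, "\\REDSUNSET", "C:\\Program Files\\App\\app.exe", 5000),        # superstring: no match
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT RedSun pipe created: pid={hit.pid} image={hit.image} pipe={hit.pipe_name}")
```

Running the script prints two alerts, for PIDs 4120 and 4121; the Pipe Connected event, the unrelated system pipe and the `\REDSUNSET` superstring are all left alone, which is the behaviour a SIEM backend should show for this rule. If your pipeline already stores PipeName in Sysmon's short form, `normalize_pipe_name` is a no-op and can be dropped.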
