kqlHunting

Defender -RedSun Detection - NamedPipe Detection

https://github.com/Nightmare-Eclipse/RedSun

Detection Query

//https://github.com/Nightmare-Eclipse/RedSun
//Uses a Defender detection to escalate to SYSTEM. Note: I couldn't get this exploit working in MDE. It will fail to request a batch oplock on the update file.
//The binary/code supplied in the repo uses an EICAR signature, but a threat actor could substitute anything for it so long as Defender is triggered.
//The code will back out if real-time monitoring is not enabled.
DeviceEvents
| where ActionType contains "NamedPipeEvent"
| where parse_json(AdditionalFields)["RemoteClientsAccess"] == 'AcceptRemote'
//| where parse_json(AdditionalFields)["PipeName"] == @'\Device\NamedPipe\REDSUN' //Low-fidelity named pipe (line 518 in the code); the name can be changed but is included here
| where parse_json(AdditionalFields)["DesiredAccess"] == '1704351' //Technically the access mask can be modified
| where InitiatingProcessAccountName != @"system" and InitiatingProcessAccountName != "network service" and AccountSid != @"S-1-5-18" //PoC runs as an unprivileged user
| where parse_json(AdditionalFields)["FileOperation"] == 'File created'
| where InitiatingProcessVersionInfoCompanyName != @"Microsoft Corporation" //The file that created the named pipe is the RedSun.exe binary (the filename can be renamed)
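
To see what the filters above actually admit and exclude, here is an added Python re-implementation of the same predicate run over constructed DeviceEvents rows; this is example code, not part of the RedSun project or the kqlHunting query, and the account names, SIDs, company names and pipe names in the sample rows are made up.

```python
import json

# Constructed sample DeviceEvents rows (not real telemetry). AdditionalFields is a JSON
# string, as in the Defender for Endpoint schema; the helper keeps the rows short.
def _row(account, sid, company, op, pipe, access="1704351", remote="AcceptRemote"):
    return {"ActionType": "NamedPipeEvent", "InitiatingProcessAccountName": account,
            "AccountSid": sid, "InitiatingProcessVersionInfoCompanyName": company,
            "AdditionalFields": json.dumps({"FileOperation": op, "PipeName": pipe,
                                            "RemoteClientsAccess": remote, "DesiredAccess": access})}

USER_SID = "S-1-5-21-1111-2222-3333-1001"   # made-up unprivileged user SID
SAMPLE_EVENTS = [
    # unprivileged user, non-Microsoft binary, remote-accessible pipe, PoC mask -> should match
    _row("jdoe", USER_SID, "", "File created", r"\Device\NamedPipe\REDSUN"),
    # same pipe semantics but created by LocalSystem (a legitimate service) -> excluded by SID
    _row("system", "S-1-5-18", "Microsoft Corporation", "File created", r"\Device\NamedPipe\svc"),
    # unprivileged user opening an existing pipe rather than creating one -> excluded
    _row("jdoe", USER_SID, "Contoso", "File opened", r"\Device\NamedPipe\app"),
    # creation with a different access mask -> excluded (the mask filter is the brittle part)
    _row("jdoe", USER_SID, "Contoso", "File created", r"\Device\NamedPipe\other", access="2032127"),
]

PRIVILEGED_NAMES = {"system", "network service"}   # KQL != is case-sensitive, so these are literal
LOCAL_SYSTEM_SID = "S-1-5-18"
POC_ACCESS_MASK = "1704351"


def matches_redsun_pipe_query(event: dict) -> bool:
    """Apply the same filters as the KQL query above to one DeviceEvents row."""
    fields = json.loads(event.get("AdditionalFields") or "{}")
    return (
        "namedpipeevent" in event.get("ActionType", "").lower()      # KQL contains: case-insensitive
        and fields.get("RemoteClientsAccess") == "AcceptRemote"
        and str(fields.get("DesiredAccess")) == POC_ACCESS_MASK      # str(): tolerate number vs string (assumption)
        and event.get("InitiatingProcessAccountName") not in PRIVILEGED_NAMES
        and event.get("AccountSid") != LOCAL_SYSTEM_SID
        and fields.get("FileOperation") == "File created"
        and event.get("InitiatingProcessVersionInfoCompanyName") != "Microsoft Corporation"
    )


def hunt(events: list[dict]) -> list[str]:
    """Return the pipe names of the rows the query would surface, for triage."""
    return [json.loads(e["AdditionalFields"])["PipeName"]
            for e in events if matches_redsun_pipe_query(e)]


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))   # ['\\Device\\NamedPipe\\REDSUN']
```

Only the first constructed row survives; the SYSTEM-created pipe, the pipe open, and the pipe created with a different access mask all drop out, which illustrates why the mask and company-name filters are the easiest parts for a renamed or rebuilt binary to sidestep.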

Data Sources

DeviceEvents

Platforms

windows, microsoft-defender

Tags

defender, detection