Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,731

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 3.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

RedSun - Named Pipe Created

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

RedSun - Named Pipe Created

Using Splunk · Default · sigma-cli 3.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion3.0.2
title: RedSun - Named Pipe Created
id: 9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b
status: experimental
description: |
    Detects the creation of a named pipe with the hardcoded name "REDSUN".
    The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain.
    RedSun creates the pipe as \\??\pipe\REDSUN.
    The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM.
    Presence of this pipe name indicates active or recent RedSun execution.
references:
    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.privilege-escalation
    - attack.t1055
    - attack.t1562.001
    - attack.defense-evasion
    - detection.emerging-threats
logsource:
    category: pipe_created
    product: windows
detection:
    selection:
        PipeName: '\REDSUN'
    condition: selection
falsepositives:
    - Unlikely
level: critical
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml