From e19927bc33beaaaa3effcb535e86979809299691 Mon Sep 17 00:00:00 2001
From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com>
Date: Fri, 17 Apr 2026 10:51:19 +0200
Subject: [PATCH 1/3] Add rule for RedSun privilege escalation POC
---
 yara/hktl_redsun_apr26.yar | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 yara/hktl_redsun_apr26.yar
diff --git a/yara/hktl_redsun_apr26.yar b/yara/hktl_redsun_apr26.yar
new file mode 100644
index 00000000..82cfeabe
--- /dev/null
+++ b/yara/hktl_redsun_apr26.yar
@@ -0,0 +1,23 @@
+rule HKTL_RedSun_Privilege_Escalation_Apr26 {
+ meta:
+ description = "Detects RedSun hacktool used for privilege escalation through Microsoft Defender."
+ author = "Jonathan Peters (cod3nym)"
+ date = "2026-04-16"
+ reference = "https://github.com/Nightmare-Eclipse/RedSun"
+ hash = "57a70c383feb9af60b64ab6768a1ca1b3f7394b8c5ffdbfafc8e988d63935120"
+ score = 80
+ strings:
+ $x1 = "\\??\\pipe\\REDSUN" wide
+ $x2 = "The red sun shall prevail.\n" ascii fullword
+ $x3 = "\\RedSun.pdb" ascii
+
+ $s1 = "\\System32\\TieringEngineService.exe" wide
+ $s2 = "SERIOUSLYMSFT" wide
+ $s3 = "*H+H$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE$}7)CC7)^P(45XZP\\4[PA@%P!O5X" ascii
+ condition:
+ uint16(0) == 0x5a4d
+ and (
+ 1 of ($x*)
+ or 2 of ($s*)
+ )
+}
From cfcb4a1767064802bedb7b3547aafbf5df7868c5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 17 Apr 2026 12:51:39 +0200
Subject: [PATCH 2/3] Update hktl_redsun_apr26.yar
---
 yara/hktl_redsun_apr26.yar | 1 +
 1 file changed, 1 insertion(+)
diff --git a/yara/hktl_redsun_apr26.yar b/yara/hktl_redsun_apr26.yar
index 82cfeabe..97ee1aa2 100644
--- a/yara/hktl_redsun_apr26.yar
+++ b/yara/hktl_redsun_apr26.yar
@@ -20,4 +20,5 @@ rule HKTL_RedSun_Privilege_Escalation_Apr26 {
 1 of ($x*)
 or 2 of ($s*)
 )
+ or 3 of them
 }
From e841376c5a882497151d2d6bf75fd46784660c1f Mon Sep 17 00:00:00 2001 
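Review bot: `$s3` in the new rule is the EICAR test string written backwards, but nothing in the rule says so, and because reversed or otherwise mangled copies of the EICAR string can also appear in unrelated anti-virus test utilities it is a weak indicator on its own; a comment such as `// EICAR test string, reversed` beside it would spare the next reader the decoding step and record why it sits in the lower-confidence `$s*` group rather than `$x*`. The `meta` block also carries no `id` field, whereas the existing `Suspicious_Size_java_exe` rule touched in the third patch has one, so the new rule presumably lacks the repository's usual identifier. `$x2` ends in a literal newline, so the `fullword` modifier only constrains the byte after that newline; it is harmless but adds little.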
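Review bot: The added `or 3 of them` sits outside the parenthesised group, and since `and` binds tighter than `or` in YARA the condition is now `(uint16(0) == 0x5a4d and (1 of ($x*) or 2 of ($s*))) or 3 of them`, so three matching strings fire the rule on any input regardless of the MZ header. For PE files the new clause is redundant, because three of the six strings already satisfies `1 of ($x*)` or `2 of ($s*)`; its only effect is to cover non-PE carriers such as memory dumps. If that is the intent, a short comment like `// 3 of them: also match non-PE carriers (e.g. memory dumps)` would make it explicit, and the fact that `$s1` is a legitimate Windows path is worth bearing in mind for that wider scope. The rule header and its `strings` section lie outside this hunk.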
From: Florian Roth
Date: Fri, 17 Apr 2026 12:54:26 +0200
Subject: [PATCH 3/3] fix: FPs
---
 yara/generic_anomalies.yar | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/yara/generic_anomalies.yar b/yara/generic_anomalies.yar
index db409081..3759f4fe 100644
--- a/yara/generic_anomalies.yar
+++ b/yara/generic_anomalies.yar
@@ -215,12 +215,13 @@ rule Suspicious_Size_java_exe {
 author = "Florian Roth (Nextron Systems)"
 score = 60
 date = "2015-12-21"
+ modified = "2026-03-30"
 noarchivescan = 1
 id = "b6dc297b-8388-5e39-ba77-c027cdea7afa"
 condition:
 uint16(0) == 0x5a4d
 and filename == "java.exe"
- and (filesize < 30KB or filesize > 900KB)
+ and (filesize < 30KB or filesize > 1500KB)
 }
 rule Suspicious_Size_lsass_exe {
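Review bot: The new `modified = "2026-03-30"` predates both the `Date:` header of this commit (17 Apr 2026) and the other two patches in the series, so it looks carried over from an earlier local edit; if the rule was changed on the commit date it should read `modified = "2026-04-17"`. The upper bound moves from 900KB to 1500KB with only `fix: FPs` as rationale; recording the observed legitimate `java.exe` size that produced the false positive, in a one-line comment next to the `filesize` check or in the commit message, would let a later reviewer judge whether the threshold can be tightened again. The rule's `meta` block begins before this hunk.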