Sysmon - not logging "Pipe created" events (Event 17)

  • Question

  • Hello!

    We have tried to generate/reproduce Event 17:
    <event name="SYSMON_CREATE_NAMEDPIPE" value="17" level="Informational" template="Pipe Created" rulename="PipeEvent" ruledefault="exclude" version="1">
    with no success.

    Env:
    Microsoft Windows 10 Enterprise 10.0.18363

    Sysmon binary:
    12.02, 12.03

    Config:

    <Sysmon schemaversion="4.40">
        <HashAlgorithms>*</HashAlgorithms>
        <CheckRevocation></CheckRevocation>
        <DnsLookup>True</DnsLookup>
        <ArchiveDirectory>Archive</ArchiveDirectory>
        <EventFiltering>
            <RuleGroup name="" groupRelation="or">
                <ProcessCreate onmatch="exclude">
                </ProcessCreate>
                <FileCreateTime onmatch="include">
                </FileCreateTime>
                <NetworkConnect onmatch="include">
                </NetworkConnect>
                <ProcessTerminate onmatch="include">
                </ProcessTerminate>
                <DriverLoad onmatch="include">
                </DriverLoad>
                <ImageLoad onmatch="include">
                </ImageLoad>
                <CreateRemoteThread onmatch="include">
                </CreateRemoteThread>
                <RawAccessRead onmatch="include">
                </RawAccessRead>
                <ProcessAccess onmatch="include">
                </ProcessAccess>
                <FileCreate onmatch="include">
                </FileCreate>
                <RegistryEvent onmatch="include">
                </RegistryEvent>
                <FileCreateStreamHash onmatch="include">
                </FileCreateStreamHash>
                <PipeEvent onmatch="exclude">
                </PipeEvent>
                <WmiEvent onmatch="exclude">
                </WmiEvent>
                <DnsQuery onmatch="include">
                </DnsQuery>
                <FileDelete onmatch="include">
                </FileDelete>
                <ClipboardChange onmatch="include">
                </ClipboardChange>
            </RuleGroup>
        </EventFiltering>
    </Sysmon>

    PS test1:

    # Build a security descriptor that grants Everyone read/write on the pipe
    $PipeSecurity = New-Object System.IO.Pipes.PipeSecurity
    $AccessRule = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
    # Attach the rule to the descriptor so it actually applies to the pipe
    $PipeSecurity.AddAccessRule($AccessRule)
    $pipename = "c5da0676f"
    # Create the server end of the pipe (duplex, up to 10 instances, byte mode)
    $pipe = New-Object System.IO.Pipes.NamedPipeServerStream($pipename, "InOut", 10, "Byte", "None", 1024, 1024, $PipeSecurity)
    $PipeHandle = $pipe.SafePipeHandle.DangerousGetHandle()

    PS test2:

    $pipe = New-Object System.IO.Pipes.NamedPipeServerStream("\\.\pipe\Wulf")
    # Block until a client connects, then echo lines until the client sends 'exit'
    $pipe.WaitForConnection()
    $sr = New-Object System.IO.StreamReader($pipe)
    while (($cmd = $sr.ReadLine()) -ne 'exit') { $cmd }
    $sr.Dispose()
    $pipe.Dispose()

    The pipes created above are trackable via the pipelist tool, but no events (17) are generated by Sysmon.

    For Sysmon 11.10 everything works as expected

    Please let us know if this is a known problem, and whether it is going to be addressed in future releases or not.

    P.S. syssite@microsoft.com is returning bouncebacks; is there a replacement?

    Many thanks!

    Wednesday, November 25, 2020 3:44 PM

All replies


  • sysmon v12.03 was unable to load your configuration file content for me.

    Your rule content has all input types nested in one rule group. I usually create 1 or 2 rule groups for each input type.

    Here is what my configuration xml looks like for named pipe testing.

    <Sysmon schemaversion="4.40">
    	<EventFiltering>
    
    		<!--SYSMON EVENT ID 1 : Process Create [ProcessCreate]-->
    		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, FileVersion, Description, Product, Company, OriginalFileName, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
    
    		<RuleGroup name="" groupRelation="or">
    			<ProcessCreate onmatch="include">
    			</ProcessCreate>
    		</RuleGroup>
    
    		<!--SYSMON EVENT ID 17 : Pipe Created [PipeEvent]-->
    		<!--DATA: RuleName, EventType, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
    
    		<!--SYSMON EVENT ID 18 : Pipe Connected [PipeEvent]-->
    		<!--DATA: RuleName, EventType, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
    
    		<RuleGroup name="" groupRelation="or">
    			<PipeEvent onmatch="exclude">
    			</PipeEvent>
    		</RuleGroup>
    
    	</EventFiltering>
    
    </Sysmon>

    I use the following script here to start with new sysmon configs. Similar to your pipe event example code, I use the code here to do my own function testing of new sysmon releases.


    • Edited by dstaulcu Saturday, December 5, 2020 3:56 PM
    Friday, December 4, 2020 2:55 AM
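The following script is an added example and is not code from either poster in this thread. It automates the check both of them describe: it creates a named pipe server, connects a client to it (which should produce a Pipe Created event 17 and a Pipe Connected event 18), and then reads the Sysmon operational log for events whose PipeName field contains the test pipe's name. It assumes Sysmon is installed with an empty <PipeEvent onmatch="exclude"> group (so all pipe events are logged, as in the reply's config), that the shell is elevated (reading the Sysmon log requires administrator rights), and that the Sysmon log name is the default Microsoft-Windows-Sysmon/Operational. The function name and the pipe name are constructed for this example.

```powershell
# Added example, not from the thread. Creates a named pipe server in a background job,
# connects a client to it from this session, then reads the Sysmon operational log for
# the matching Pipe Created (17) and Pipe Connected (18) events.
# Assumes: Sysmon installed with an empty <PipeEvent onmatch="exclude"> group, and an
# elevated shell, since reading the Sysmon log requires administrator rights.

function Test-SysmonPipeEvents {
    param(
        # Constructed pipe name; any unique name works.
        [string]$PipeName = "sysmon-pipe-test-$PID",
        # How long the client waits for the background server instance to appear.
        [int]$WaitSeconds = 15
    )

    $since = (Get-Date).AddSeconds(-2)

    # Server side runs in a job (a separate powershell.exe) so the client below can connect.
    $server = Start-Job -ArgumentList $PipeName -ScriptBlock {
        param($name)
        $pipe = New-Object System.IO.Pipes.NamedPipeServerStream($name, [System.IO.Pipes.PipeDirection]::InOut)
        $pipe.WaitForConnection()
        $reader = New-Object System.IO.StreamReader($pipe)
        $line = $reader.ReadLine()
        $reader.Dispose()
        $pipe.Dispose()
        $line
    }

    # Client side: Connect() retries until the server instance exists or the timeout expires.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream(".", $PipeName, [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect($WaitSeconds * 1000)
        $writer = New-Object System.IO.StreamWriter($client)
        $writer.AutoFlush = $true
        $writer.WriteLine("ping")
        $writer.Dispose()
    }
    finally {
        $client.Dispose()
    }

    # Collect what the server read, then clean up the job even if it never got a connection.
    Wait-Job -Job $server -Timeout $WaitSeconds | Out-Null
    $echoed = Receive-Job -Job $server
    Remove-Job -Job $server -Force

    # Sysmon writes events asynchronously; give the log a moment before querying.
    Start-Sleep -Seconds 2

    # Event 17/18 messages carry a "PipeName:" line, so matching on the message text
    # avoids depending on the property index of the PipeName field.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Sysmon/Operational'
            Id        = 17, 18
            StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$PipeName*" })

    [pscustomobject]@{
        PipeName      = $PipeName
        ServerRead    = $echoed
        PipeCreated   = [bool]($events | Where-Object { $_.Id -eq 17 })
        PipeConnected = [bool]($events | Where-Object { $_.Id -eq 18 })
    }
}

Test-SysmonPipeEvents
```

If ServerRead shows "ping" but PipeCreated and PipeConnected are both false, the pipe was created and used (as pipelist would also show) and the gap is in Sysmon's logging path or in the loaded configuration, not in the test script. Running the same function against a Sysmon build that is known to log pipe events (the poster reports 11.10 does) gives a baseline to compare against before filing a bug.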