Sysmon - not logging "Pipe created" events (Event 17)

tim 1 Reputation point
2020-11-25T15:49:58.133+00:00

Hello!

We have tried to generate/reproduce Event 17:
<event name="SYSMON_CREATE_NAMEDPIPE" value="17" level="Informational" template="Pipe Created" rulename="PipeEvent" ruledefault="exclude" version="1">
With no success

Env:
Microsoft Windows 10 Enterprise 10.0.18363

Sysmon binary:
12.02, 12.03

Config:

<Sysmon schemaversion="4.40">
<HashAlgorithms>*</HashAlgorithms>
<CheckRevocation></CheckRevocation>
<DnsLookup>True</DnsLookup>
<ArchiveDirectory>Archive</ArchiveDirectory>
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude"></ProcessCreate>
<FileCreateTime onmatch="include"></FileCreateTime>
<NetworkConnect onmatch="include"></NetworkConnect>
<ProcessTerminate onmatch="include"></ProcessTerminate>
<DriverLoad onmatch="include"></DriverLoad>
<ImageLoad onmatch="include"></ImageLoad>
<CreateRemoteThread onmatch="include"></CreateRemoteThread>
<RawAccessRead onmatch="include"></RawAccessRead>
<ProcessAccess onmatch="include"></ProcessAccess>
<FileCreate onmatch="include"></FileCreate>
<RegistryEvent onmatch="include"></RegistryEvent>
<FileCreateStreamHash onmatch="include"></FileCreateStreamHash>
<PipeEvent onmatch="exclude"></PipeEvent>
<WmiEvent onmatch="exclude"></WmiEvent>
<DnsQuery onmatch="include"></DnsQuery>
<FileDelete onmatch="include"></FileDelete>
<ClipboardChange onmatch="include"></ClipboardChange>
</RuleGroup>
</EventFiltering>
</Sysmon>

PS test1:

$PipeSecurity = New-Object System.IO.Pipes.PipeSecurity
$AccessRule = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$pipename="c5da0676f"
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream($pipename,"InOut", 10, "Byte", "None", 1024, 1024, $PipeSecurity)
$PipeHandle = $pipe.SafePipeHandle.DangerousGetHandle()

PS test2:

# NamedPipeServerStream prepends \\.\pipe\ to the name itself, so pass only the short name
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream("Wulf");
$pipe.WaitForConnection();
$sr = New-Object System.IO.StreamReader($pipe);
# echo each line received from the client until it sends 'exit'
while (($cmd = $sr.ReadLine()) -ne 'exit') { $cmd };
$sr.Dispose();
$pipe.Dispose();

Pipes created above are trackable via the pipelist tool, but no events (17) are generated by Sysmon

For Sysmon 11.10 everything works as expected

Please let us know if this is a known problem, and whether it is going to be addressed in future releases or not

P.S. syssite@microsoft.com is returning bouncebacks, any replacement?

Many thanks!
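To check the result of a test like the two above from the Sysmon side rather than with pipelist, here is an added PowerShell example (not from the original post) that creates a uniquely named pipe and then looks for a matching Event ID 17 in the Sysmon operational log, reading the PipeName, Image and ProcessId fields from the event XML. It assumes Sysmon is installed with PipeEvent filtering loaded and that the shell is elevated, since the Sysmon log is readable only by administrators; the pipe name prefix and the two-second wait are constructed values.

```powershell
# Added example (not part of the original post): create a named pipe, then confirm
# Sysmon wrote a matching Event ID 17 (Pipe Created) to its operational log.
# Assumes Sysmon is installed with PipeEvent filtering enabled and an elevated shell.
$pipeName = "sysmontest-" + [guid]::NewGuid().ToString("N").Substring(0, 8)   # constructed, unique per run
$start    = (Get-Date).AddSeconds(-5)

# NamedPipeServerStream prepends \\.\pipe\ itself; pass only the short name.
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream($pipeName, "InOut")
Start-Sleep -Seconds 2        # give the Sysmon driver time to write the event
$pipe.Dispose()

# Event 17 = Pipe Created, 18 = Pipe Connected.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 17
    StartTime = $start
}
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($pipeName) }

if ($hits) {
    $hits | ForEach-Object {
        # Pull the named fields out of the event XML instead of parsing the message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            UtcTime   = $data.UtcTime
            PipeName  = $data.PipeName
            Image     = $data.Image
            ProcessId = $data.ProcessId
        }
    } | Format-Table -AutoSize
} else {
    # Running sysmon64 -c with no file argument dumps the configuration the driver currently holds.
    Write-Warning "No Sysmon Event 17 found for pipe '$pipeName'. Check the loaded PipeEvent filtering (sysmon64 -c)."
}
```

Matching on the PipeName field rather than on the whole message keeps the check meaningful even on a host where other processes create pipes constantly; the `sysmon64 -c` dump is the quickest way to see whether the PipeEvent section actually made it into the driver, which is the question the rest of this thread turns on.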


1 answer

  1. dstaulcu 351 Reputation points
    2020-12-06T20:01:05.71+00:00

    Your configuration content does not load for me with Sysmon v12.03. It does not make sense to me that you would include multiple event types in a single rule group.

    With that in mind, I commented out all eventtypes except PipeEvent from the rule group in your configuration content. After doing so the config file merged just fine and sysmon 12.03 logged activities of your pipe creation method.

    I had a hard time wrapping my brain around rule groups and compound rule groups. In case that is a challenge for you too, here is a blog entry where MarkC describes the enhancement in detail. Here also is a PowerShell script I use to generate sysmon config templates for an installed version of sysmon. The templates have placeholders for rule groups and compound rules.

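The restructuring the answer describes, with each event type in its own RuleGroup so that PipeEvent is not mixed with the others, written out as an added PowerShell example (not the answer author's script or the question's original file). It keeps the question's schemaversion 4.40 and the exclude-with-no-rules pattern that logs every event of a type, writes the configuration to a temporary file and applies it to the installed driver; it assumes sysmon64.exe is on PATH, Sysmon 12.x and an elevated shell, and the file name under $env:TEMP is a constructed value.

```powershell
# Added example (not the answer author's script): rebuild the question's configuration with
# one RuleGroup per event type, so PipeEvent sits in its own group, then apply it.
# Assumes sysmon64.exe on PATH, Sysmon 12.x (schemaversion 4.40) and an elevated shell.
$configPath = Join-Path $env:TEMP 'sysmon-pipeevent.xml'   # constructed file name

$config = @'
<Sysmon schemaversion="4.40">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- One RuleGroup per event type. onmatch="exclude" with no child rules logs everything of that type. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"></ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event 17 (Pipe Created) and Event 18 (Pipe Connected) -->
      <PipeEvent onmatch="exclude"></PipeEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <WmiEvent onmatch="exclude"></WmiEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $config -Encoding UTF8

# Load the new configuration into the installed driver ...
& sysmon64.exe -accepteula -c $configPath

# ... and dump what the driver now holds, so the PipeEvent section can be confirmed before testing.
& sysmon64.exe -c
```

The question's empty include sections (`<FileCreate onmatch="include">` and friends) log nothing for their event type, so they are dropped here rather than given groups of their own; add a RuleGroup for any of them only when it is meant to carry actual include rules.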