Sysmon - not logging "Pipe created" events (Event 17)

tim 1 Reputation point


We have tried to generate/reproduce Event 17:
<event name="SYSMON_CREATE_NAMEDPIPE" value="17" level="Informational" template="Pipe Created" rulename="PipeEvent" ruledefault="exclude" version="1">
With no success

Microsoft Windows 10 Enterprise 10.0.18363

Sysmon binary:
12.02, 12.03


<Sysmon schemaversion="4.40">
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude"></ProcessCreate>
<FileCreateTime onmatch="include"></FileCreateTime>
<NetworkConnect onmatch="include"></NetworkConnect>
<ProcessTerminate onmatch="include"></ProcessTerminate>
<DriverLoad onmatch="include"></DriverLoad>
<ImageLoad onmatch="include"></ImageLoad>
<CreateRemoteThread onmatch="include"></CreateRemoteThread>
<RawAccessRead onmatch="include"></RawAccessRead>
<ProcessAccess onmatch="include"></ProcessAccess>
<FileCreate onmatch="include"></FileCreate>
<RegistryEvent onmatch="include"></RegistryEvent>
<FileCreateStreamHash onmatch="include"></FileCreateStreamHash>
<PipeEvent onmatch="exclude"></PipeEvent>
<WmiEvent onmatch="exclude"></WmiEvent>
<DnsQuery onmatch="include"></DnsQuery>
<FileDelete onmatch="include"></FileDelete>
<ClipboardChange onmatch="include"></ClipboardChange>

PS test1:

$PipeSecurity = New-Object System.IO.Pipes.PipeSecurity
$AccessRule = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream($pipename,"InOut", 10, "Byte", "None", 1024, 1024, $PipeSecurity)
$PipeHandle = $pipe.SafePipeHandle.DangerousGetHandle()

PS test2:

$pipe=new-object System.IO.Pipes.NamedPipeServerStream("\.\pipe\Wulf");
$sr = new-object System.IO.StreamReader($pipe);
while (($cmd= $sr.ReadLine()) -ne 'exit'){$cmd};

Pipes created above are tackable via pipelist tool, but no events (17) are generated via sysmon

For Sysmon 11.10 everything works as expected

Please let us know if this is known problem, and it going to be addressed in future releases or not

P.S. returning bouncebacks, any replacement?

Many thanks!

Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,032 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. dstaulcu 351 Reputation points

    Your configuration content does not load for me with Sysmon v12.03. It does not make sense to me that you would include multiple event types in a single rule group.

    With that in mind, I commented out all eventtypes except PipeEvent from the rule group in your configuration content. After doing so the config file merged just fine and sysmon 12.03 logged activities of your pipe creation method.

    I had a hard time wrapping my brain around rule groups and compound rule groups. In case that is a challenge for you too, here is a blog entry where MarkC describes the enhancement in detail. Here also is a powershell script I use to generate sysmon config templates for an installed version of sysmon. The templates have placeholders for rule groups and compound rules.

    1 person found this answer helpful.
    0 comments No comments