Hello!
We have tried to generate/reproduce Event 17:
<event name="SYSMON_CREATE_NAMEDPIPE" value="17" level="Informational" template="Pipe Created" rulename="PipeEvent" ruledefault="exclude" version="1">
with no success.
Env:
Microsoft Windows 10 Enterprise 10.0.18363
Sysmon binary:
12.02, 12.03
Config:
<Sysmon schemaversion="4.40">
  <HashAlgorithms>*</HashAlgorithms>
  <CheckRevocation></CheckRevocation>
  <DnsLookup>True</DnsLookup>
  <ArchiveDirectory>Archive</ArchiveDirectory>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"></ProcessCreate>
      <FileCreateTime onmatch="include"></FileCreateTime>
      <NetworkConnect onmatch="include"></NetworkConnect>
      <ProcessTerminate onmatch="include"></ProcessTerminate>
      <DriverLoad onmatch="include"></DriverLoad>
      <ImageLoad onmatch="include"></ImageLoad>
      <CreateRemoteThread onmatch="include"></CreateRemoteThread>
      <RawAccessRead onmatch="include"></RawAccessRead>
      <ProcessAccess onmatch="include"></ProcessAccess>
      <FileCreate onmatch="include"></FileCreate>
      <RegistryEvent onmatch="include"></RegistryEvent>
      <FileCreateStreamHash onmatch="include"></FileCreateStreamHash>
      <PipeEvent onmatch="exclude"></PipeEvent>
      <WmiEvent onmatch="exclude"></WmiEvent>
      <DnsQuery onmatch="include"></DnsQuery>
      <FileDelete onmatch="include"></FileDelete>
      <ClipboardChange onmatch="include"></ClipboardChange>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
PS test1:
# Build a DACL granting Everyone read/write on the pipe. The access rule has to be
# added to the PipeSecurity object, otherwise it is never applied to the pipe.
$PipeSecurity = New-Object System.IO.Pipes.PipeSecurity
$AccessRule = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$PipeSecurity.AddAccessRule($AccessRule)
$pipename="c5da0676f"
# Server end of \\.\pipe\c5da0676f: duplex, up to 10 instances, byte mode, no options,
# 1024-byte in/out buffers, with the DACL above.
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream($pipename,"InOut", 10, "Byte", "None", 1024, 1024, $PipeSecurity)
# Raw Win32 pipe handle, e.g. to cross-check against pipelist / handle output.
$PipeHandle = $pipe.SafePipeHandle.DangerousGetHandle()
PS test2:
# The name is passed verbatim; NamedPipeServerStream prefixes \\.\pipe\ itself.
$pipe=new-object System.IO.Pipes.NamedPipeServerStream("\.\pipe\Wulf");
# Block until a client connects, then echo lines until the client sends 'exit'.
$pipe.WaitForConnection();
$sr = new-object System.IO.StreamReader($pipe);
# ReadLine() returns $null once the client disconnects; stop then as well,
# otherwise the loop never ends when the client goes away without sending 'exit'.
while (($cmd= $sr.ReadLine()) -ne $null -and $cmd -ne 'exit'){$cmd};
$sr.Dispose();
$pipe.Dispose();
The pipes created above are trackable via the pipelist tool, but no events (17) are generated by Sysmon.
For Sysmon 11.10 everything works as expected
Please let us know if this is a known problem, and whether it is going to be addressed in future releases or not.
P.S. syssite@microsoft.com is returning bouncebacks; is there any replacement?
Many thanks!
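The following is an added example and is not part of the original post or of Sysmon itself. It creates a named pipe, connects a client to it in the same process, and then reads Microsoft-Windows-Sysmon/Operational for the matching Event 17 (Pipe Created) and Event 18 (Pipe Connected) records, so that "no event generated" can be distinguished from "event generated but filtered or missed". It assumes Sysmon is installed with a configuration that logs PipeEvent (for example the `<PipeEvent onmatch="exclude"></PipeEvent>` rule with no child rules from the post, which logs every pipe event) and that the session is elevated enough to read the Sysmon log; the pipe name prefix `sysmon-pipe-test-` and the 2-second settle time are arbitrary choices of this example.

```powershell
# Added example (not from the original post): create a pipe, connect to it,
# then look up the Sysmon Event 17/18 records for exactly that pipe.
# Assumes Sysmon logs PipeEvent and the session can read its operational log.

$pipeName = 'sysmon-pipe-test-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
$since    = (Get-Date).AddSeconds(-5)

# Server end: creating this should produce Sysmon Event 17 (Pipe Created).
# Asynchronous option so WaitForConnectionAsync does not block this thread.
$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    1,
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::Asynchronous)
$wait = $server.WaitForConnectionAsync()

# Client end, same process: connecting should produce Event 18 (Pipe Connected).
$client = [System.IO.Pipes.NamedPipeClientStream]::new('.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$client.Connect(5000)
[void]$wait.Wait(5000)
$client.Dispose()
$server.Dispose()

# Give the Sysmon service a moment to flush the events to the log.
Start-Sleep -Seconds 2

# Pull Event 17/18 written since just before the pipe was created and keep
# only the records whose PipeName field refers to our pipe.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 17, 18
    StartTime = $since
}
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['PipeName'] -like "*$pipeName*") {
        [pscustomobject]@{
            EventId   = $_.Id
            Time      = $_.TimeCreated
            PipeName  = $data['PipeName']
            Image     = $data['Image']
            ProcessId = $data['ProcessId']
        }
    }
}

if ($hits) {
    # Expect one Event 17 and one Event 18, both with Image = the PowerShell host.
    $hits | Format-Table -AutoSize
} else {
    Write-Warning "No Sysmon Event 17/18 found for \\.\pipe\$pipeName; check the PipeEvent rule and the Sysmon version in use."
}
```

Running the same script against Sysmon 11.10 and 12.0x on the same host gives a like-for-like comparison: if the pipe shows up in pipelist and the `Write-Warning` branch is hit only on the newer binary, the difference is in Sysmon's pipe instrumentation rather than in the configuration or the test script.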