
0 Votes
tim-1106 asked, dstaulcu edited

Sysmon - not logging "Pipe created" events (Event 17)

Hello!

We have tried to generate/reproduce Event 17:
<event name="SYSMON_CREATE_NAMEDPIPE" value="17" level="Informational" template="Pipe Created" rulename="PipeEvent" ruledefault="exclude" version="1">
With no success

Env:
Microsoft Windows 10 Enterprise 10.0.18363

Sysmon binary:
12.02, 12.03

Config:

<Sysmon schemaversion="4.40">
  <HashAlgorithms>*</HashAlgorithms>
  <CheckRevocation></CheckRevocation>
  <DnsLookup>True</DnsLookup>
  <ArchiveDirectory>Archive</ArchiveDirectory>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"></ProcessCreate>
      <FileCreateTime onmatch="include"></FileCreateTime>
      <NetworkConnect onmatch="include"></NetworkConnect>
      <ProcessTerminate onmatch="include"></ProcessTerminate>
      <DriverLoad onmatch="include"></DriverLoad>
      <ImageLoad onmatch="include"></ImageLoad>
      <CreateRemoteThread onmatch="include"></CreateRemoteThread>
      <RawAccessRead onmatch="include"></RawAccessRead>
      <ProcessAccess onmatch="include"></ProcessAccess>
      <FileCreate onmatch="include"></FileCreate>
      <RegistryEvent onmatch="include"></RegistryEvent>
      <FileCreateStreamHash onmatch="include"></FileCreateStreamHash>
      <PipeEvent onmatch="exclude"></PipeEvent>
      <WmiEvent onmatch="exclude"></WmiEvent>
      <DnsQuery onmatch="include"></DnsQuery>
      <FileDelete onmatch="include"></FileDelete>
      <ClipboardChange onmatch="include"></ClipboardChange>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

PS test1:

# Build a DACL that grants Everyone read/write on the pipe. The rule only takes
# effect once it is added to the PipeSecurity object.
$PipeSecurity = New-Object System.IO.Pipes.PipeSecurity
$AccessRule = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$PipeSecurity.AddAccessRule($AccessRule)
$pipename = "c5da0676f"
# Create the server end of \\.\pipe\c5da0676f (InOut, up to 10 instances, byte mode,
# 1 KiB buffers). This constructor call is what should produce Sysmon Event 17.
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream($pipename, "InOut", 10, "Byte", "None", 1024, 1024, $PipeSecurity)
$PipeHandle = $pipe.SafePipeHandle.DangerousGetHandle()

PS test2:

# Server end of \\.\pipe\Wulf; the class prepends \\.\pipe\ itself, so only the name is passed.
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream("Wulf")
$pipe.WaitForConnection()
$sr = New-Object System.IO.StreamReader($pipe)
# Echo each line the client sends until it sends 'exit' or disconnects
# (ReadLine returns $null on disconnect; without that check the loop never ends).
while (($cmd = $sr.ReadLine()) -ne $null -and $cmd -ne 'exit') { $cmd }
$sr.Dispose()
$pipe.Dispose()

The pipes created above are trackable via the pipelist tool, but no events (17) are generated by Sysmon.

For Sysmon 11.10 everything works as expected

Please let us know if this is a known problem, and whether it is going to be addressed in future releases or not.

P.S. syssite@microsoft.com is returning bouncebacks; is there a replacement?

Many thanks!

windows-sysinternals-sysmon

1 Answer

0 Votes
dstaulcu answered, dstaulcu edited

Your configuration content does not load for me with Sysmon v12.03. It does not make sense to me that you would include multiple event types in a single rule group.

With that in mind, I commented out all event types except PipeEvent from the rule group in your configuration content. After doing so, the config file merged just fine and Sysmon 12.03 logged activities of your pipe creation method.

I had a hard time wrapping my brain around rule groups and compound rule groups. In case that is a challenge for you too, here is a blog entry where MarkC describes the enhancement in detail. Here also is a PowerShell script I use to generate Sysmon config templates for an installed version of Sysmon. The templates have placeholders for rule groups and compound rules.
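The following is an added example, not code from either post or from Sysinternals: it writes a configuration that keeps PipeEvent in its own rule group (the structure the answer arrives at), loads it, creates a throwaway named pipe, and then checks the Sysmon operational log for an Event ID 17 naming that pipe. The config path, the `sysmon64.exe` binary name, the pipe name and the five-minute search window are assumptions; run it from an elevated prompt on a host where Sysmon 12.x is already installed.

```powershell
# Added example: verify that Event 17 (Pipe Created) is logged once PipeEvent sits
# in its own RuleGroup. Assumes sysmon64.exe is on PATH and Sysmon is installed.
$configPath = Join-Path $env:TEMP 'sysmon-pipeevent.xml'   # assumed location

# One RuleGroup per event type. PipeEvent with onmatch="exclude" and no filters
# means "exclude nothing", i.e. log every pipe create/connect event.
@'
<Sysmon schemaversion="4.40">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="PipeEvents" groupRelation="or">
      <PipeEvent onmatch="exclude"></PipeEvent>
    </RuleGroup>
    <RuleGroup name="ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="exclude"></ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding ASCII

# Push the configuration into the running Sysmon service (requires elevation).
& sysmon64.exe -c $configPath

# Create and immediately tear down a uniquely named server pipe so the
# resulting Event 17 is easy to tell apart from normal system activity.
$pipeName = 'sysmon-test-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream($pipeName)
$pipe.Dispose()
Start-Sleep -Seconds 2   # allow the event to reach the channel

# Search the last five minutes of the Sysmon operational log for Event ID 17
# whose message mentions our pipe name.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 17
    StartTime = (Get-Date).AddMinutes(-5)
}
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$pipeName*" }

if ($hits) {
    Write-Host "Event 17 logged for \\.\pipe\$pipeName"
    $hits | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Warning "No Event 17 for \\.\pipe\$pipeName; check that the config loaded (sysmon64.exe -c with no argument shows the active rules)."
}
```

The same check works for a configuration that does not load at all: if `sysmon64.exe -c` rejects the file, the old rule set stays active and the final branch reports no hit, which is the symptom described in the question.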

