Event ID 17 — PipeEvent (Pipe Created)
Description
Sysmon generates this event when a named pipe is created (EventType CreatePipe); the companion Event ID 18 records a client connecting to a pipe. Malware often uses named pipes for interprocess communication, which is why both events are a common data source for post-exploitation and lateral-movement detections. Pipe events are not logged by default: Sysmon records them only when its configuration contains a PipeEvent rule.
Fields
| Name | Type (ETW → normalized) | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag of the configuration rule that matched, e.g. an ATT&CK technique ID; "-" when the matching rule carries no name, as in the example below |
| EventType | UnicodeString → string | Type of pipe event; always CreatePipe for Event ID 17 |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that created the pipe |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that created the pipe |
| PipeName | UnicodeString → string | Name of the pipe created |
| Image | UnicodeString → string | File path of the process that created the pipe |
| User | UnicodeString → string | Name of the account that created the named pipe |
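Because Sysmon emits Event ID 17 only when its configuration contains a PipeEvent rule, the configuration is the first thing to check when the event is missing from the log. The fragment below is an added example, not the page's or Sysmon's own configuration; the schema version is an assumption and must match the installed Sysmon build (sysmon -s prints the schema it accepts), and the two exclusions are illustrative noise filters built around the example event.

```xml
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 17 (and 18) are emitted only when a PipeEvent rule exists.
           onmatch="exclude" logs every pipe event except the ones listed here;
           an empty <PipeEvent onmatch="include"/> would log nothing at all. -->
      <PipeEvent onmatch="exclude">
        <!-- Chromium/Edge Mojo IPC pipes, as in the example event (assumed noise) -->
        <PipeName condition="contains">\LOCAL\mojo.</PipeName>
        <!-- Illustrative: drop every pipe the embedded browser itself creates -->
        <Image condition="end with">\msedgewebview2.exe</Image>
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply it with sysmon64 -c sysmon.xml. Prefer excluding named noise over including a short list of "known bad" pipe names: an include-only rule set is silently blind to any pipe name an attacker chooses to change, and the detection rules further down rely on seeing the full stream.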
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 17,
    "version": 1,
    "level": 4,
    "task": 17,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:02:24.642500+00:00",
    "event_record_id": 1433023,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "CreatePipe",
    "UtcTime": "2023-11-06 02:02:24.630",
    "ProcessGuid": "E56ADA26-1A27-6548-3001-000000000D00",
    "ProcessId": 876,
    "PipeName": "\\LOCAL\\mojo.876.3204.14485637353733294330",
    "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\119.0.2151.44\\msedgewebview2.exe",
    "User": "WINDEV2310EVAL\\User"
  },
  "message": ""
}
```
Note that the two process identifiers in the record are different things: system.execution.process_id (7064) and system.security.user_id (S-1-5-18, LocalSystem) belong to the Sysmon service that wrote the event, while event_data.ProcessId (876), Image and User describe the process that actually created the pipe. Detections must key on the event_data fields.
Detection Patterns
- Named Pipe: 23 rules (Sigma, Splunk)
- Named Pipe: 19 rules (Sigma, Splunk)
- Named Pipe, sourced from Defender-DeviceEvents Event ID 9007006 (Named pipe event), or Sysmon Event ID 17 (PipeEvent), or Event ID 18 (PipeEvent): 15 rules (Sigma, Splunk, Kusto Query Language)
- Named Pipe, sourced from Security-Auditing Event ID 5145 (A network share object was checked to see whether client can be granted desired access), or Sysmon Event ID 17 (PipeEvent), or Event ID 18 (PipeEvent): 13 rules (Sigma, Splunk)
Detection Rules
Sigma
- HackTool - DiagTrackEoP Default Named Pipe (level: critical): Detects creation of the default named pipe used by the DiagTrackEoP POC, a tool that abuses the SeImpersonate privilege. Also matches Event ID 18: PipeEvent (Pipe Connected).
Elastic
- Privilege Escalation via Rogue Named Pipe Impersonation (severity: high): Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.
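Both rules above, and the Named Pipe detection patterns, turn on the same three Event ID 17 fields: PipeName, Image and the creating process. The script below is an added example, not code from this page, Sigma, Elastic or Sysmon. It consumes events in the JSON layout shown above and implements two checks over them: a watchlist of pipe-name patterns, and the rogue-named-pipe heuristic of a well-known pipe name being created by an image that does not normally create it. The watchlist patterns (commonly reported Cobalt Strike default pipe names), the creator baseline and the sample log are constructed assumptions for illustration and should be replaced with your own intel and a baseline taken from clean hosts.

```python
import fnmatch
import json

# Constructed watchlist of pipe-name globs, matched case-insensitively.
# These are widely reported default Cobalt Strike pipe names; treat the
# list as an assumption to verify against your own threat intelligence.
SUSPICIOUS_PIPE_GLOBS = (
    "\\msagent_*",
    "\\MSSE-*-server",
    "\\postex_*",
)

# Assumed baseline for illustration: lower-cased pipe name -> lower-cased
# images allowed to create it. Build yours from Event 17 history on clean hosts.
EXPECTED_CREATORS = {
    "\\spoolss": {"c:\\windows\\system32\\spoolsv.exe"},
    "\\lsass": {"c:\\windows\\system32\\lsass.exe"},
}


def parse_pipe_created(raw_json):
    """Return the Event 17 fields of one JSON event, or None for any other event."""
    evt = json.loads(raw_json)
    if evt.get("system", {}).get("event_id") != 17:
        return None
    data = evt["event_data"]
    return {
        "time": data["UtcTime"],
        "pipe": data["PipeName"],
        "image": data["Image"],
        "pid": data["ProcessId"],
        "user": data["User"],
    }


def check_pipe_created(fields):
    """Apply the watchlist and the creator baseline; return a list of findings."""
    findings = []
    pipe = fields["pipe"].lower()
    image = fields["image"].lower()
    for glob in SUSPICIOUS_PIPE_GLOBS:
        if fnmatch.fnmatchcase(pipe, glob.lower()):
            findings.append(f"watchlist pipe name: {fields['pipe']} matches {glob}")
            break
    # Rogue named pipe: a name we expect from a specific service, created by
    # something else. The attacker then waits for a privileged client to connect.
    expected = EXPECTED_CREATORS.get(pipe)
    if expected is not None and image not in expected:
        findings.append(
            f"rogue pipe: {fields['pipe']} created by {fields['image']} "
            f"(expected one of {sorted(expected)})"
        )
    return findings


def scan(lines):
    """Run both checks over newline-delimited JSON events; return alerts only."""
    alerts = []
    for raw in lines:
        fields = parse_pipe_created(raw)
        if fields is None:
            continue
        findings = check_pipe_created(fields)
        if findings:
            alerts.append((fields["time"], fields["pid"], fields["pipe"], findings))
    return alerts


def _event(event_id, pipe, image, pid, event_type):
    """Build one constructed event in the page's JSON layout."""
    return json.dumps({
        "system": {"provider": "Microsoft-Windows-Sysmon", "event_id": event_id,
                   "channel": "Microsoft-Windows-Sysmon/Operational"},
        "event_data": {
            "RuleName": "-", "EventType": event_type,
            "UtcTime": "2023-11-06 02:02:24.630",
            "ProcessGuid": "00000000-0000-0000-0000-000000000000",
            "ProcessId": pid, "PipeName": pipe, "Image": image,
            "User": "WINDEV2310EVAL\\User",
        },
    })


# Constructed sample log: one benign browser pipe (from the example event),
# one watchlist hit, one rogue creator, and one Event 18 the scanner must ignore.
SAMPLE_LOG = [
    _event(17, "\\LOCAL\\mojo.876.3204.14485637353733294330",
           "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\119.0.2151.44\\msedgewebview2.exe",
           876, "CreatePipe"),
    _event(17, "\\msagent_1c", "C:\\Windows\\Temp\\update.exe", 4120, "CreatePipe"),
    _event(17, "\\spoolss", "C:\\Users\\User\\AppData\\Local\\Temp\\svc.exe", 5320, "CreatePipe"),
    _event(18, "\\spoolss", "C:\\Windows\\System32\\svchost.exe", 1188, "ConnectPipe"),
]

if __name__ == "__main__":
    for time, pid, pipe, findings in scan(SAMPLE_LOG):
        print(time, pid, pipe, "; ".join(findings))
```

The baseline check is the part worth investing in: name watchlists catch default tooling but are trivially evaded by renaming the pipe, whereas a pipe name that a service is known to own being created by a process in a user-writable directory is the behaviour the Elastic rule describes, independent of what the attacker calls their tool. Keep the baseline keyed on the full pipe name and compare images case-insensitively, since Sysmon reports paths in the case the creating process used.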