Event ID 18 — PipeEvent (Pipe Connected)
Description
Sysmon logs this event when a client process connects to a named pipe served by another process. The creation of the pipe itself is logged separately as Event ID 17 (Pipe Created).
Message
Fields
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to the event, e.g. an ATT&CK technique ID |
| EventType | UnicodeString → string | The type of pipe event (ConnectPipe) |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that connected to the pipe |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that connected to the pipe |
| PipeName | UnicodeString → string | Name of the pipe that was connected to |
| Image | UnicodeString → string | File path of the process that connected to the pipe |
| User | UnicodeString → string | Name of the account that made the named pipe connection |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 18,
    "version": 1,
    "level": 4,
    "task": 18,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:04:25.137463+00:00",
    "event_record_id": 1441110,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "ConnectPipe",
    "UtcTime": "2023-11-06 02:04:25.084",
    "ProcessGuid": "E56ADA26-17F7-6548-5800-000000000D00",
    "ProcessId": 4404,
    "PipeName": "\\wkssvc",
    "Image": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
    "User": "NT AUTHORITY\\NETWORK SERVICE"
  },
  "message": ""
}
```
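The following Python is an added example, not code from the page or from Sysmon's tooling. It parses Event ID 18 records in the JSON shape shown above into the fields documented in the Fields table (treating the `"-"` in `RuleName` as "no rule tag"), then runs a simple baseline rule of the kind the Detection Patterns section lists: flag a connection to a known pipe when the client `Image` is not one observed during a clean baseline. The first record is the page's example event (system fields trimmed); the second record, the `EXPECTED_CLIENTS` baseline, and the image path and GUID in it are constructed for illustration.

```python
import json
from dataclasses import dataclass
from typing import Iterable, Optional

# Event ID 18 record as shown in the page's example event (system block trimmed).
PAGE_EXAMPLE = r'''{
  "system": {"provider": "Microsoft-Windows-Sysmon", "event_id": 18,
             "channel": "Microsoft-Windows-Sysmon/Operational",
             "computer": "WinDev2310Eval"},
  "event_data": {
    "RuleName": "-",
    "EventType": "ConnectPipe",
    "UtcTime": "2023-11-06 02:04:25.084",
    "ProcessGuid": "E56ADA26-17F7-6548-5800-000000000D00",
    "ProcessId": 4404,
    "PipeName": "\\wkssvc",
    "Image": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
    "User": "NT AUTHORITY\\NETWORK SERVICE"
  }
}'''

# Constructed record (not from the page): same pipe, but the client is a binary in
# a user-writable directory. The image path and ProcessGuid are made up.
CONSTRUCTED_EXAMPLE = r'''{
  "system": {"provider": "Microsoft-Windows-Sysmon", "event_id": 18,
             "channel": "Microsoft-Windows-Sysmon/Operational",
             "computer": "WinDev2310Eval"},
  "event_data": {
    "RuleName": "-",
    "EventType": "ConnectPipe",
    "UtcTime": "2023-11-06 02:05:10.001",
    "ProcessGuid": "00000000-0000-0000-0000-000000000000",
    "ProcessId": 5120,
    "PipeName": "\\wkssvc",
    "Image": "C:\\Users\\Public\\updater.exe",
    "User": "WINDEV2310EVAL\\User"
  }
}'''


@dataclass(frozen=True)
class PipeConnect:
    """Normalised view of the event_data fields documented in the Fields table."""
    utc_time: str
    process_guid: str
    process_id: int
    pipe_name: str
    image: str
    user: str
    rule_name: Optional[str]  # None when Sysmon writes "-" (no rule tag applied)


def parse_pipe_event(raw: str) -> PipeConnect:
    """Parse one Sysmon Event ID 18 JSON record; reject other event IDs."""
    rec = json.loads(raw)
    if rec["system"]["event_id"] != 18:
        raise ValueError(f"not a PipeEvent (Pipe Connected) record: {rec['system']['event_id']}")
    data = rec["event_data"]
    if data["EventType"] != "ConnectPipe":
        raise ValueError(f"unexpected EventType for Event ID 18: {data['EventType']}")
    rule = data.get("RuleName", "-")
    return PipeConnect(
        utc_time=data["UtcTime"],
        process_guid=data["ProcessGuid"],
        process_id=int(data["ProcessId"]),  # UInt32 in the schema; some exporters emit a string
        pipe_name=data["PipeName"],
        image=data["Image"],
        user=data["User"],
        rule_name=None if rule == "-" else rule,
    )


# Constructed baseline (an assumption for this example): pipe name, lower-cased,
# mapped to the image basenames seen connecting to it during a clean period.
EXPECTED_CLIENTS = {
    "\\wkssvc": {"wmiprvse.exe", "svchost.exe"},
}


def image_basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: PipeConnect) -> Optional[dict]:
    """Return a finding when a baselined pipe gets a client outside its baseline, else None."""
    expected = EXPECTED_CLIENTS.get(ev.pipe_name.lower())
    if expected is None:
        return None  # pipe not baselined; out of scope for this rule
    if image_basename(ev.image) in expected:
        return None
    return {
        "rule": "unexpected_named_pipe_client",
        "utc_time": ev.utc_time,
        "pipe_name": ev.pipe_name,
        "image": ev.image,
        "process_id": ev.process_id,
        "user": ev.user,
    }


def run_detection(raw_events: Iterable[str]) -> list:
    """Parse each record, skipping ones that are not Event ID 18, and collect findings."""
    findings = []
    for raw in raw_events:
        try:
            ev = parse_pipe_event(raw)
        except ValueError:
            continue
        finding = evaluate(ev)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in run_detection([PAGE_EXAMPLE, CONSTRUCTED_EXAMPLE]):
        print(json.dumps(f))
```

The baseline is keyed on the pipe name exactly as Sysmon records it (a leading backslash, no `\\.\pipe\` prefix), so rules written against other log sources such as Security-Auditing 5145 need their own normalisation before they can share a baseline with this one.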
Detection Patterns
- Named Pipe, 23 rules: Sigma (16 total), Splunk (5 total)
- Named Pipe, 19 rules: Sigma, Splunk (9 total)
- Named Pipe, 15 rules: Sigma, Splunk (6 total), Kusto Query Language. Data sources: Defender-DeviceEvents Event ID 9007006 (Named pipe event) OR Sysmon Event ID 17 (PipeEvent) OR Event ID 18 (PipeEvent)
- Named Pipe, 13 rules: Sigma, Splunk (5 total). Data sources: Security-Auditing Event ID 5145 (A network share object was checked to see whether client can be granted desired access) OR Sysmon Event ID 17 (PipeEvent) OR Event ID 18 (PipeEvent)
- Collection: Data from Local System, 1 rule: Kusto Query Language
Detection Rules
Sigma
- HackTool - DiagTrackEoP Default Named Pipe (source; critical): Detects creation of the default named pipe used by the DiagTrackEoP POC, a tool that abuses the "SeImpersonate" privilege. Also matches Event ID 17: PipeEvent (Pipe Created).
Kusto Query Language
- ADFS Database Named Pipe Connection (source; medium): "This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). In order to use this query you need to be collecting Sysmon EventID 18 (Pipe Connected). If you do not have Sysmon data in your workspace this query will raise an error stating: Failed to resolve scalar expression named "[@Name]""