Sysmon Event ID 17

SourceSysmon

17: Pipe created

This is an event from Sysmon.

On this page

Named pipes are an inteprocess communication (IPC) method in Windows similar to Sockets/TCP.  Named pipes are possible to be used over the network but very uncommon given today's ubiquity of IP networks.  Name pipes are still used extensively for IPC between proceses on the same Windows system - including by malware components.  With this event Sysmon allows you to monitor the creation of named pipes which could be useful for detecting malware after footprint any harmless pipes created by legitimate programs.  SQL Server named pipes for instance are often used by local client processes.

This event shows the creation of named pipes on the server side of the pipe.  Event ID 18 documents any connections to the pipe by a client.

Free Security Log Resources by Randy

Description Fields in 17

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • Pipe Created
  • UtcTime
  • ProcessGuid
  • ProcessId
  • PipeName
  • Image

Supercharger Free Edition


Your entire Windows Event Collection environment on a single pane of glass.

Free.

 

Examples of 17

Log Name:      Microsoft-Windows-Sysmon/Operational
Source:        Microsoft-Windows-Sysmon
Date:          4/11/2018 9:07:26 AM
Event ID:      17
Task Category: Pipe Created (rule: PipeEvent)
Level:         Information
Keywords:     
User:          SYSTEM
Computer:      rfsh.lab.local
Description:
Pipe Created:
UtcTime: 2018-04-11 16:07:26.244
ProcessGuid: {c47a3e70-32bd-5ace-0000-0010b1f39501}
ProcessId: 19564
PipeName: \testpipe
Image: C:\Users\rsmith\source\repos\namedpipecreate\namedpipecreate\bin\Debug\namedpipecreate.exe

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>17</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>17</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-04-11T16:07:26.245490100Z" />
    <EventRecordID>59596</EventRecordID>
    <Correlation />
    <Execution ProcessID="7620" ThreadID="21808" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>rfsh.lab.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="UtcTime">2018-04-11 16:07:26.244</Data>
    <Data Name="ProcessGuid">{C47A3E70-32BD-5ACE-0000-0010B1F39501}</Data>
    <Data Name="ProcessId">19564</Data>
    <Data Name="PipeName">\testpipe</Data>
    <Data
Name="Image">C:\Users\rsmith\source\repos\namedpipecreate\namedpipecreate\bin\Debug\namedpipecreate.exe</Data>
  </EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources