Data Source: Sysmon EventID 17

Date: 2025-07-10

ID: 08924246-c8e8-4c95-a9fc-633c43cc82df

Author: Patrick Bareiss, Splunk

Description

Sysmon EventID 17 logs details about the detection of a named pipe.

Details

Property	Value
Source	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sourcetype	`XmlWinEventLog`
Separator	EventID

Name ▲▼	Technique ▲▼	Type ▲▼
Trickbot Named Pipe	Process Injection	TTP
Windows Anonymous Pipe Activity	Inter-Process Communication	Hunting
Windows App Layer Protocol Qakbot NamedPipe	Application Layer Protocol	Anomaly
Windows App Layer Protocol Wermgr Connect To NamedPipe	Application Layer Protocol	Anomaly
Windows Application Layer Protocol RMS Radmin Tool Namedpipe	Application Layer Protocol	TTP
Windows PUA Named Pipe	Inter-Process Communication, SMB/Windows Admin Shares, Process Injection	Anomaly
Windows RMM Named Pipe	Inter-Process Communication, SMB/Windows Admin Shares, Process Injection	Anomaly
Windows Suspicious C2 Named Pipe	Inter-Process Communication, SMB/Windows Admin Shares, Process Injection	TTP
Windows Suspicious Named Pipe	Inter-Process Communication, SMB/Windows Admin Shares, Process Injection	TTP

Supported Apps

Splunk Add-on for Sysmon (version 5.0.0)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">EventChannel</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventDescription</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">EventType</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">Image</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">PipeName</span>
  
  <span class="pill kill-chain">ProcessGuid</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">ProcessId</span>
  
  <span class="pill kill-chain">RecordID</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">RuleName</span>
  
  <span class="pill kill-chain">SecurityID</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">TimeCreated</span>
  
  <span class="pill kill-chain">UserID</span>
  
  <span class="pill kill-chain">UtcTime</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">os</span>
  
  <span class="pill kill-chain">pipe_name</span>
  
  <span class="pill kill-chain">process_exec</span>
  
  <span class="pill kill-chain">process_guid</span>
  
  <span class="pill kill-chain">process_id</span>
  
  <span class="pill kill-chain">process_name</span>
  
  <span class="pill kill-chain">process_path</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">severity_id</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>17</EventID><Version>1</Version><Level>4</Level><Task>17</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2021-04-19T21:00:18.288457000Z'/><EventRecordID>162168</EventRecordID><Correlation/><Execution ProcessID='2816' ThreadID='2452'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-982.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>CreatePipe</Data><Data Name='UtcTime'>2021-04-19 21:00:18.288</Data><Data Name='ProcessGuid'>{761B69BB-EF62-607D-B211-00000000BA01}</Data><Data Name='ProcessId'>6960</Data><Data Name='PipeName'>\MSSE-1516-server</Data><Data Name='Image'>C:\Users\Administrator\Desktop\beacon.exe</Data></EventData></Event>

Required Output Fields

dest
dvc
pipe_name
process_exec
process_guid
process_id
process_name
process_path
signature
signature_id
user_id
vendor_product

Source: GitHub | Version: 3

Data Source: Sysmon EventID 17

Description

Details

Related Detections

Supported Apps

Event Fields

Example Log

Required Output Fields