Data Source: Sysmon EventID 18

Date: 2026-05-13

ID: 37eb3554-214e-4e66-af10-c3ffc5b8ca82

Author: Patrick Bareiss, Splunk

Description

Logs the connection to a named pipe, including details about the pipe name, source and destination processes, and communication direction.

Details

Property	Value
Source	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sourcetype	`XmlWinEventLog`
Separator	EventID

Name ▲▼	Technique ▲▼	Type ▲▼
Trickbot Named Pipe	Process Injection	TTP
Windows Anonymous Pipe Activity	Inter-Process Communication	Hunting
Windows Suspicious Named Pipe	SMB/Windows Admin Shares, Process Injection, Inter-Process Communication	TTP
Windows Application Layer Protocol RMS Radmin Tool Namedpipe	Application Layer Protocol	TTP
Windows App Layer Protocol Wermgr Connect To NamedPipe	Application Layer Protocol	Anomaly
Windows Suspicious C2 Named Pipe	SMB/Windows Admin Shares, Process Injection, Inter-Process Communication	TTP
Windows RMM Named Pipe	SMB/Windows Admin Shares, Process Injection, Inter-Process Communication	Anomaly
Windows App Layer Protocol Qakbot NamedPipe	Application Layer Protocol	Anomaly
Windows PUA Named Pipe	SMB/Windows Admin Shares, Process Injection, Inter-Process Communication	Anomaly

Supported Apps

Splunk Add-on for Sysmon (version 5.0.0)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">EventChannel</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventDescription</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">EventType</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">Image</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">PipeName</span>
  
  <span class="pill kill-chain">ProcessGuid</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">ProcessId</span>
  
  <span class="pill kill-chain">RecordID</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">RuleName</span>
  
  <span class="pill kill-chain">SecurityID</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">TimeCreated</span>
  
  <span class="pill kill-chain">UserID</span>
  
  <span class="pill kill-chain">UtcTime</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">os</span>
  
  <span class="pill kill-chain">pipe_name</span>
  
  <span class="pill kill-chain">process_exec</span>
  
  <span class="pill kill-chain">process_guid</span>
  
  <span class="pill kill-chain">process_id</span>
  
  <span class="pill kill-chain">process_name</span>
  
  <span class="pill kill-chain">process_path</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">severity_id</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>18</EventID><Version>1</Version><Level>4</Level><Task>18</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2021-04-19T21:00:19.312721800Z'/><EventRecordID>162173</EventRecordID><Correlation/><Execution ProcessID='2816' ThreadID='2452'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-982.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>ConnectPipe</Data><Data Name='UtcTime'>2021-04-19 21:00:19.312</Data><Data Name='ProcessGuid'>{761B69BB-EF62-607D-B211-00000000BA01}</Data><Data Name='ProcessId'>6960</Data><Data Name='PipeName'>\MSSE-1516-server</Data><Data Name='Image'>C:\Users\Administrator\Desktop\beacon.exe</Data></EventData></Event>

Required Output Fields

dest
dvc
pipe_name
process_exec
process_guid
process_id
process_name
process_path
signature
signature_id
user_id
vendor_product

Source: GitHub | Version: 4