
Summary
This rule detects creation of, or connection to, the default named pipe used by PAExec, a command-line tool (a freely redistributable PsExec alternative from Power Admin) that executes processes on remote Windows systems. PAExec is regularly abused by attackers for lateral movement and remote command execution, including by C2 tooling, so its default pipe name is a well-known host artifact of that activity. The rule matches Sysmon named pipe events (Event ID 17, Pipe Created, and Event ID 18, Pipe Connected) whose PipeName field starts with '\PAExec'. Sysmon records pipe events only when its configuration contains a PipeEvent rule, so if that is not already in place, review the Sysmon configuration and confirm these events are being logged; the rule's references point to configurations that improve detection coverage and to tools for exercising named pipes during testing.

The rule targets Windows and carries a medium severity level: the behavior is noteworthy, but further context (the source user and host, and whether PAExec is an approved administration tool) is usually required to assess criticality. False positives are expected where administrators use PAExec legitimately; tune by allowlisting the accounts or source hosts known to run it rather than by loosening the pipe-name match.
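The following is an added example, not code from the Sigma rule, Sysmon, or PAExec: it re-implements the rule's selection (Sysmon Event ID 17 or 18, PipeName starting with '\PAExec', matched case-insensitively as Sigma does by default) over a handful of constructed Sysmon event messages, and adds the kind of allowlist triage a SOC would put in front of it. The Sysmon message text, process GUIDs, hostnames and account names are invented for the example, and the `\PAExec-<pid>-<hostname>` layout that `pipe_details` parses is an assumption about how PAExec names its pipes, not something the rule itself relies on.

```python
"""PAExec default named pipe detection over Sysmon pipe events.

Added example: re-implements the Sigma rule's logic in Python for testing
and triage. Sample events below are constructed, not captured from a host.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sysmon event IDs selected by the rule.
PIPE_CREATED = 17    # Sysmon "Pipe Created"
PIPE_CONNECTED = 18  # Sysmon "Pipe Connected"

# Sigma: PipeName|startswith '\PAExec'. Sigma string matching is
# case-insensitive by default, so both sides are lowercased before comparing.
PIPE_PREFIX = "\\paexec"


@dataclass(frozen=True)
class PipeEvent:
    event_id: int
    utc_time: str
    process_id: int
    pipe_name: str
    image: str
    user: str


def parse_sysmon_message(event_id: int, message: str) -> PipeEvent:
    """Parse the 'Field: value' lines of a rendered Sysmon pipe event message."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(": ")
        if sep:  # skip the "Pipe Created:" / "Pipe Connected:" header line
            fields[key.strip()] = value.strip()
    return PipeEvent(
        event_id=event_id,
        utc_time=fields.get("UtcTime", ""),
        process_id=int(fields.get("ProcessId", "0")),
        pipe_name=fields.get("PipeName", ""),
        image=fields.get("Image", ""),
        user=fields.get("User", ""),
    )


def matches_rule(event: PipeEvent) -> bool:
    """The rule's selection: pipe event (17/18) whose name starts with \\PAExec."""
    if event.event_id not in (PIPE_CREATED, PIPE_CONNECTED):
        return False
    return event.pipe_name.lower().startswith(PIPE_PREFIX)


def pipe_details(pipe_name: str) -> Optional[dict]:
    """Split an assumed \\PAExec-<pid>-<host> pipe name into its parts.

    Assumption for triage only; returns None if the name has another layout.
    """
    m = re.match(r"\\PAExec-(\d+)-([^\\-]+)", pipe_name, re.IGNORECASE)
    if not m:
        return None
    return {"pid": int(m.group(1)), "host": m.group(2)}


def triage(hits, allowed_users):
    """Split rule hits into (escalate, suppressed) using an account allowlist.

    Tuning happens here, on who ran PAExec, not by weakening the pipe match.
    """
    escalate, suppressed = [], []
    for e in hits:
        (suppressed if e.user.lower() in allowed_users else escalate).append(e)
    return escalate, suppressed


# Constructed Sysmon messages (event_id, message); not real telemetry.
SAMPLE_EVENTS = [
    (17, r"""Pipe Created:
RuleName: -
EventType: CreatePipe
UtcTime: 2022-10-26 10:15:03.117
ProcessGuid: {0b4a3a2e-1d3c-6359-1a00-000000001500}
ProcessId: 8464
PipeName: \PAExec-8464-WS01
Image: C:\Windows\PAExec-8464-WS01.exe
User: CORP\svc_admin"""),
    (18, r"""Pipe Connected:
RuleName: -
EventType: ConnectPipe
UtcTime: 2022-10-26 10:15:03.240
ProcessGuid: {0b4a3a2e-1d3c-6359-1b00-000000001500}
ProcessId: 8464
PipeName: \paexec-8464-WS01-stdout
Image: C:\Windows\PAExec-8464-WS01.exe
User: CORP\jdoe"""),
    (17, r"""Pipe Created:
RuleName: -
EventType: CreatePipe
UtcTime: 2022-10-26 10:16:44.003
ProcessGuid: {0b4a3a2e-1e7c-6359-1c00-000000001500}
ProcessId: 5120
PipeName: \mojo.5120.1122.334455
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
User: CORP\jdoe"""),
]


def run_detection(events=SAMPLE_EVENTS):
    """Parse the sample messages and return the events the rule fires on."""
    parsed = [parse_sysmon_message(eid, msg) for eid, msg in events]
    return [e for e in parsed if matches_rule(e)]


if __name__ == "__main__":
    hits = run_detection()
    escalate, suppressed = triage(hits, allowed_users={"corp\\svc_admin"})
    for e in escalate:
        print(f"ESCALATE  EID {e.event_id}  {e.user}  {e.pipe_name}  {pipe_details(e.pipe_name)}")
    for e in suppressed:
        print(f"SUPPRESS  EID {e.event_id}  {e.user}  {e.pipe_name}")
```

Running the script flags the two PAExec pipe events and ignores the Chrome mojo pipe; the allowlist then suppresses the hit from the approved service account while the one from `CORP\jdoe` is escalated. Keeping the pipe match strict and doing the tuning in `triage` preserves visibility when an attacker runs PAExec under a stolen non-admin account.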
Categories
- Windows
- Endpoint
Data Sources
- Named Pipe
- Application Log
Created: 2022-10-26