
HackTool - Credential Dumping Tools Named Pipe Created

Summary
This rule detects the execution of credential dumping tools by monitoring named pipe creation on Windows systems. Named pipes are an inter-process communication mechanism on Windows, and several credential dumping tools create pipes with recognisable names to carry out their work. The rule flags the creation of any named pipe whose name contains '\cachedump', '\lsadump', or '\wceservicepipe'. Because Sysmon logs these creations, security teams can use them to spot behaviour indicative of credential harvesting attempts. For the rule to work, Sysmon must be configured to record Event IDs 17 and 18 (its named pipe events). Since the rule targets credential access techniques, analysts must distinguish legitimate administrative use (such as password recovery tools) from malicious activity that compromises user credentials. The references provided give context and further reading on hunting for credential dumping in Windows environments, helping analysts understand the broader landscape of credential theft and protection strategies.
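As an added illustration, not code from the rule's authors or the Sigma project, the matching logic this rule expresses, applied in Python to constructed Sysmon pipe events; the `evaluate` helper, the alert fields it returns and the sample events are assumptions, not page content.

```python
from typing import Iterable, Optional

# Pipe-name fragments the rule looks for. Sigma's 'contains' modifier is
# case-insensitive, so names are lower-cased before comparison.
PIPE_INDICATORS = ("\\cachedump", "\\lsadump", "\\wceservicepipe")

# Sysmon Event ID 17 is "Pipe Created", which the rule's pipe_created log
# source maps to. Event ID 18 ("Pipe Connected") should be logged too for
# context, but this rule does not fire on it.
PIPE_CREATED = 17


def matched_indicator(pipe_name: str) -> Optional[str]:
    """Return the first indicator contained in pipe_name, or None."""
    name = pipe_name.lower()
    for indicator in PIPE_INDICATORS:
        if indicator in name:
            return indicator
    return None


def evaluate(events: Iterable[dict]) -> list:
    """Apply the rule to parsed Sysmon events; return one alert per match."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != PIPE_CREATED:
            continue  # not a pipe-creation event
        hit = matched_indicator(ev.get("PipeName", ""))
        if hit is None:
            continue  # pipe name carries none of the indicators
        alerts.append({
            "indicator": hit,
            "pipe": ev.get("PipeName"),
            "image": ev.get("Image"),
            "pid": ev.get("ProcessId"),
        })
    return alerts


# Constructed sample events (not real telemetry); field names follow
# Sysmon's PipeEvent schema.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": "\\lsadump", "Image": "C:\\Users\\Public\\dump.exe", "ProcessId": 4120},
    {"EventID": 17, "PipeName": "\\WCEServicePipe", "Image": "C:\\Windows\\Temp\\svc.exe", "ProcessId": 5212},
    {"EventID": 17, "PipeName": "\\srvsvc", "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 880},
    {"EventID": 18, "PipeName": "\\lsadump", "Image": "C:\\Users\\Public\\client.exe", "ProcessId": 4130},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields two alerts: the mixed-case `\WCEServicePipe` still matches, the benign `\srvsvc` pipe does not, and the Event ID 18 connection to `\lsadump` is skipped because the rule keys on creation.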
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Named Pipe
  • Process
Created: 2019-11-01