HackTool - CoercedPotato Named Pipe Creation

Sigma Rules

Summary
The detection rule "HackTool - CoercedPotato Named Pipe Creation" identifies activity of the CoercedPotato tool by monitoring named pipe creation in Windows environments. CoercedPotato is used for privilege escalation, abusing named pipes to execute arbitrary code with elevated privileges. The rule looks for named pipes whose name contains the string '\coerced\', which is characteristic of the tool's operation. To use this detection, Sysmon must be configured to log named pipe events, specifically Event IDs 17 and 18. It is critical that Sysmon logging is set up correctly, for example with a configuration such as the widely used sysmon-config GitHub repository, so that these events are captured comprehensively. The detection can be tested with PowerShell scripts that simulate the named pipe interactions associated with CoercedPotato. Because of its high sensitivity level, the rule is intended to reduce the risk of unauthorized privilege escalation on Windows systems.
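The following is an added example, not the rule's own Sigma YAML or code from the rule's authors: it applies the detection logic described above (Sysmon Event ID 17 or 18 with a pipe name containing '\coerced\') to a few constructed Sysmon-style event records, so an analyst can see which records fire and which do not. Field names (EventID, PipeName, Image, ProcessId) follow Sysmon's event schema; the sample records themselves are made up, and the case-insensitive match mirrors the default behaviour of Sigma's `contains` modifier.

```python
"""Apply the CoercedPotato named-pipe detection logic to constructed Sysmon events.

Added example only; it is not the published rule or its test script.
"""
import re

# Sysmon named-pipe events: 17 = Pipe Created, 18 = Pipe Connected.
PIPE_EVENT_IDS = {17, 18}

# Sigma string matching is case-insensitive by default, so match the same way.
COERCED_PATTERN = re.compile(re.escape("\\coerced\\"), re.IGNORECASE)

# Constructed records, shaped the way a SIEM would present Sysmon fields.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": r"\coerced\svc",
     "Image": r"C:\Users\alice\tool.exe", "ProcessId": 4211},
    {"EventID": 18, "PipeName": r"\coerced\svc",
     "Image": r"C:\Windows\System32\spoolsv.exe", "ProcessId": 1804},
    {"EventID": 17, "PipeName": r"\lsass",
     "Image": r"C:\Windows\System32\lsass.exe", "ProcessId": 712},
    # Event ID 1 (process create) carries the string but is not a pipe event.
    {"EventID": 1, "CommandLine": r"cmd.exe /c whoami",
     "Image": r"C:\Windows\System32\cmd.exe", "ProcessId": 5000},
    # Upper-case variant: still matches because the comparison is case-insensitive.
    {"EventID": 17, "PipeName": r"\COERCED\abc",
     "Image": r"C:\Temp\x.exe", "ProcessId": 9001},
]


def matches_rule(event):
    """Return True when the event meets the rule's named-pipe condition."""
    if event.get("EventID") not in PIPE_EVENT_IDS:
        return False
    return COERCED_PATTERN.search(event.get("PipeName", "")) is not None


def detect(events):
    """Return (EventID, ProcessId, PipeName) for every matching event."""
    return [
        (e["EventID"], e["ProcessId"], e["PipeName"])
        for e in events
        if matches_rule(e)
    ]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("CoercedPotato named-pipe pattern:", hit)
```

Running the block reports the two '\coerced\svc' records and the upper-case variant, while the lsass pipe and the process-creation event are ignored; in a real pipeline the match would be joined with the Process data source to inspect the creating and connecting images.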
Categories
  • Windows
  • Endpoint
Data Sources
  • Named Pipe
  • Process
Created: 2023-10-11