
CobaltStrike Named Pipe Pattern Regex

Sigma Rules

Summary
The CobaltStrike Named Pipe Pattern Regex rule detects the creation of named pipes whose names match patterns associated with Cobalt Strike, a widely used penetration-testing and red-teaming framework. Named pipes are a Windows interprocess-communication mechanism; Cobalt Strike's SMB Beacon uses them to relay command and control (C2) traffic between compromised hosts, so the pipe name is a host-side artifact of its activity.

The rule is a set of regular expressions matched against the pipe name. Besides the framework's default pipe names, it includes patterns for names used by publicly available Malleable C2 profiles, the configuration files operators use to make Beacon's network and host artifacts, pipe names included, resemble legitimate software. Because the match is on the pipe name alone, an operator who sets a unique pipe name in a custom profile will evade it; treat a hit as one signal and corroborate it with the creating process (Sysmon's Image field).

To feed the rule, Sysmon must be configured to log named-pipe events: Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected). The rule is rated high severity because a matching pipe is an early indicator of a Beacon on the host, when containment is cheapest. To validate the detection, either run Cobalt Strike with the relevant pipe configuration or use a public script that creates pipes with the matching names, then confirm the alert fires.
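The following is an added example, not the Sigma rule or its pattern list. It shows the detection mechanics the summary describes: Sysmon Event ID 17/18 records are parsed, the EventID is checked, and the PipeName field is run through a list of regexes with Sigma-style unanchored search semantics. The four regexes are illustrative assumptions modelled on widely documented Cobalt Strike defaults (MSSE-<n>-server, msagent_<hex>, postex_<hex>), not copied from the rule, and the event records are constructed sample data.

```python
"""Apply Cobalt Strike-style named-pipe regexes to Sysmon pipe events (IDs 17/18).

Added example, not the Sigma rule itself. The regexes below are illustrative
assumptions modelled on widely documented Cobalt Strike defaults, not the rule's
own pattern list, and the Sysmon records are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET

# Sysmon named-pipe events: 17 = Pipe Created, 18 = Pipe Connected.
PIPE_EVENT_IDS = {17, 18}

# Illustrative patterns (assumption: based on well-known Beacon defaults such as
# the MSSE-<n>-server SMB pipe; the real rule carries a much longer list).
# Sigma's `re` modifier is applied here as an unanchored, case-sensitive search.
PIPE_PATTERNS = {
    "cs_default_smb_beacon": re.compile(r"\\MSSE-[0-9]{3,4}-server"),
    "cs_default_msagent":    re.compile(r"\\msagent_[0-9a-f]{2}"),
    "cs_postex_ssh":         re.compile(r"\\postex_ssh_[0-9a-f]{4}"),
    "cs_postex_job":         re.compile(r"\\postex_[0-9a-f]{4}"),
}

# Default namespace of Windows event XML, which Sysmon records use.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event record into {"EventID": int, <Data Name>: text}."""
    root = ET.fromstring(xml_text)
    record = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        record[data.get("Name")] = data.text or ""
    return record


def match_pipe_event(record):
    """Return the name of the first pattern matching the record's PipeName, or None.

    Non-pipe events are ignored, so a suspicious string in some other event
    type cannot trigger this logic.
    """
    if record.get("EventID") not in PIPE_EVENT_IDS:
        return None
    pipe_name = record.get("PipeName", "")
    for name, pattern in PIPE_PATTERNS.items():
        if pattern.search(pipe_name):
            return name
    return None


def scan(xml_records):
    """Return (EventID, PipeName, Image, pattern_name) for every matching record."""
    hits = []
    for xml_text in xml_records:
        record = parse_sysmon_event(xml_text)
        matched = match_pipe_event(record)
        if matched:
            hits.append((record["EventID"], record["PipeName"], record.get("Image", ""), matched))
    return hits


def sysmon_pipe_event_xml(event_id, pipe_name, image, pid):
    """Build a minimal Sysmon event in Windows event XML layout (constructed sample data)."""
    event_type = "CreatePipe" if event_id == 17 else "ConnectPipe"
    return (
        f'<Event xmlns="{NS["e"]}">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        "<EventData>"
        f'<Data Name="EventType">{event_type}</Data>'
        f'<Data Name="ProcessId">{pid}</Data>'
        f'<Data Name="PipeName">{pipe_name}</Data>'
        f'<Data Name="Image">{image}</Data>'
        "</EventData></Event>"
    )


# Constructed sample log: three Beacon-style pipes, one benign pipe, and one
# synthetic negative control (a non-pipe event carrying a suspicious PipeName).
SAMPLE_RECORDS = [
    sysmon_pipe_event_xml(17, "\\MSSE-4816-server", "C:\\Windows\\System32\\rundll32.exe", 4816),
    sysmon_pipe_event_xml(18, "\\postex_1a2b", "C:\\Windows\\System32\\svchost.exe", 2044),
    sysmon_pipe_event_xml(17, "\\msagent_2f", "C:\\Windows\\System32\\dllhost.exe", 5120),
    sysmon_pipe_event_xml(17, "\\lsass", "C:\\Windows\\System32\\lsass.exe", 708),
    sysmon_pipe_event_xml(1, "\\MSSE-4816-server", "C:\\Windows\\System32\\rundll32.exe", 4816),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print("ALERT eid=%d pipe=%s image=%s pattern=%s" % hit)
```

Running the script prints three alerts: the MSSE and msagent pipes from Event ID 17 and the postex pipe from Event ID 18. The `\lsass` pipe and the Event ID 1 record produce nothing, which is the behaviour to expect from the real rule: it fires only on pipe events, and only when the pipe name matches. When validating against a live Sysmon deployment, the same check can be applied to exported EVTX-to-XML records, since the parser reads the standard EventData layout.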
Categories
  • Windows
  • Endpoint
Data Sources
  • Named Pipe
  • Process
Created: 2021-07-30