
Summary
This detection rule identifies the creation of, or connection to, suspicious Command and Control (C2) named pipes used by various malware families on Windows systems. It relies on Sysmon Event Codes 17 (PipeCreated) and 18 (PipeConnected) to track named pipe events associated with known C2 frameworks. The rule excludes known legitimate processes from the analysis so that it focuses on potentially malicious activity. If a named pipe matches an entry in a lookup table of suspicious pipe names, an alert is generated. Such a match may indicate malware attempting to establish persistence or maintain command and control over a compromised system. To implement this detection effectively, endpoints must forward logs that include the named pipe details, particularly from hosts running Sysmon version 6.0.4 or higher.
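The detection logic the summary describes, as an added example that is not the rule's own search: a Python function that keeps only Sysmon Event Code 17/18 records, drops allowlisted processes, and matches the pipe name against wildcard patterns from a lookup table. The Sysmon records, the allowlist and the lookup patterns are all constructed placeholders; the rule's real lookup table supplies the actual suspicious pipe names.

```python
import fnmatch
import re

# Constructed Sysmon records (Event Code 17 = PipeCreated, 18 = PipeConnected).
# Field names follow the Sysmon schema; every value here is made up.
SAMPLE_EVENTS = [
    {"EventCode": 17, "Computer": "ws01", "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\example_c2_1234"},        # allowlisted image: suppressed
    {"EventCode": 17, "Computer": "ws01", "Image": r"C:\Users\Public\updater.exe",
     "PipeName": r"\example_c2_1234"},        # matches '*' pattern: alert
    {"EventCode": 18, "Computer": "ws02", "Image": r"C:\Users\Public\updater.exe",
     "PipeName": r"\placeholder_beacon_ab"},  # matches '??' pattern: alert
    {"EventCode": 17, "Computer": "ws02", "Image": r"C:\Program Files\App\app.exe",
     "PipeName": r"\app_ipc_channel"},        # benign pipe: no alert
    {"EventCode": 1, "Computer": "ws02", "Image": r"C:\Temp\tool.exe",
     "CommandLine": "tool.exe -x"},           # not a pipe event: ignored
    {"EventCode": 18, "Computer": "ws03", "Image": r"C:\Temp\tool.exe",
     "PipeName": r"\EXAMPLE_C2_99"},          # case differs: still an alert
]

# Placeholder lookup table in wildcard form ('*' = any run, '?' = one character).
# These are constructed stand-ins; the rule's real lookup supplies actual names.
SUSPICIOUS_PIPE_PATTERNS = [r"\example_c2_*", r"\placeholder_beacon_??"]

# Legitimate processes excluded from analysis (assumption: full image path).
ALLOWLISTED_IMAGES = {r"c:\windows\system32\svchost.exe"}

def detect_suspicious_pipes(events, patterns=SUSPICIOUS_PIPE_PATTERNS,
                            allowlist=ALLOWLISTED_IMAGES):
    """Return one alert per pipe event whose name matches the lookup table."""
    # Wildcards become anchored regexes; pipe names are matched case-insensitively.
    compiled = [(p, re.compile(fnmatch.translate(p), re.IGNORECASE)) for p in patterns]
    alerts = []
    for ev in events:
        if int(ev.get("EventCode", 0)) not in (17, 18):
            continue  # only named pipe events are of interest
        if ev.get("Image", "").lower() in allowlist:
            continue  # known legitimate process filtered out
        pipe = ev.get("PipeName", "")
        for raw, rx in compiled:
            if rx.match(pipe):
                alerts.append({"host": ev.get("Computer"), "image": ev.get("Image"),
                               "pipe_name": pipe, "event_code": int(ev["EventCode"]),
                               "matched_pattern": raw})
                break  # one alert per event even if several patterns match
    return alerts

if __name__ == "__main__":
    for alert in detect_suspicious_pipes(SAMPLE_EVENTS):
        print(alert)
```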
Categories
- Endpoint
Data Sources
- Process
- Named Pipe
- Application Log
ATT&CK Techniques
- T1218
- T1559
- T1021.002
- T1055
Created: 2025-12-05