
PsExec Tool Execution From Suspicious Locations - PipeName

Sigma Rules

Summary
This detection rule identifies the execution of PsExec from suspicious locations by monitoring Named Pipe creation events in a Windows environment. It flags the PsExec service (PSEXESVC) when the image that creates or connects to its named pipe resides in a directory commonly abused by attackers: 'C:\Users\Public\', 'C:\Windows\Temp\', or a user profile's '\AppData\Local\Temp\', '\Desktop\' or '\Downloads\' folder. Legitimate PsExec use runs the service from its default location rather than from these directories, so a service binary in one of these paths suggests misuse.

The detection relies on Sysmon Named Pipe events, Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected). Sysmon only records these when its configuration includes a rule for Named Pipe events, so administrators must enable that logging or the rule will receive no data.

Legitimate use of PsExec from these locations is rare, so false positives should be limited, but the rule may still need tuning for a given environment. It helps organizations identify unauthorized use of PsExec, a tool attackers frequently abuse for lateral movement across a network.
Categories
  • Windows
  • Endpoint
Data Sources
  • Named Pipe
  • Process
Created: 2022-08-04