
Summary
This analytic rule identifies the named-pipe impersonation technique used for privilege escalation, a behaviour associated with attack frameworks such as Cobalt Strike. The rule looks for command lines in which `cmd.exe` runs `echo` with its output redirected to a named pipe, a pattern indicative of an attempt to escalate privileges on the host. Detection relies primarily on Endpoint Detection and Response (EDR) telemetry, which records detailed process information and command-line executions. Such activity is a strong signal of a potential insider threat or of malware attempting to gain higher privileges, which in turn enables further attacks or persistence within the environment.
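The check described above, applied to EDR process events, as an added example (this is not the rule's own query and does not come from the rule's author; the event field names `host`, `user`, `parent`, `process` and `command_line`, and the sample events themselves, are constructed here):

```python
"""Detect cmd.exe running echo with output redirected into a named pipe."""
import re
from typing import Dict, Iterable, List

# The behaviour the rule describes: cmd.exe executes echo and redirects its
# output to a named pipe under \\.\pipe\. The named group captures the pipe
# name so an analyst can pivot on it across hosts.
NAMED_PIPE_ECHO = re.compile(
    r"""cmd(?:\.exe)?["']?\s+/[ck]\s+["']?echo\b[^>]*>\s*\\\\\.\\pipe\\(?P<pipe>[^\s"']+)""",
    re.IGNORECASE,
)

# Constructed sample EDR events (field names are an assumption, not the
# schema of any particular product). Only the first one should alert.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "host": "ws01", "user": "CORP\\alice", "parent": "rundll32.exe",
        "process": "cmd.exe",
        "command_line": r"C:\Windows\System32\cmd.exe /c echo abcdefg > \\.\pipe\constructed_pipe_1",
    },
    {
        # Benign: echo redirected to a regular file, not a named pipe.
        "host": "ws02", "user": "CORP\\bob", "parent": "explorer.exe",
        "process": "cmd.exe",
        "command_line": r"cmd.exe /c echo build ok > C:\Temp\status.txt",
    },
    {
        # Benign: touches the pipe namespace but does not use echo/redirection.
        "host": "ws03", "user": "CORP\\carol", "parent": "explorer.exe",
        "process": "cmd.exe",
        "command_line": r"cmd.exe /c type \\.\pipe\constructed_pipe_2",
    },
]


def find_named_pipe_echo(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event whose command line matches the rule logic.

    Each alert carries the context an analyst needs for triage: the host,
    the user, the parent process and the pipe name that was written to.
    """
    alerts: List[Dict[str, str]] = []
    for ev in events:
        match = NAMED_PIPE_ECHO.search(ev.get("command_line", ""))
        if not match:
            continue
        alerts.append({
            "host": ev.get("host", ""),
            "user": ev.get("user", ""),
            "parent": ev.get("parent", ""),
            "pipe": match.group("pipe"),
            "command_line": ev["command_line"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_named_pipe_echo(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} {alert['user']} parent={alert['parent']} "
              f"pipe={alert['pipe']}")
```

The parent process is kept in the alert because it is the most useful tuning field: in a real deployment, build an allow-list of parents that legitimately spawn `cmd.exe` in this way before enabling the rule for alerting.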
Categories
- Endpoint
Data Sources
- Process
- Command
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1059
- T1059.003
- T1543.003
- T1543
- T1055
Created: 2024-12-10