
Summary
This detection rule identifies the creation of a default named pipe associated with the DiagTrackEoP proof of concept (PoC), which exploits the SeImpersonate privilege on Windows systems. The DiagTrackEoP tool is designed to escalate privileges, allowing malicious actors to gain higher-level access within a Windows environment. The detection relies on monitoring named pipe events through Sysmon, specifically Event IDs 17 (PipeCreated) and 18 (PipeConnected), which must be enabled in the Sysmon configuration for the rule to have any data to match. The rule triggers when a named pipe whose name contains the string 'thisispipe' is observed, indicating possible use of this PoC. Use an established Sysmon configuration template, or verify the logging setup, to ensure these events are actually being recorded.
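The matching logic described above, written out as an added example (not the rule's own code or the DiagTrackEoP project's): it applies the Event ID 17/18 filter and the 'thisispipe' substring check to constructed Sysmon-shaped event records. The event dicts, image paths and PIDs are made-up samples; the case-insensitive comparison is an assumption that mirrors how Sigma's `contains` modifier behaves.

```python
# Added example, not part of the original rule page. Sample events below are
# constructed to look like Sysmon EventData fields; they are not real logs.

SYSMON_PIPE_CREATED = 17    # Sysmon Event ID 17: PipeCreated
SYSMON_PIPE_CONNECTED = 18  # Sysmon Event ID 18: PipeConnected
INDICATOR = "thisispipe"    # default pipe-name marker named by the rule


def match_rule(event):
    """True when the event is a Sysmon pipe event whose PipeName contains the
    marker. Comparison is case-insensitive (assumed, as in Sigma 'contains')."""
    if event.get("EventID") not in (SYSMON_PIPE_CREATED, SYSMON_PIPE_CONNECTED):
        return False
    return INDICATOR in event.get("PipeName", "").lower()


def detect(events):
    """Return one alert dict per matching event, keeping the fields a responder
    would pivot on: event type, pipe name, creating/connecting image and PID."""
    alerts = []
    for ev in events:
        if match_rule(ev):
            alerts.append({
                "event_id": ev["EventID"],
                "pipe": ev["PipeName"],
                "image": ev.get("Image", "<unknown>"),
                "pid": ev.get("ProcessId"),
            })
    return alerts


# Constructed samples: two benign pipes, one event of the wrong type, and two
# pipe events (create + connect) that carry the marker in differing case.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": "\\lsass", "Image": "C:\\Windows\\System32\\lsass.exe", "ProcessId": 700},
    {"EventID": 17, "PipeName": "\\thisispipe_1", "Image": "C:\\Users\\u\\poc.exe", "ProcessId": 4321},
    {"EventID": 1, "PipeName": "\\thisispipe_1", "Image": "C:\\Users\\u\\poc.exe", "ProcessId": 4321},
    {"EventID": 18, "PipeName": "\\ThisIsPipe_1", "Image": "C:\\placeholder\\client.exe", "ProcessId": 1234},
    {"EventID": 18, "PipeName": "\\srvsvc", "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1234},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT EventID={a['event_id']} pipe={a['pipe']} image={a['image']} pid={a['pid']}")
```

If Event IDs 17 and 18 are filtered out of the Sysmon configuration, `detect` sees nothing to match, which is the logging gap the summary warns about.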
Categories
- Windows
- Endpoint
Data Sources
- Named Pipe
- Windows Registry
- Process
Created: 2022-08-03