New PowerShell Instance Created

Sigma Rules

Summary
This detection rule identifies the execution of PowerShell through the creation of named pipes whose names begin with 'PSHost'. Attackers often use this technique to run PowerShell commands stealthily, which makes such instances worth monitoring. The rule relies on events generated by Sysmon, specifically Event ID 17 (pipe created) and Event ID 18 (pipe connected), which record named pipe activity. To implement this rule, users must ensure that Sysmon is configured to log named pipe events. The rule uses a single condition, matching any named pipe with the specified prefix, as an indicator of potential malicious PowerShell execution. Because PowerShell is widely used for both legitimate administration and malicious activity, monitoring its invocation via named pipes can help detect and respond to unauthorized activity. The rule's false-positive level is rated as likely, meaning it may trigger on legitimate uses under certain conditions.
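As an added illustration (not the rule's own code, nor code from the Sigma project), the following Python applies the rule's single condition to a few constructed Sysmon pipe events. The leading backslash in Sysmon's PipeName field, the sample values, and the `allowlisted_images` tuning parameter for handling the rule's expected false positives are assumptions made here.

```python
# Constructed Sysmon named-pipe events (Event ID 17 = Pipe Created, 18 = Pipe Connected),
# reduced to the fields the rule needs. Values are illustrative, not captured logs.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PipeName": r"\PSHost.133123456789012345.4321.DefaultAppDomain.powershell"},
    {"EventID": 18, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PipeName": r"\PSHost.133123456789012345.4321.DefaultAppDomain.powershell"},
    {"EventID": 17, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "PipeName": r"\PSHost.133123456789099999.8765.DefaultAppDomain.updater"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\srvsvc"},
    # Process-creation event with a look-alike name: not a pipe event, so it must not match.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "PipeName": r"\PSHost.shouldnotmatch"},
]

PIPE_EVENT_IDS = {17, 18}


def is_pshost_pipe(pipe_name: str) -> bool:
    """Sigma-style `PipeName|startswith: '\\PSHost'` check.

    Assumes Sysmon records the name with a leading backslash; the comparison is
    case-insensitive because Windows named pipe names are.
    """
    return pipe_name.lstrip("\\").lower().startswith("pshost")


def detect(events, allowlisted_images=()):
    """Yield events that satisfy the rule.

    `allowlisted_images` is an assumed tuning hook, not part of the page's rule:
    known-good PowerShell host binaries can be suppressed to reduce false positives.
    """
    allow = {img.lower() for img in allowlisted_images}
    for ev in events:
        if ev.get("EventID") not in PIPE_EVENT_IDS:
            continue
        if not is_pshost_pipe(ev.get("PipeName", "")):
            continue
        if ev.get("Image", "").lower() in allow:
            continue
        yield ev


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"EventID {hit['EventID']}: {hit['Image']} -> {hit['PipeName']}")
```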
Categories
  • Endpoint
  • Windows
Data Sources
  • Named Pipe
  • Windows Registry
  • Process
Created: 2019-09-12