First Time Seen Remote Named Pipe

Sigma Rules

Summary
This detection rule identifies remote named pipes that have not been seen before, excluding a list of known named pipes that are commonly accessed remotely. It keys on Windows Security EventID 5145 (detailed file share access) for events involving the IPC$ share, which makes it useful for spotting lateral movement or unauthorized remote execution on Windows systems. For the rule to fire, the audit policy 'Object Access > Audit Detailed File Share' must be enabled so that EventID 5145 is logged at all. The rule's exclusion list of known named pipes exists to suppress the false positives these pipes would otherwise produce. The intent is to keep alert volume low while still surfacing unusual pipe access for further investigation.
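The logic described above, as an added example that is not the rule's own code: a small Python detector that consumes EventID 5145 records, keeps only IPC$ share accesses, drops pipes on an allowlist, and alerts the first time a pipe name appears. The allowlist and the sample events are constructed for illustration; the page does not enumerate the rule's actual exclusion list.

```python
# Added example (not the Sigma rule's code): "first time seen" remote named
# pipe detection over Security EventID 5145, mirroring the rule's filters.

# Allowlist of pipes commonly accessed remotely. ASSUMED for illustration;
# the rule's real exclusion list is not reproduced on the page.
KNOWN_PIPES = {"\\srvsvc", "\\lsarpc", "\\samr", "\\netlogon", "\\wkssvc", "\\spoolss"}

# Constructed sample events carrying only the fields the detector needs.
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "\\srvsvc", "IpAddress": "10.0.0.5"},
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "\\psexesvc", "IpAddress": "10.0.0.5"},
    {"EventID": 5140, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "", "IpAddress": "10.0.0.7"},
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\x.txt", "IpAddress": "10.0.0.7"},
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "\\PSEXESVC", "IpAddress": "10.0.0.9"},
]


class FirstSeenPipeDetector:
    """Alerts once per never-before-seen remote pipe accessed via IPC$."""

    def __init__(self, known_pipes):
        # Comparisons are case-insensitive: pipe names are not case-sensitive.
        self.known = {p.lower() for p in known_pipes}
        self.seen = set()

    def process(self, event):
        """Return an alert dict for a new remote pipe, or None."""
        if event.get("EventID") != 5145:          # only detailed share access events
            return None
        share = event.get("ShareName", "").lower()
        if not share.endswith("\\ipc$"):           # named pipes are reached via IPC$
            return None
        pipe = event.get("RelativeTargetName", "").lower()
        if not pipe or pipe in self.known or pipe in self.seen:
            return None                            # allowlisted or already reported
        self.seen.add(pipe)
        return {"pipe": pipe, "source": event.get("IpAddress")}


def run(events, known_pipes=KNOWN_PIPES):
    """Run the detector over an event stream and return the alerts raised."""
    detector = FirstSeenPipeDetector(known_pipes)
    return [a for a in (detector.process(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"first seen remote pipe {alert['pipe']} from {alert['source']}")
```

Only the first access to `\psexesvc` is reported; the srvsvc access is allowlisted, the 5140 and C$ records are outside the rule's scope, and the later upper-cased repeat is suppressed as already seen.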
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Named Pipe
Created: 2019-04-03