
Named Pipe Created Via Mkfifo

Sigma Rules

Summary
This detection rule identifies the creation of named pipes on Linux hosts via the `mkfifo` command. Named pipes (FIFOs) are an interprocess communication mechanism that attackers can abuse for various malicious purposes, including privilege escalation and establishing backdoors. The rule matches any process creation event whose image path ends with `/mkfifo`, indicating that a named pipe has been created. Because named pipes are used to connect processes in both benign and malicious contexts, monitoring their creation is important for surfacing potentially unauthorized or illegitimate activity on a system. The rule has a low severity level and is intended to be used in conjunction with other security measures to enhance detection coverage. As the rule is still in test status, organizations should monitor its effectiveness in their environments and adjust their security protocols accordingly.
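The matching logic the summary describes, applied to a few constructed Linux `process_creation` events, as an added example that is not the published rule's own text. The rule dictionary is a reconstruction from the summary, the field names follow the Sigma `process_creation` convention, and the sample events and paths are assumptions.

```python
"""Evaluate an 'Image endswith /mkfifo' selection over sample process events.

Added example, not the published Sigma rule. Field names (Image, CommandLine,
ParentImage, User) follow the Sigma process_creation convention; the events
below are constructed for illustration.
"""
from typing import Dict, List

# Reconstruction of the detection logic stated in the summary: any process
# creation whose Image (executable path) ends with "/mkfifo".
RULE = {
    "title": "Named Pipe Created Via Mkfifo",
    "logsource": {"product": "linux", "category": "process_creation"},
    "detection": {"selection": {"Image|endswith": "/mkfifo"}, "condition": "selection"},
    "level": "low",
    "status": "test",
}


def matches_selection(event: Dict[str, str], selection: Dict[str, str]) -> bool:
    """Return True when every field/modifier pair in the selection holds.

    Sigma string comparisons are case-insensitive by default, so both sides
    are lower-cased before the check.
    """
    for field_mod, expected in selection.items():
        field, _, modifier = field_mod.partition("|")
        value = event.get(field)
        if value is None:
            return False
        value, expected = value.lower(), expected.lower()
        if modifier == "endswith":
            if not value.endswith(expected):
                return False
        elif modifier == "":
            if value != expected:
                return False
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
    return True


def evaluate(events: List[Dict[str, str]], rule: Dict = RULE) -> List[Dict[str, str]]:
    """Return the events that satisfy the rule's single selection."""
    return [e for e in events if matches_selection(e, rule["detection"]["selection"])]


# Constructed sample events: two real mkfifo executions (one from an
# interactive shell, one from cron), one unrelated binary, and one binary
# whose name merely contains "mkfifo" and must not match.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /tmp/f", "ParentImage": "/bin/bash", "User": "www-data"},
    {"Image": "/usr/bin/mkdir", "CommandLine": "mkdir -p /var/tmp/x", "ParentImage": "/bin/bash", "User": "root"},
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /run/app/queue", "ParentImage": "/usr/sbin/cron", "User": "app"},
    {"Image": "/opt/tools/mkfifo-check", "CommandLine": "mkfifo-check", "ParentImage": "/bin/sh", "User": "ops"},
]
```

The cron-spawned hit illustrates why the rule carries a low level: the parent process and user fields are what an analyst uses to separate routine FIFO creation from suspicious activity.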
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
Created: 2023-06-16