
HackTool - Koh Default Named Pipe

Sigma Rules

Summary
This rule detects the creation of named pipes that use the default names associated with Koh, a known hack tool used for various forms of attack including privilege escalation and credential theft. The detection relies on Sysmon logs, specifically the events related to named pipes. The selection criteria require that the monitored pipe name contain either '\imposecost' or '\imposingcost', which are indicative of how the Koh tool operates. Sysmon must be configured to capture these events, including ensuring that Event ID 17 (named pipe created) and Event ID 18 (named pipe deleted) are logged. The reference links provide further guidance on setting up and testing this detection.
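The following is an added worked example, not code from the rule page or from the Sigma project, showing how the selection logic described above is applied to pipe events. It assumes records arrive as a pair of (event ID, message text) where the message text imitates the "Key: Value" rendering Sysmon uses for its pipe events; the sample records are constructed and are not real telemetry. Matching is case-insensitive, which is how the Sigma `contains` modifier behaves, and only Event ID 17 (pipe created) records are flagged because the rule concerns pipe creation.

```python
# Added example: apply the Koh default named-pipe selection from the rule
# summary over constructed Sysmon-style pipe events. Not the page's own code.

# Indicators named in the rule summary. Sigma's 'contains' is case-insensitive,
# so the pipe name is lowercased before comparison.
KOH_PIPE_INDICATORS = ("\\imposecost", "\\imposingcost")

# Sigma's pipe_created log source corresponds to Sysmon Event ID 17.
PIPE_CREATED = 17

# Constructed sample records (not real telemetry). Each record is
# (EventID, message text). The EventID is carried separately because in a
# real event it lives in the header, not in the message body.
SAMPLE_RECORDS = [
    (17, "Pipe Created:\nRuleName: -\nEventType: CreatePipe\n"
         "UtcTime: 2022-07-08 10:00:00.000\nProcessId: 4242\n"
         "PipeName: \\imposecost\nImage: C:\\Users\\alice\\Desktop\\tool.exe\n"
         "User: CORP\\alice"),
    (17, "Pipe Created:\nRuleName: -\nEventType: CreatePipe\n"
         "UtcTime: 2022-07-08 10:00:01.000\nProcessId: 1000\n"
         "PipeName: \\mojo.1000.1.1234\nImage: C:\\Program Files\\Browser\\browser.exe\n"
         "User: CORP\\alice"),
    (17, "Pipe Created:\nRuleName: -\nEventType: CreatePipe\n"
         "UtcTime: 2022-07-08 10:00:02.000\nProcessId: 5151\n"
         "PipeName: \\IMPOSINGCOST\nImage: C:\\Windows\\Temp\\svc.exe\n"
         "User: CORP\\bob"),
    (18, "Pipe Connected:\nRuleName: -\nEventType: ConnectPipe\n"
         "UtcTime: 2022-07-08 10:00:03.000\nProcessId: 4343\n"
         "PipeName: \\imposecost\nImage: C:\\Users\\alice\\Desktop\\client.exe\n"
         "User: CORP\\alice"),
    (17, "Pipe Created:\nRuleName: -\nEventType: CreatePipe\n"
         "UtcTime: 2022-07-08 10:00:04.000\nProcessId: 700\n"
         "PipeName: \\lsass\nImage: C:\\Windows\\System32\\lsass.exe\n"
         "User: NT AUTHORITY\\SYSTEM"),
]


def parse_sysmon_message(message):
    """Turn the 'Key: Value' lines of a Sysmon message body into a dict.

    The first line is the event title (for example 'Pipe Created:') and is
    skipped. Only the first ': ' on each line separates key from value, so
    Windows paths containing 'C:\\' are preserved intact.
    """
    fields = {}
    for line in message.splitlines()[1:]:
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def matches_koh_pipe(event_id, fields):
    """Return True when a pipe-created event carries a Koh default pipe name."""
    if event_id != PIPE_CREATED:
        return False
    pipe_name = fields.get("PipeName", "").lower()
    return any(indicator in pipe_name for indicator in KOH_PIPE_INDICATORS)


def detect_koh_pipes(records):
    """Run the selection over (EventID, message) records and return the hits
    with the fields an analyst would want to pivot on."""
    hits = []
    for event_id, message in records:
        fields = parse_sysmon_message(message)
        if matches_koh_pipe(event_id, fields):
            hits.append({
                "EventID": event_id,
                "UtcTime": fields.get("UtcTime"),
                "PipeName": fields.get("PipeName"),
                "Image": fields.get("Image"),
                "ProcessId": fields.get("ProcessId"),
                "User": fields.get("User"),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_koh_pipes(SAMPLE_RECORDS):
        print(f"[Koh named pipe] {hit['UtcTime']} pid={hit['ProcessId']} "
              f"pipe={hit['PipeName']} image={hit['Image']} user={hit['User']}")
```

Run against the constructed records, the matcher flags the two Event ID 17 records whose pipe names contain the indicators (one in upper case, to show the case-insensitive match) and ignores the unrelated browser and lsass pipes. The Event ID 18 record for the same pipe name is not flagged, since the rule describes pipe creation; it is still worth collecting, as the rule summary notes, because it ties a connecting process to the pipe the creator opened.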
Categories
  • Endpoint
  • Windows
Data Sources
  • Named Pipe
  • Windows Registry
Created: 2022-07-08