
CobaltStrike Named Pipe

Sigma Rules

Summary
This detection rule identifies the creation of named pipes whose names match defaults used by Cobalt Strike, a commercial adversary-simulation framework that threat actors widely abuse for post-exploitation. The rule lists named-pipe prefixes that Cobalt Strike uses by default for its payloads and post-exploitation jobs, such as '\MSSE-' and '\postex_', among others; a pipe name matching any one of the listed prefixes is enough to trigger the rule. The logic relies on Sysmon named-pipe telemetry, so Sysmon must be configured to log Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected); without those events the rule has no data to match on. Because operators can rename these pipes through a Malleable C2 profile, a hit is a high-confidence indicator, but the absence of a hit does not mean Cobalt Strike is absent. Security practitioners can use the provided links to configure Sysmon and to test the detection with Cobalt Strike or with scripts that create named pipes using these names.
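The following is an added example, not code from the original page or from the Sigma project, showing the rule's matching logic applied to Sysmon pipe events. It parses Event ID 17/18 records in Windows event XML, matches the pipe name case-insensitively against the prefixes quoted on this page (the full rule carries a longer list), and ignores other event types. The sample events are constructed for the example; the pipe names, images and process IDs in them are illustrative, not captured telemetry.

```python
"""Match Sysmon named-pipe events against Cobalt Strike default pipe prefixes."""
import xml.etree.ElementTree as ET

# Prefixes quoted on this page. The full Sigma rule lists more; extend here.
PIPE_PREFIXES = ("\\MSSE-", "\\postex_")

# Sysmon event IDs the rule depends on: 17 = Pipe Created, 18 = Pipe Connected.
PIPE_EVENT_IDS = {17, 18}

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event from Windows event XML into a dict."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id, **data}


def matches_rule(event, prefixes=PIPE_PREFIXES):
    """True when the event is a pipe event and the pipe name starts with a listed prefix.

    Sigma string matching is case-insensitive by default, so compare lowercased.
    """
    if event.get("EventID") not in PIPE_EVENT_IDS:
        return False
    pipe = event.get("PipeName", "").lower()
    return any(pipe.startswith(p.lower()) for p in prefixes)


def scan(events_xml, prefixes=PIPE_PREFIXES):
    """Return (EventID, Image, PipeName) for every event that fires the rule."""
    hits = []
    for xml_text in events_xml:
        ev = parse_sysmon_event(xml_text)
        if matches_rule(ev, prefixes):
            hits.append((ev["EventID"], ev.get("Image", ""), ev["PipeName"]))
    return hits


def _sysmon_xml(event_id, **fields):
    """Build a minimal Sysmon event in Windows event XML (constructed sample data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')


# Constructed sample events: two should fire, two should not.
SAMPLE_EVENTS = [
    _sysmon_xml(17, EventType="CreatePipe", ProcessId="4412",
                PipeName=r"\MSSE-4412-server", Image=r"C:\Windows\System32\rundll32.exe"),
    _sysmon_xml(18, EventType="ConnectPipe", ProcessId="5120",
                PipeName=r"\postex_1a2b", Image=r"C:\Windows\System32\rundll32.exe"),
    _sysmon_xml(17, EventType="CreatePipe", ProcessId="712",
                PipeName=r"\lsass", Image=r"C:\Windows\System32\lsass.exe"),
    # Process-create event (ID 1) with no PipeName: not a pipe event, never matches.
    _sysmon_xml(1, ProcessId="9000", Image=r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for event_id, image, pipe in scan(SAMPLE_EVENTS):
        print(f"ALERT EventID={event_id} Image={image} PipeName={pipe}")
```

Run it as a script to see the two alerts. To confirm the prerequisite the summary describes, check that your Sysmon configuration actually emits Event ID 17 and 18 for the pipe names in question; a PipeCreate/PipeEvent section that excludes them silently blinds this rule.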
Categories
  • Endpoint
  • Windows
Data Sources
  • Named Pipe
Created: 2021-05-25