Active Directory Forced Authentication from Linux Host - SMB Named Pipes

Elastic Detection Rules

Summary
This detection rule identifies potential forced-authentication (authentication coercion) attempts in which a Linux host connects to a Windows system over SMB and then opens one of the named pipes that coercion tooling abuses. An attacker who can make a Windows host, typically a domain controller, authenticate to a machine they control can capture the resulting NTLM hash or relay the authentication to another service.

The detection is a two-stage EQL (Event Query Language) sequence. The first stage is an outbound network connection attempt from a Linux host to TCP port 445, taken from Elastic Endpoint network events. The second stage is a Windows Security file-share audit event in which the same client address opens a named pipe over the IPC$ share; pipe names such as 'Spoolss' and 'lsass' are treated as suspicious because they are the RPC endpoints used by coercion tools such as PrinterBug (spoolss) and PetitPotam (lsass and the other EFSRPC endpoints). The two stages are joined on the client address within a short time window, so an isolated SMB connection or an isolated pipe open does not fire the rule.

The rule therefore needs both data sources: Elastic Endpoint network events from the Linux hosts and Windows Security logs from the targets. Named-pipe opens over IPC$ are only recorded when the 'Audit Detailed File Share' subcategory (Security event ID 5145) is enabled on the Windows hosts; it is disabled by default, so the rule produces no alerts until that auditing is configured.
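To make the two-stage correlation concrete, the following Python model reproduces the sequence logic over a handful of constructed events. It is an added example and not Elastic's rule query (the real rule is written in EQL); the event field names follow ECS only loosely, the pipe list, the 15-second window, the join on client address and the sample IP addresses are all assumptions made for the example.

```python
"""Added example: stand-alone model of the rule's two-stage sequence.

This is NOT the Elastic rule's own EQL query. Field names follow ECS loosely
(exact mappings depend on the integration), and the pipe list, the window and
the addresses below are assumptions chosen for the example.
"""
from datetime import datetime, timezone

# Named pipes abused by coercion tooling: spoolss by PrinterBug, the rest by
# PetitPotam-style EFSRPC coercion. The page names Spoolss and lsass; the
# remaining entries are this example's own extension.
COERCION_PIPES = {"spoolss", "lsass", "lsarpc", "efsrpc", "netlogon", "samr"}
DEFAULT_MAXSPAN_SECONDS = 15  # assumed sequence window, not the rule's value


def ts(s):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def is_linux_smb_connect(ev):
    """Stage 1: outbound SMB connection attempt recorded on a Linux endpoint."""
    return (ev.get("host.os.type") == "linux"
            and ev.get("event.category") == "network"
            and ev.get("event.action") == "connection_attempted"
            and ev.get("destination.port") == 445
            and ev.get("destination.ip") != ev.get("host.ip"))  # ignore self-connects


def is_windows_pipe_access(ev):
    """Stage 2: Security event 5145 for a coercion pipe opened over the IPC$ share."""
    return (ev.get("host.os.type") == "windows"
            and ev.get("event.code") == "5145"
            and ev.get("share.name", "").upper().endswith("IPC$")
            and ev.get("file.name", "").lower() in COERCION_PIPES)


def detect_forced_auth(events, maxspan_seconds=DEFAULT_MAXSPAN_SECONDS):
    """Return (linux_event, windows_event) pairs in which a Linux host opened a
    connection to TCP/445 and, within maxspan_seconds, a Windows host logged that
    same client address (Linux host.ip == Windows source.ip) opening a coercion pipe.
    A stage-1 event is consumed by the first stage-2 event it pairs with."""
    events = sorted(events, key=lambda e: e["@timestamp"])
    pending = {}  # client address -> most recent unmatched stage-1 event
    hits = []
    for ev in events:
        if is_linux_smb_connect(ev):
            pending[ev["host.ip"]] = ev
        elif is_windows_pipe_access(ev):
            first = pending.get(ev.get("source.ip"))
            if first is None:
                continue
            delta = (ev["@timestamp"] - first["@timestamp"]).total_seconds()
            if 0 <= delta <= maxspan_seconds:
                hits.append((first, ev))
                del pending[ev["source.ip"]]
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Linux host 10.0.0.5 connects to the domain controller 10.0.0.10 on 445.
    {"@timestamp": ts("2024-07-23T10:00:00"), "host.os.type": "linux",
     "event.category": "network", "event.action": "connection_attempted",
     "host.ip": "10.0.0.5", "destination.ip": "10.0.0.10", "destination.port": 445},
    # 2. Three seconds later the DC logs that client opening spoolss over IPC$ -> alert.
    {"@timestamp": ts("2024-07-23T10:00:03"), "host.os.type": "windows",
     "event.code": "5145", "source.ip": "10.0.0.5",
     "share.name": "\\\\*\\IPC$", "file.name": "spoolss"},
    # 3. Same client opens srvsvc (share enumeration): not a coercion pipe -> no alert.
    {"@timestamp": ts("2024-07-23T10:00:05"), "host.os.type": "windows",
     "event.code": "5145", "source.ip": "10.0.0.5",
     "share.name": "\\\\*\\IPC$", "file.name": "srvsvc"},
    # 4. A Windows client opens lsarpc with no Linux stage-1 event -> no alert.
    {"@timestamp": ts("2024-07-23T10:00:06"), "host.os.type": "windows",
     "event.code": "5145", "source.ip": "10.0.0.20",
     "share.name": "\\\\*\\IPC$", "file.name": "lsarpc"},
    # 5/6. Linux connect followed by an efsrpc open two minutes later: outside the window.
    {"@timestamp": ts("2024-07-23T10:10:00"), "host.os.type": "linux",
     "event.category": "network", "event.action": "connection_attempted",
     "host.ip": "10.0.0.6", "destination.ip": "10.0.0.10", "destination.port": 445},
    {"@timestamp": ts("2024-07-23T10:12:00"), "host.os.type": "windows",
     "event.code": "5145", "source.ip": "10.0.0.6",
     "share.name": "\\\\*\\IPC$", "file.name": "efsrpc"},
]

if __name__ == "__main__":
    for linux_ev, win_ev in detect_forced_auth(SAMPLE_EVENTS):
        print(f"forced-auth candidate: {linux_ev['host.ip']} -> "
              f"{linux_ev['destination.ip']}:445, pipe {win_ev['file.name']}")
```

Running the model over the sample yields one candidate (the spoolss pair); widening the window to several minutes also pairs the efsrpc open, which shows why the window length is the main tuning knob for this rule. A production query should additionally exclude known scanners and print or backup servers that legitimately touch these pipes from Linux.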
Categories
  • Endpoint
  • Windows
  • Linux
  • Network
Data Sources
  • Network Traffic
  • File
  • Logon Session
  • Process
  • Active Directory
ATT&CK Techniques
  • T1187
Created: 2024-07-23