
Summary
This detection rule identifies the creation of named pipes that are typically associated with known Advanced Persistent Threat (APT) actors or malicious software. It relies on Sysmon telemetry, monitoring event IDs 17 and 18 to track named-pipe activity in the Windows environment. Named pipes are a standard mechanism for inter-process communication, and malicious actors abuse them for data exfiltration and command and control (C2). The rule carries a list of named pipes commonly seen in attacks and flags their creation as a critical security incident. For the detection to work, Sysmon must be configured to log named-pipe events, and the rule should be tested against known benign operations and legitimate use cases to confirm it does not fire on them. The rule is particularly valuable because named pipes created by unauthorized entities are often an early sign of an intrusion.
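The following is an added example, not code from the rule or its maintainers, showing how the logic described above can be applied to raw Sysmon events: it parses the Sysmon event XML, keeps only pipe events (ID 17, PipeCreated, and ID 18, PipeConnected), and matches the PipeName field against a watchlist. The pipe names, image paths and process IDs are constructed placeholders; a real deployment uses the rule's own list.

```python
import xml.etree.ElementTree as ET

# Sysmon event IDs for named-pipe activity, as the rule summary describes.
PIPE_EVENT_IDS = {17: "PipeCreated", 18: "PipeConnected"}
# Watchlist of pipe names: constructed placeholders for this example, not the
# rule's own list. A real deployment takes the names from the detection rule.
WATCHLIST = {r"\placeholder_apt_pipe", r"\placeholder_c2_pipe"}
# Sysmon writes events in the Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into {'EventID': int, 'PipeName': str, ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event

def match_named_pipe(event, watchlist=WATCHLIST):
    """Apply the rule: a pipe event (17 or 18) whose PipeName is on the watchlist (case-insensitive)."""
    if event.get("EventID") not in PIPE_EVENT_IDS:
        return None
    name = event.get("PipeName", "")
    if name.lower() not in {w.lower() for w in watchlist}:
        return None
    return {"event": PIPE_EVENT_IDS[event["EventID"]], "pipe": name,
            "image": event.get("Image", ""), "pid": event.get("ProcessId", "")}

def scan(xml_events, watchlist=WATCHLIST):
    """Run the rule over raw Sysmon XML events and return the alerts."""
    hits = (match_named_pipe(parse_sysmon_event(x), watchlist) for x in xml_events)
    return [h for h in hits if h]

def _event(event_id, pipe, image, pid):
    """Build a constructed Sysmon event in Sysmon's XML layout (not a real capture)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID></System><EventData>"
            f'<Data Name="ProcessId">{pid}</Data><Data Name="PipeName">{pipe}</Data>'
            f'<Data Name="Image">{image}</Data></EventData></Event>')

SAMPLE_EVENTS = [
    _event(17, r"\placeholder_benign_pipe", r"C:\Windows\System32\svchost.exe", 812),
    _event(17, r"\PLACEHOLDER_APT_PIPE", r"C:\Users\Public\x.exe", 4412),  # case differs
    _event(18, r"\placeholder_c2_pipe", r"C:\Windows\System32\cmd.exe", 5120),
    _event(1, r"\placeholder_apt_pipe", r"C:\Windows\System32\cmd.exe", 700),  # not a pipe event
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the two pipe events whose names are on the watchlist produce alerts; the benign pipe and the non-pipe event (ID 1) are ignored, which is the behaviour to verify against legitimate activity before deploying the rule.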
Categories
- Endpoint
- Windows
- Infrastructure
Data Sources
- Named Pipe
- Windows Registry
- Process
- Logon Session
Created: 2017-11-06