Cobalt Strike Named Pipes

Splunk Security Content

Summary
This detection rule identifies the use of named pipes known to be associated with Cobalt Strike by leveraging Sysmon Event IDs 17 (pipe created) and 18 (pipe connected). Cobalt Strike is frequently used by adversaries in post-exploitation, so early detection is crucial to containing a breach. The rule searches for specific named pipe names that are typically used in Cobalt Strike operations. By monitoring these events, security teams can potentially detect commands sent to a Cobalt Strike beacon and respond to unauthorized access and data exfiltration attempts. The rule includes provisions for filtering out likely false positives by examining the context in which the named pipes are used (for example, the process that created or connected to the pipe), allowing for a more precise incident response.
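The matching the summary describes, as an added example that is not part of the Splunk rule or this page: constructed Sysmon Event ID 17/18 records are checked against a list of Cobalt Strike's well-known default pipe-name patterns (an assumed list, not taken from the page), and a context allowlist of (process image, pipe pattern) pairs suppresses known-benign hits.

```python
import fnmatch

# Well-known default pipe-name patterns Cobalt Strike has used historically.
# Assumed list for this example; the page itself does not enumerate them.
KNOWN_CS_PIPE_PATTERNS = [
    r"\msagent_*", r"\MSSE-*-server", r"\postex_*", r"\status_*",
    r"\DserNamePipe*", r"\srvsvc_*", r"\spoolss_*", r"\win_svc*",
]

PIPE_CREATED, PIPE_CONNECTED = 17, 18  # Sysmon event IDs the rule keys on

# Constructed sample Sysmon records (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": r"\msagent_3b", "Image": r"C:\Windows\System32\rundll32.exe", "ProcessId": 4120},
    {"EventID": 18, "PipeName": r"\msagent_3b", "Image": r"C:\Windows\System32\rundll32.exe", "ProcessId": 4120},
    {"EventID": 17, "PipeName": r"\srvsvc_1a", "Image": r"C:\Program Files\ExampleAgent\agent.exe", "ProcessId": 880},
    {"EventID": 17, "PipeName": r"\lsass", "Image": r"C:\Windows\System32\lsass.exe", "ProcessId": 700},
    {"EventID": 1, "PipeName": "", "Image": r"C:\Windows\System32\cmd.exe", "ProcessId": 5000},
]

# Constructed allowlist: (image path, pipe pattern) pairs known to be benign in
# this environment; used to filter false positives by context, as the rule allows.
ALLOWLIST = [(r"C:\Program Files\ExampleAgent\agent.exe", r"\srvsvc_*")]


def matches_known_pipe(pipe_name):
    """Return the first known pattern matching pipe_name (case-insensitive), else None."""
    for pattern in KNOWN_CS_PIPE_PATTERNS:
        if fnmatch.fnmatchcase(pipe_name.lower(), pattern.lower()):
            return pattern
    return None


def is_allowlisted(image, pipe_name, allowlist):
    """True when the creating/connecting image plus pipe pattern is on the allowlist."""
    return any(image.lower() == img.lower() and fnmatch.fnmatchcase(pipe_name.lower(), pat.lower())
               for img, pat in allowlist)


def detect_cobalt_strike_pipes(events, allowlist=()):
    """Return one alert per (ProcessId, PipeName) whose pipe hits a known pattern."""
    alerts = {}
    for ev in events:
        if ev.get("EventID") not in (PIPE_CREATED, PIPE_CONNECTED):
            continue  # only pipe-created / pipe-connected events are relevant
        pipe, image = ev.get("PipeName", ""), ev.get("Image", "")
        pattern = matches_known_pipe(pipe)
        if pattern is None or is_allowlisted(image, pipe, allowlist):
            continue
        key = (ev.get("ProcessId"), pipe)
        alert = alerts.setdefault(key, {"image": image, "pattern": pattern, "event_ids": set()})
        alert["event_ids"].add(ev["EventID"])  # 17 and 18 for the same pipe collapse into one alert
    return alerts
```

Running `detect_cobalt_strike_pipes(SAMPLE_EVENTS, ALLOWLIST)` yields a single alert for the rundll32 process on `\msagent_3b` carrying both event IDs; without the allowlist the agent.exe `\srvsvc_1a` pipe is reported too.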
Categories
  • Endpoint
Data Sources
  • Logon Session
  • Process
ATT&CK Techniques
  • T1218
  • T1055
Created: 2024-11-13