Summary
This detection rule identifies potential NTLM relay attacks targeting a computer account in a Windows environment. It detects authentication events that may follow a coercion attempt over named pipes, a pattern suggesting that an attacker is relaying the server's computer account hash in order to act on behalf of the compromised system. The rule uses EQL to analyze logs for these suspicious sequences, with a lookback window of nine months. It relies on security logs to spot unusual authentication patterns and hostname discrepancies that could indicate exploitation. The rule also includes investigation steps, false positive analysis, and remediation strategies for handling identified incidents. It strengthens security by monitoring potentially malicious behavior linked to credential access, drawing on multiple data sources such as system security logs and Active Directory logs.
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Application Log
- Logon Session
ATT&CK Techniques
- T1187
- T1557
- T1557.001
Created: 2025-06-18