
Summary
This detection rule identifies named pipes created or connected by scrcons.exe, the WMI script event consumer host (normally %SystemRoot%\System32\wbem\scrcons.exe). Named pipes are a common inter-process communication mechanism, but scrcons.exe is not expected to create them in normal operation; when it does, the likely cause is a payload launched through a WMI ActiveScriptEventConsumer subscription, a persistence and post-exploitation technique associated with tooling such as Cobalt Strike, whose beacons and post-exploitation jobs communicate over named pipes. The rule relies on Sysmon's named pipe telemetry, Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected). Sysmon does not emit these events unless its configuration contains a PipeEvent filter, so verify that named pipe logging is enabled before deploying the rule; published Sysmon configuration templates are a reasonable starting point.
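The rule logic and its coverage caveat as runnable code, added here as an illustration; it is not the rule's own implementation. The Sysmon event XML and the two Sysmon configuration fragments below are constructed for the example (the pipe name mimics the style of Cobalt Strike default pipe names but is not captured telemetry), and the function names are this example's own.

```python
"""Added example: the scrcons.exe named pipe detection as runnable logic.

Not the rule's own code. Sample Sysmon events and configs are constructed
here to illustrate the rule and its coverage caveat; they are not real data.
"""
import xml.etree.ElementTree as ET

# Windows event XML namespace used by Sysmon's Operational log
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PIPE_EVENT_IDS = {17, 18}              # 17 = Pipe Created, 18 = Pipe Connected
TARGET_IMAGE_SUFFIX = "\\scrcons.exe"  # WMI script event consumer host


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict: EventID plus every EventData field."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id, **fields}


def matches_scrcons_pipe_rule(event):
    """Rule logic: a pipe event (17/18) whose Image ends with \\scrcons.exe.

    Sigma string matching is case-insensitive, so the comparison is lower-cased.
    """
    if event.get("EventID") not in PIPE_EVENT_IDS:
        return False
    return event.get("Image", "").lower().endswith(TARGET_IMAGE_SUFFIX)


def run_detection(xml_events):
    """Return (EventID, Image, PipeName) for every event that triggers the rule."""
    hits = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        if matches_scrcons_pipe_rule(ev):
            hits.append((ev["EventID"], ev["Image"], ev.get("PipeName", "")))
    return hits


def sysmon_pipe_event_coverage(config_xml):
    """Coverage caveat: Sysmon only emits 17/18 when the config has a PipeEvent filter.

    onmatch="exclude" logs every pipe event not listed (an empty exclude logs all);
    onmatch="include" logs only listed matches, so an empty include logs nothing.
    """
    root = ET.fromstring(config_xml)
    coverage = "none"
    for rule in root.iter("PipeEvent"):
        onmatch = (rule.get("onmatch") or "").lower()
        if onmatch == "exclude":
            return "all-except-excluded"
        if onmatch == "include" and len(rule):
            coverage = "included-only"
    return coverage


def _sysmon_event(event_id, event_type, image, pipe_name, pid):
    """Build a constructed Sysmon pipe event in the real log's XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="EventType">{event_type}</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="PipeName">{pipe_name}</Data>
    <Data Name="Image">{image}</Data>
  </EventData>
</Event>"""


SCRCONS = r"C:\Windows\System32\wbem\scrcons.exe"
SAMPLE_EVENTS = [  # constructed, not captured from a host
    _sysmon_event(17, "CreatePipe", SCRCONS, r"\MSSE-2051-server", 4812),   # hit
    _sysmon_event(18, "ConnectPipe", SCRCONS.upper(), r"\lsass", 4812),     # hit (case-insensitive)
    _sysmon_event(17, "CreatePipe", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"\PSHost.1", 3100),  # other WMI host: no hit
    _sysmon_event(1, "ProcessCreate", SCRCONS, "", 4812),  # not a pipe event: no hit (only EventID/Image matter here)
]

CONFIG_LOGS_PIPES = """<Sysmon schemaversion="4.50"><EventFiltering>
  <RuleGroup name="" groupRelation="or"><PipeEvent onmatch="exclude"/></RuleGroup>
</EventFiltering></Sysmon>"""
CONFIG_DROPS_PIPES = """<Sysmon schemaversion="4.50"><EventFiltering>
  <RuleGroup name="" groupRelation="or"><PipeEvent onmatch="include"/></RuleGroup>
</EventFiltering></Sysmon>"""

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT scrcons.exe named pipe:", hit)
    print("pipe event coverage:", sysmon_pipe_event_coverage(CONFIG_LOGS_PIPES),
          "/", sysmon_pipe_event_coverage(CONFIG_DROPS_PIPES))
```

Running it flags the two scrcons.exe pipe events and ignores the WmiPrvSE.exe pipe and the process-creation event, and reports the first config as logging pipe events and the second, an empty include filter, as logging none of them; the second config is the silent failure mode the summary warns about.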
Categories
- Windows
- Infrastructure
Data Sources
- Named Pipe
- Process
Created: 2021-09-01