
Windows App Layer Protocol Qakbot NamedPipe

Splunk Security Content

Summary
This detection rule targets activity characteristic of Qakbot, specifically a process creating or connecting to a named pipe. Qakbot uses named pipes for inter-process communication after injecting its code into a host process. The rule leverages Sysmon Event Codes 17 (Pipe Created) and 18 (Pipe Connected) and is scoped to known processes that Qakbot commonly injects into, such as calculator, notepad and others. It includes a regex filter that matches GUID-formatted pipe names, the naming pattern Qakbot has been observed using. A match can signal a Qakbot compromise that may lead to unauthorized data access or exfiltration. GUID-formatted pipe names are also used by legitimate software, so the scoping to commonly abused processes is what keeps the false-positive rate manageable; a hit on one of these processes should still be triaged against its parent process and command line before being treated as confirmed.
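The three conditions the summary describes (Sysmon pipe events, a watched host process, a GUID-shaped pipe name) run over constructed sample records, as an added example that is not part of the original page and is not Splunk's SPL. The flattened `Key=Value|Key=Value` record format, the sample events and every watched image other than `calc.exe` and `notepad.exe` are assumptions made for this illustration, not the rule's actual process list.

```python
import re
from dataclasses import dataclass

# Sysmon event IDs for named-pipe telemetry.
PIPE_CREATED = 17
PIPE_CONNECTED = 18

# Host processes the rule is scoped to. calc.exe and notepad.exe are named on
# the page; the remaining entries are ASSUMED for this example only.
WATCHED_IMAGES = {"calc.exe", "notepad.exe", "rundll32.exe", "regsvr32.exe", "wermgr.exe"}

# Sysmon reports PipeName relative to \\.\pipe, so a GUID-named pipe shows up
# as "\{8-4-4-4-12 hex}". The leading backslash is optional to tolerate
# sources that strip it.
GUID_PIPE = re.compile(r"^\\?\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.IGNORECASE)


@dataclass(frozen=True)
class PipeEvent:
    event_id: int
    image: str
    pipe_name: str
    process_id: int


def image_basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_guid_pipe(pipe_name: str) -> bool:
    """True when the pipe name is a braced GUID, the pattern the rule's regex filter targets."""
    return GUID_PIPE.match(pipe_name.strip()) is not None


def matches_rule(ev: PipeEvent) -> bool:
    """All three conditions from the rule description must hold."""
    return (
        ev.event_id in (PIPE_CREATED, PIPE_CONNECTED)
        and image_basename(ev.image) in WATCHED_IMAGES
        and is_guid_pipe(ev.pipe_name)
    )


def parse_sysmon_line(line: str) -> PipeEvent:
    """Parse one flattened Sysmon pipe record (constructed format for this example)."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return PipeEvent(
        event_id=int(fields["EventID"]),
        image=fields["Image"],
        pipe_name=fields["PipeName"],
        process_id=int(fields["ProcessId"]),
    )


# Constructed sample telemetry (not real Qakbot data). Two records should fire:
# a GUID pipe created by calc.exe and a GUID pipe connection from notepad.exe.
# The chrome.exe record shows why the process scoping matters: GUID-named pipes
# are used legitimately, and it must not fire. The mojo pipe is not GUID-shaped.
SAMPLE_LOG = [
    r"EventID=17|Image=C:\Windows\System32\calc.exe|PipeName=\{a1b2c3d4-1111-2222-3333-444455556666}|ProcessId=4321",
    r"EventID=17|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|PipeName=\{0f0f0f0f-aaaa-bbbb-cccc-dddddddddddd}|ProcessId=1001",
    r"EventID=17|Image=C:\Windows\System32\calc.exe|PipeName=\mojo.4321.77|ProcessId=4321",
    r"EventID=18|Image=C:\Windows\System32\notepad.exe|PipeName=\{a1b2c3d4-1111-2222-3333-444455556666}|ProcessId=5120",
    r"EventID=18|Image=C:\Windows\explorer.exe|PipeName=\{a1b2c3d4-1111-2222-3333-444455556666}|ProcessId=2000",
]


def detect(lines):
    """Return the events that satisfy the rule, in log order."""
    return [ev for ev in map(parse_sysmon_line, lines) if matches_rule(ev)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"ALERT EventID={hit.event_id} pid={hit.process_id} {hit.image} -> {hit.pipe_name}")
```

When triaging a hit, pivot on the process ID to the Sysmon process-creation event for that host process: a `calc.exe` that was spawned by an Office application or a script host, or that owns a GUID pipe shortly after a remote-thread creation (Sysmon Event 8) into it, is far more telling than the pipe event on its own.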
Categories
  • Endpoint
Data Sources
  • Process
  • Named Pipe
  • Windows Registry
ATT&CK Techniques
  • T1071
Created: 2024-11-13