
Privilege Escalation via Rogue Named Pipe Impersonation

Elastic Detection Rules

Summary
This rule detects privilege escalation attempts that abuse rogue named pipe impersonation on Windows. An adversary whose process holds impersonation rights (SeImpersonatePrivilege) creates a named pipe server and coerces a privileged process into connecting to it as a client; once the client connects, the server impersonates the client's token and runs commands with its elevated permissions. The detection queries Sysmon named pipe creation events (Event ID 17, "Pipe Created") for pipe names that still contain a `\pipe\` path component. Sysmon strips that component from ordinary pipe creation events, so its presence indicates a pipe created through a non-standard path of the kind these impersonation tools use. For the rule to fire, named pipe events must be enabled in the Sysmon configuration and the resulting events must be ingested with the fields the query relies on (event category, event action and pipe name). The rule's notes cover investigation steps, likely false positives, and response actions for a matching event.
Categories
  • Endpoint
  • Windows
Data Sources
  • Named Pipe
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1134
Created: 2021-10-13