
Summary
The Windows PUA Named Pipe analytic detects the creation of, or connection to, named pipes commonly used by potentially unwanted applications (PUAs), such as certain VPN clients and remote-administration tools like PsExec. Using Sysmon EventCode 17 (pipe created) and EventCode 18 (pipe connected), the rule identifies activity that could give an attacker persistence, command-and-control capability, or a foothold for further compromise of the host. To reduce false positives, the search excludes processes running from known legitimate paths; it then matches the remaining pipe names against a lookup table of pipes associated with PUAs, giving analysts better visibility into suspicious named-pipe activity on Windows endpoints.
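The logic described above, emulated over a few constructed Sysmon records as an added example (this is not the analytic's own SPL, and the lookup table, the path exclusions and the sample log lines are constructed for illustration; `\PSEXESVC` is PsExec's well-known service pipe, the VPN pipe name is a placeholder):

```python
"""Added example (not the rule's own search): emulate the PUA named-pipe
analytic over constructed Sysmon EventCode 17/18 records."""

# Constructed lookup of named pipes tied to PUAs. \PSEXESVC is PsExec's
# well-known service pipe; the VPN entry is a placeholder value.
PUA_PIPE_LOOKUP = {
    "\\psexesvc": "PsExec",
    "\\examplevpn_ctl": "ExampleVPN (placeholder)",
}

# Constructed exclusion list: image path prefixes treated as known-good.
LEGIT_IMAGE_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample records, one per line, tab-separated key=value fields.
SAMPLE_LOGS = [
    "EventCode=17\tImage=C:\\Windows\\PSEXESVC.exe\tPipeName=\\PSEXESVC",
    "EventCode=18\tImage=C:\\Users\\bob\\Downloads\\tool.exe\tPipeName=\\ExampleVPN_ctl",
    "EventCode=17\tImage=C:\\Program Files\\Vendor\\agent.exe\tPipeName=\\PSEXESVC",
    "EventCode=18\tImage=C:\\Windows\\System32\\svchost.exe\tPipeName=\\ntsvcs",
    "EventCode=1\tImage=C:\\Windows\\PSEXESVC.exe\tCommandLine=PSEXESVC.exe",
]

def parse_record(line: str) -> dict:
    """Split a tab-separated key=value Sysmon record into a dict."""
    return dict(field.split("=", 1) for field in line.split("\t"))

def pua_pipe_hits(lines):
    """Return the records the analytic would flag: EventCode 17 (pipe created)
    or 18 (pipe connected), image not under an excluded path, and a pipe name
    present in the PUA lookup. PsExec's per-session I/O pipes carry a
    '\\PSEXESVC-<host>-<pid>-stdin' style suffix, so match on the base name."""
    hits = []
    for rec in map(parse_record, lines):
        if rec.get("EventCode") not in ("17", "18"):
            continue  # only pipe created / pipe connected events are in scope
        if rec.get("Image", "").lower().startswith(LEGIT_IMAGE_PREFIXES):
            continue  # known-good install path: excluded to limit false positives
        base = rec.get("PipeName", "").lower().split("-", 1)[0]
        tool = PUA_PIPE_LOOKUP.get(base)
        if tool:
            hits.append({"event": rec["EventCode"], "image": rec["Image"],
                         "pipe": rec["PipeName"], "tool": tool})
    return hits

if __name__ == "__main__":
    for hit in pua_pipe_hits(SAMPLE_LOGS):
        print(hit)
```

Of the five constructed records, only the first two are flagged: the third is suppressed by the path exclusion, the fourth uses a pipe absent from the lookup, and the fifth is not a pipe event at all.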
Categories
- Endpoint
Data Sources
- Named Pipe
- Process
ATT&CK Techniques
- T1218
- T1559
- T1021.002
- T1055
Created: 2025-12-05