Alternate PowerShell Hosts Pipe

Sigma Rules

Summary
The 'Alternate PowerShell Hosts Pipe' detection rule identifies potentially malicious use of alternative PowerShell hosts, a technique for evading detection mechanisms that primarily monitor the execution of 'powershell.exe'. The detection relies on logged named-pipe events from PowerShell hosts; such activity can indicate techniques such as lateral movement or command-and-control communication carried out through PowerShell without triggering the usual process-name signatures. The rule requires a Sysmon configuration that logs named-pipe events (specifically Event IDs 17 and 18). Its condition matches pipe names starting with '\PSHost' and applies several filters to narrow alerts to execution contexts that could indicate a threat, excluding known legitimate processes such as 'SQLPS.exe', 'gc_worker.exe', and various Citrix and Exchange Server processes. The overall intent of the rule is to improve visibility of PowerShell use that is obscured by running it from a less common host environment. It is rated a medium-level alert because of the potential for false positives, notably from legitimate applications that embed PowerShell without invoking the dedicated interpreter.
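The detection logic the summary describes, as an added example that is neither the Sigma rule itself nor the site's code: a small Python evaluator run over constructed Sysmon pipe events. Only the SQLPS.exe and gc_worker.exe exclusions come from the summary; excluding the standard hosts (powershell.exe, powershell_ise.exe, pwsh.exe) and the Citrix/Exchange path fragments are assumptions made here.

```python
# Added example: evaluator for the rule logic described above, run over
# constructed Sysmon named-pipe events. Not the Sigma rule's own content.
from typing import Iterable, List

PIPE_EVENT_IDS = {17, 18}  # Sysmon: 17 = PipeCreated, 18 = PipeConnected

# Assumption: the rule targets *alternate* hosts, so the standard hosts are excluded.
STANDARD_HOSTS = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
# Known-legitimate alternate hosts named in the summary (image basename match).
KNOWN_BENIGN_IMAGES = ("\\sqlps.exe", "\\gc_worker.exe")
# Placeholder path fragments standing in for the Citrix / Exchange Server
# exclusions; the exact paths are an assumption, not taken from the summary.
KNOWN_BENIGN_PATH_FRAGMENTS = ("\\citrix\\", "\\microsoft\\exchange server\\")


def is_alternate_host_pipe(event: dict) -> bool:
    """Return True when the event should raise the 'Alternate PowerShell Hosts Pipe' alert."""
    if event.get("EventID") not in PIPE_EVENT_IDS:
        return False  # only named-pipe events are in scope
    if not event.get("PipeName", "").startswith("\\PSHost"):
        return False  # not a PowerShell host pipe
    image = event.get("Image", "").lower()
    if image.endswith(STANDARD_HOSTS) or image.endswith(KNOWN_BENIGN_IMAGES):
        return False  # standard interpreter or known-benign alternate host
    if any(frag in image for frag in KNOWN_BENIGN_PATH_FRAGMENTS):
        return False  # vendor process explicitly filtered out
    return True


def alerts(events: Iterable[dict]) -> List[dict]:
    """Filter a stream of Sysmon events down to those that match the rule."""
    return [e for e in events if is_alternate_host_pipe(e)]


# Constructed sample events (not real telemetry); pipe names follow the
# \PSHost.<ticks>.<pid>.DefaultAppDomain.<host> shape.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": "\\PSHost.133000000000000000.4120.DefaultAppDomain.powershell",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 17, "PipeName": "\\PSHost.133000000000000001.5520.DefaultAppDomain.SQLPS",
     "Image": "C:\\Program Files\\Microsoft SQL Server\\130\\Tools\\Binn\\SQLPS.exe"},
    {"EventID": 17, "PipeName": "\\PSHost.133000000000000002.6648.DefaultAppDomain.updater",
     "Image": "C:\\Users\\Public\\updater.exe"},
    {"EventID": 1, "PipeName": "\\PSHost.133000000000000003.7000.DefaultAppDomain.x",
     "Image": "C:\\Users\\Public\\x.exe"},
    {"EventID": 18, "PipeName": "\\mojo.9999.1", "Image": "C:\\Users\\Public\\updater.exe"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], hit["PipeName"])
```

Only the third sample fires: an unrecognised executable hosting a PowerShell runspace, which is exactly the case the rule exists to surface.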
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Named Pipe
  • Process
  • Application Log
Created: 2019-09-12