
Privilege Escalation via Named Pipe Impersonation

Elastic Detection Rules

Summary
The rule identifies privilege escalation attempts on Windows systems through named pipe impersonation, a technique that lets an attacker execute code under the security context of a more privileged account, typically SYSTEM. It uses EQL (Event Query Language) to inspect process start events on Windows hosts, looking for CMD or PowerShell command lines that redirect output to a named pipe. Such a command line is a hallmark of an attack in which an adversary uses tooling such as Metasploit to elevate privileges. The rule draws on several data sources, including Winlogbeat, Sysmon, and Microsoft Defender, which makes it well suited to detection in managed endpoint environments. It also ships with an analysis framework of triage steps, response measures, and a discussion of potential false positives, which improves its usefulness in real operations.
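As an added illustration of the detection shape the summary describes (this is not the rule's actual EQL query and not Elastic's code), the following Python applies the same check to a few constructed ECS-style process events. The field names, the shell list, and the sample events are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List

# Matches a shell redirection operator (">" or ">>") followed by a Windows
# named pipe path such as \\.\pipe\name, allowing optional whitespace and a quote.
PIPE_REDIRECT = re.compile(r'>{1,2}\s*"?\\\\\.\\pipe\\', re.IGNORECASE)

# Assumed set of shells the check applies to (the rule names CMD and PowerShell).
SHELLS = {"cmd.exe", "powershell.exe"}


def is_pipe_impersonation_candidate(event: Dict[str, str]) -> bool:
    """True when a process-start event is cmd.exe or powershell.exe whose
    command line redirects output into a named pipe."""
    if event.get("event.type") != "start":
        return False
    if event.get("process.name", "").lower() not in SHELLS:
        return False
    return PIPE_REDIRECT.search(event.get("process.command_line", "")) is not None


def find_candidates(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that should raise an alert for triage."""
    return [e for e in events if is_pipe_impersonation_candidate(e)]


# Constructed sample events (not real telemetry); field names follow ECS conventions.
SAMPLE_EVENTS = [
    {"event.type": "start", "process.name": "cmd.exe",
     "process.command_line": r'cmd.exe /c echo hello > \\.\pipe\svcpipe'},
    {"event.type": "start", "process.name": "powershell.exe",
     "process.command_line": r'powershell.exe -c "echo x >> \\.\pipe\abc"'},
    # Ordinary file redirection: must not match.
    {"event.type": "start", "process.name": "cmd.exe",
     "process.command_line": r'cmd.exe /c type C:\logs\build.txt > C:\out.txt'},
    # Pipe path mentioned without redirection and by a non-shell: must not match.
    {"event.type": "start", "process.name": "notepad.exe",
     "process.command_line": r'notepad.exe \\.\pipe\notes'},
    # Not a process start event: must not match.
    {"event.type": "end", "process.name": "cmd.exe",
     "process.command_line": r'cmd.exe /c echo hi > \\.\pipe\svcpipe'},
]

if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_EVENTS):
        print("ALERT:", hit["process.name"], hit["process.command_line"])
```

Only the first two sample events are flagged; the remaining three show the negative cases a triage analyst would expect the check to ignore.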
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • File
  • Service
  • Logon Session
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1134
Created: 2020-11-23